Topic - Google Cloud KMS and support for custom keys
I was exploring the documentation for Google Cloud KMS. It mentions that Cloud KMS is more of a management service that helps control and manage the DEKs, which are used by Google in 2 ways: CMEK - allowing Google to create the KEK and us to manage the rotation and other aspects; CMEK - allowing us to import our own key, which will act as the KEK on top of the Google DEK.
From what I understand and have seen, Cloud KMS allows control over the key that encrypts the DEK.
Does Google Cloud KMS also support storing our custom private keys (CSEK) for encryption and usage/signing?
Customer-supplied encryption keys (CSEK) are a feature of Google Cloud Storage and Google Compute Engine. Google uses the encryption key supplied by the customer to protect the Google-generated keys used to encrypt and decrypt the user's data [1].
When a customer supplies a CSEK (customer-supplied encryption key), Cloud Storage does not store the key permanently on Google's servers or manage the key. You have to provide the key for each Cloud Storage operation, and your key is purged from Google's servers after the operation is complete. Cloud Storage stores only a cryptographic hash of the key so that, if the customer supplies the key again in the future, it can be validated against the hash. The key cannot be recovered from this hash, and the hash cannot be used to decrypt the data [2].
In the case of Google Compute Engine as well, Google does not store your keys on its servers and cannot access your protected data unless you provide the key. If you forget or lose your key by mistake, there is no way for Google to recover the key or to recover any data encrypted with the lost key. For instance, when you delete a persistent disk, Google discards the cipher keys, rendering the data irretrievable [3].
Useful Links:
[1] https://cloud.google.com/security/encryption/customer-supplied-encryption-keys
[2] https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
[3] https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
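To make the CSEK mechanics in the answer above concrete, here is an added example (not part of the original question or answer, and not Google's code) in Python. It generates a 256-bit CSEK, builds the `x-goog-encryption-algorithm`, `x-goog-encryption-key` and `x-goog-encryption-key-sha256` headers that Cloud Storage requests carry for customer-supplied keys, and models the server side of the "store only a hash" design: a resupplied key can be accepted or rejected against the stored SHA-256, but nothing can be recovered or decrypted from that hash. The function names and the constructed sample keys are assumptions for illustration; only the three header names and the hash format (base64 of the SHA-256 of the raw key) come from the Cloud Storage CSEK documentation.

```python
"""Added example, not from the original Q&A or from Google's SDK.

Assumptions (illustrative, not from the page): all function names and the
constructed sample keys. The header names and the "base64(SHA-256(raw key))"
format are those the Cloud Storage API documents for CSEK requests.
"""
import base64
import hashlib
import hmac
import secrets


def generate_csek() -> bytes:
    """A CSEK is a raw 256-bit AES key held by the customer."""
    return secrets.token_bytes(32)


def csek_hash(key: bytes) -> str:
    """Base64-encoded SHA-256 of the raw key.

    This is the only artefact Cloud Storage keeps about the key once an
    operation completes; the key itself is purged from Google's servers.
    """
    if len(key) != 32:
        raise ValueError("CSEK must be exactly 32 bytes (AES-256)")
    return base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")


def csek_headers(key: bytes) -> dict:
    """Headers attached to every request touching a CSEK-protected object.

    Because nothing but the hash is stored server-side, the key has to be
    resent on each upload, download, rewrite or metadata read.
    """
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-goog-encryption-key-sha256": csek_hash(key),
    }


def key_matches_stored_hash(supplied_key: bytes, stored_hash: str) -> bool:
    """Server-side validation as described in the answer: compare the hash of
    the resupplied key against the stored hash in constant time.

    A wrong-length or wrong-value key is rejected; the stored hash alone
    cannot be turned back into the key, nor used to decrypt the object.
    """
    try:
        candidate = csek_hash(supplied_key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_hash)


def lost_key_is_unrecoverable(stored_hash: str) -> bool:
    """Illustrates the 'lose the key, lose the data' property: the stored
    hash is 32 bytes of digest, not key material, so decoding it yields
    nothing that validates as the original key."""
    digest_bytes = base64.b64decode(stored_hash)
    return not key_matches_stored_hash(digest_bytes, stored_hash)


def demo() -> bool:
    """Walk through one upload and one later read with the same key."""
    key = generate_csek()
    upload_headers = csek_headers(key)
    stored = upload_headers["x-goog-encryption-key-sha256"]  # all Google keeps
    # Later read with the correct key succeeds, a different key is rejected,
    # and the hash itself is useless as a key.
    later_ok = key_matches_stored_hash(key, stored)
    other_rejected = not key_matches_stored_hash(generate_csek(), stored)
    return later_ok and other_rejected and lost_key_is_unrecoverable(stored)


if __name__ == "__main__":
    print("CSEK round trip behaves as documented:", demo())
```

The practical consequence for operators is the one the answer stresses: the client, not Google, is the key store, so a CSEK needs its own backup and rotation story (rotation is a rewrite of each object with the new key), and any automation that uploads with a CSEK must keep the same 32 bytes available for every subsequent read.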