GCP Secured

Encryption in GCP

  • Chunking
  • Wrapping DEKs
  • KEKs are stored in KMS.
  • KMS is run on multiple machines in data centers globally.
    • KMS keys are wrapped with the KMS master key, which is stored in Root KMS.
  • Root KMS is much smaller than KMS and runs only on dedicated machines in each data center.
    • Root KMS keys are wrapped with the root KMS master key, which is stored in the root KMS master key distributor.
  • The root KMS master key distributor is a peer-to-peer infrastructure running concurrently in RAM globally on dedicated machines; each gets its key material from other running instances.
    • If all instances of the distributor were to go down (total shutdown), a master key is stored in (different) secure hardware in (physical) safes in limited Google locations.
    • The root KMS master key distributor is currently being phased in, to replace a system that operated in a similar manner but was not peer-to-peer.

  • KEKs are rotated every 90 days, and up to 20 versions are saved.
  • This means the data needs to be re-encrypted at least once every 5 years → but in practice it's a lot more frequent.
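
The rotation arithmetic above, as an added example (not from the original notes or from Google's code): 90 days × 20 versions gives a DEK at most 1800 days under one KEK version, and the audit flags wrapped DEKs whose KEK version is close to being dropped. It assumes the active version counts toward the 20 retained and that a dropped version can no longer unwrap anything; the record type, function names and sample chunks are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_DAYS = 90   # from the notes: KEKs rotate every 90 days
MAX_VERSIONS = 20    # from the notes: up to 20 KEK versions are kept

@dataclass(frozen=True)
class WrappedDek:
    chunk_id: str     # constructed identifier
    kek_version: int  # KEK version that wrapped this chunk's DEK

def current_version(created: date, today: date) -> int:
    """Version 1 is active at creation; a new version every ROTATION_DAYS."""
    return (today - created).days // ROTATION_DAYS + 1

def retirement_date(created: date, version: int) -> date:
    """Day `version` is dropped, i.e. when version + MAX_VERSIONS activates."""
    return created + timedelta(days=ROTATION_DAYS * (version + MAX_VERSIONS - 1))

def max_wrap_lifetime_days() -> int:
    """Longest a DEK can stay wrapped under one KEK version."""
    return ROTATION_DAYS * MAX_VERSIONS

def audit(records, created: date, today: date, warn_days: int = 180) -> dict:
    """Sort wrapped DEKs by how close their KEK version is to being dropped."""
    oldest = max(1, current_version(created, today) - MAX_VERSIONS + 1)
    report = {"unrecoverable": [], "rewrap_soon": [], "ok": []}
    for r in records:
        days_left = (retirement_date(created, r.kek_version) - today).days
        if r.kek_version < oldest:
            report["unrecoverable"].append(r.chunk_id)
        elif days_left <= warn_days:
            report["rewrap_soon"].append(r.chunk_id)
        else:
            report["ok"].append(r.chunk_id)
    return report

# Constructed sample: key created 2000 days ago, so version 23 is active.
CREATED = date(2020, 1, 1)
TODAY = CREATED + timedelta(days=2000)
SAMPLE = [WrappedDek("chunk-a", 3), WrappedDek("chunk-b", 4),
          WrappedDek("chunk-c", 6), WrappedDek("chunk-d", 23)]

if __name__ == "__main__":
    print(max_wrap_lifetime_days(), "days max under one KEK version")
    print(audit(SAMPLE, CREATED, TODAY))
```

1800 days is about 4.9 years, which is where the 5-year bound comes from; re-wrapping a DEK under the active KEK version resets that clock without touching the chunk's ciphertext.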