The Key Inventory Dashboard is just the first step — stay tuned for announcements in the coming months about additional ways we’re bringing increased transparency to customers’ key inventory.
Interoperability: PKCS#11
Today, customers need to use the Cloud KMS API to make use of Cloud KMS or Cloud HSM. But we know that many customers want (and sometimes need) to use the PKCS#11 standard to allow their applications to make use of Google Cloud cryptography. We want to support these needs while also giving customers more options for easily integrating their applications and infrastructure with Google Cloud.
Our Cloud KMS PKCS #11 Library, now in General Availability, lets applications access software keys in Cloud KMS or hardware keys in Cloud HSM and use them for encrypt and decrypt operations through the PKCS #11 v2.40 API. The key material itself never leaves Cloud KMS or Cloud HSM: the library forwards each PKCS #11 operation to the Cloud KMS API, so existing IAM permissions on the key continue to govern who can use it. We are also releasing the library as an open source project, and we welcome the community’s contributions for possible inclusion in subsequent versions.
Our investment in the PKCS#11 library is one of several efforts to make it easier for customers to integrate their applications and infrastructure with Google Cloud. As we plan new ways for customers to use Cloud KMS, we welcome feedback about which encryption features and methods would be most helpful in bringing more data and workloads to Google Cloud.
Automation: Variable Key Destruction and Fast Key Deletion
Through improved automation, customers can now decide how long after they schedule a key for destruction the destruction actually occurs, and they get stronger assurance about how quickly Google fully purges destroyed key material.
When creating or importing a software or hardware key, customers can now use the Variable Key Destruction feature to set how long the key remains in the “Scheduled for destruction” state after a destruction request: anywhere from 0 to 120 days for imported keys, or from 1 to 120 days for keys generated within Google Cloud. The window can be specified at day, hour, or even minute granularity. Customers who need a key gone almost immediately can choose a short window; those who want a safety margin against inadvertent destruction can choose a long one. Either way, the window is the time available to notice and reverse a mistaken request before the key material is actually destroyed.
Once a key has been destroyed, our new Fast Key Deletion functionality, rolling out by late October, assures customers that all remnants of the destroyed key material are purged from every part of Google’s infrastructure. Fast Key Deletion shortens Google’s data deletion commitment for destroyed keys from 180 days to 45 days: all traces of destroyed key material are removed from Google’s data centers no later than 45 days after the time of destruction.
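The two paragraphs above describe a window (0 or 1 to 120 days, minute granularity) and a purge commitment (45 days after destruction). The following helper, added here as an illustration and not part of Google’s code or the Cloud KMS client library, validates a requested window against those ranges, renders it as the seconds-based Duration string that the Cloud KMS API uses for a key’s destroyScheduledDuration field (set at key creation; in Cloud KMS the scheduled-destruction state applies per key version), and computes the resulting destroy time and purge deadline. The function and class names and the sample dates are constructed for the example.

```python
# Added example (not Google's code): choose a Cloud KMS scheduled-destruction
# window that satisfies the announced ranges, render it as the API's Duration
# string, and work out when the key version is destroyed and by when Google's
# Fast Key Deletion commitment says the material must be purged.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY_SECONDS = 24 * 60 * 60
MAX_WINDOW_SECONDS = 120 * DAY_SECONDS      # upper bound for every key type
MIN_WINDOW_IMPORTED = 0                     # imported keys may use 0 days
MIN_WINDOW_GENERATED = 1 * DAY_SECONDS      # keys generated in Cloud KMS: >= 1 day
PURGE_COMMITMENT = timedelta(days=45)       # Fast Key Deletion (previously 180 days)


def window_error(days: int = 0, hours: int = 0, minutes: int = 0,
                 *, imported: bool) -> Optional[str]:
    """Return None if the window is acceptable, otherwise the reason it is not.

    Granularity is whole minutes, as the announcement allows; the permitted
    range depends on whether the key material was imported or generated in-cloud.
    """
    if min(days, hours, minutes) < 0:
        return "window components must be non-negative"
    seconds = days * DAY_SECONDS + hours * 3600 + minutes * 60
    minimum = MIN_WINDOW_IMPORTED if imported else MIN_WINDOW_GENERATED
    if seconds < minimum:
        return ("generated keys must stay scheduled for at least 1 day; "
                "only imported keys may use a 0-day window")
    if seconds > MAX_WINDOW_SECONDS:
        return "window may not exceed 120 days"
    return None


def destroy_scheduled_duration(days: int = 0, hours: int = 0, minutes: int = 0,
                               *, imported: bool) -> str:
    """Render the window as the protobuf Duration string Cloud KMS expects for
    a key's destroyScheduledDuration, e.g. "86400s" for one day."""
    err = window_error(days, hours, minutes, imported=imported)
    if err:
        raise ValueError(err)
    seconds = days * DAY_SECONDS + hours * 3600 + minutes * 60
    return f"{seconds}s"


@dataclass(frozen=True)
class DestructionTimeline:
    requested_at: str   # ISO-8601, UTC: when destruction was requested
    destroy_at: str     # leaves "Scheduled for destruction", becomes "Destroyed"
    purged_by: str      # latest time by which all material is purged everywhere


def timeline(requested_at_iso: str, duration: str) -> DestructionTimeline:
    """Given the moment destruction was requested and the key's configured
    destroyScheduledDuration, compute the destroy time and purge deadline."""
    if not duration.endswith("s"):
        raise ValueError("duration must look like '<seconds>s'")
    seconds = int(duration[:-1])
    requested = datetime.fromisoformat(requested_at_iso)
    if requested.tzinfo is None:
        requested = requested.replace(tzinfo=timezone.utc)
    destroy_at = requested + timedelta(seconds=seconds)
    return DestructionTimeline(
        requested_at=requested.isoformat(),
        destroy_at=destroy_at.isoformat(),
        purged_by=(destroy_at + PURGE_COMMITMENT).isoformat(),
    )


if __name__ == "__main__":
    # Constructed scenario: a generated (non-imported) key with a 2-day window,
    # destruction requested at midnight UTC on 1 October 2021.
    duration = destroy_scheduled_duration(days=2, imported=False)
    print("destroyScheduledDuration:", duration)
    t = timeline("2021-10-01T00:00:00+00:00", duration)
    print("destroyed at:", t.destroy_at)
    print("material purged no later than:", t.purged_by)
```

The Duration string is the value to supply as destroyScheduledDuration when the key is created (the corresponding gcloud flag is --destroy-scheduled-duration); it cannot be changed afterwards, so pick the window with the recovery margin you want before any version is ever scheduled for destruction. The purge deadline is a contractual upper bound rather than an observable event, which is why the helper only computes it and does not try to verify it.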
Google purges all key material that customers destroy, but customers who import their own keys into Google Cloud now have a way to recover a destroyed key. With the new Key Re-Import feature, an imported key in the “Destroyed” state can be restored to “Enabled” by re-uploading the original key material, from either the command line or the Cloud Console. This covers both keys that were destroyed deliberately and keys that were destroyed by accident. Note that re-import works only because the customer still holds the original material outside Google Cloud; a key generated within Cloud KMS or Cloud HSM cannot be recovered once destroyed, because Google retains no copy of it.