Google announced that Google Cloud Storage now encrypts all data before it’s written to disk. Better yet, this will cost you nothing extra. In fact, you don’t even have to do anything extra or change any settings. Data is simply decrypted when read by an authorized user.
“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys,” writes product manager Dave Barth in a blog post. “We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”
“Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner,” Barth adds. “These keys are additionally encrypted by one of a regularly rotated set of master keys. Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”
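The key hierarchy described in the quote above, as an added example (not Google's code and not part of the original post): data is encrypted under a per-object key, that key is wrapped by an owner key, and the owner key is wrapped by a master key, so rotating the master key re-wraps only the owner key. GCM mode, the nonce/tag/ciphertext layout and every function name here are assumptions of the example.

```javascript
const crypto = require('crypto');

// AES-128 is the cipher the announcement names; GCM mode is this example's assumption.
const ALG = 'aes-128-gcm';

// seal encrypts buf under a 16-byte key; output layout is nonce || tag || ciphertext.
function seal(key, buf) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv(ALG, key, nonce);
  const ct = Buffer.concat([c.update(buf), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// open reverses seal and throws if the key is wrong or the bytes were altered.
function open(key, blob) {
  const d = crypto.createDecipheriv(ALG, key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// put builds the chain: data under a fresh per-object key, that key under the
// owner's key, the owner's key under the current master key. No bare key is stored.
function put(masterKey, ownerKey, data) {
  const objectKey = crypto.randomBytes(16);
  return {
    data: seal(objectKey, data),
    wrappedObjectKey: seal(ownerKey, objectKey),
    wrappedOwnerKey: seal(masterKey, ownerKey),
  };
}

// get unwraps master key -> owner key -> object key, then decrypts the data.
function get(masterKey, rec) {
  const ownerKey = open(masterKey, rec.wrappedOwnerKey);
  return open(open(ownerKey, rec.wrappedObjectKey), rec.data);
}

// rotate moves a record to a new master key by re-wrapping only the 16-byte owner
// key; the object ciphertext and the wrapped object key are left untouched.
function rotate(oldMaster, newMaster, rec) {
  const ownerKey = open(oldMaster, rec.wrappedOwnerKey);
  return { ...rec, wrappedOwnerKey: seal(newMaster, ownerKey) };
}

// Constructed demo: random keys and a made-up object body.
const [m1, m2, owner] = [16, 16, 16].map((n) => crypto.randomBytes(n));
const rec = rotate(m1, m2, put(m1, owner, Buffer.from('constructed object body')));
console.log(get(m2, rec).toString());
```

Because each layer is authenticated, reading with a retired master key or a modified blob fails with an exception instead of returning garbage.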
The new encryption is already active for all new data as it’s written to Google Cloud Storage. This goes for creating new objects or overwriting existing ones.
Don’t worry about your old stuff, unless you need it encrypted immediately. Google says it will deploy encryption to older objects over the coming months. If you need this to happen sooner for some reason, I guess you can just go overwrite your stuff yourself.