This document has been a long time coming, and finally lets us talk about the encryption we perform on your behalf when your traffic transits outside our physical boundaries. There are lots of paths, but I think the diagram [1] captures it well.
Edit: Of particular note is that if you have a VM in say us-central1 talking to another of your VMs in us-east1, we encrypt that traffic across regions (even though it's riding our backbone).
Disclosure: I work on Google Cloud (and even sort of contributed to this).
When are you going to support end-to-end encryption for consumer apps? We use Syncdocs https://syncdocs.com to encrypt Google Drive, but it would be better to use an entirely Google solution.
The key thing here for my use-case is this point (which took a lot of digging to uncover when I last dove into this a year or so ago):
> Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but not necessarily encrypted.
Previously I believe this was not explicitly called out, but this is very important for GKE! In the default configuration, Kubernetes can arbitrarily bounce Service traffic between nodes, since the cloud LB selects a node at random, and then the Service iptables rules redirect the traffic to a node which hosts a pod that backs the Service.
So if your regulatory environment (or SLA) requires end-to-end encryption, you are not covered using GKE out of the box.
Options I've found to resolve this:
1) TLS to-the-pod
2) Using source-IP-address-preservation to ensure that the Service doesn't reroute your traffic to another node.
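For option 2, the Kubernetes knob is `externalTrafficPolicy: Local` on the Service, which tells kube-proxy to only route external traffic to pods on the node that received it (dropping the extra node-to-node hop and preserving the client source IP). A sketch, with placeholder names and ports:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service        # hypothetical name
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local   # don't re-route to pods on other nodes
  selector:
    app: my-app           # hypothetical label
  ports:
  - port: 443
    targetPort: 8443
```

The trade-off is that nodes without a backing pod fail the LB health check, so traffic distribution depends on pod placement rather than being spread evenly across nodes.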
I'd really prefer it if Google made this limitation a bit clearer in their GKE docs, since it's a major security gotcha, and it took me a lot of digging to piece together. But it's definitely a big step forward that the encryption policy is spelled out explicitly here.
Does this section on Istio apply to your use-case?
> If you want to implement mutual authentication and encryption for workloads, you can use istio auth. Specifically, for a workload in Kubernetes, Istio auth allows a cluster-level CA to generate and distribute certificates, which are then used for pod-to-pod mutual Transport Layer Security (mTLS).
That was our intent (though we can always be clearer). If your regulatory environment requires that level of encryption, you'll want to use something, like Istio, that provides pod-to-pod mTLS (likely via a proxy or service mesh or both).
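For reference, in current Istio (the API has changed a lot since the 0.x releases discussed here), cluster- or namespace-wide strict mTLS is a one-resource policy; a sketch with a placeholder namespace:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: my-namespace   # hypothetical; omit namespace scoping for mesh-wide
spec:
  mtls:
    mode: STRICT   # sidecars reject plaintext; all pod-to-pod traffic is mTLS
```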
My use-case is currently quite simple (very few services) and so getting a TLS cert into each pod is easy enough. (I use the cluster CA to manually provision certs for the small number of private services that I have, and Acme certs for all of my publicly accessible services).
As I roll out more services I've definitely got my eye on Istio, since auto-provisioned mTLS certs will be very useful. It does seem a bit bleeding edge though; it's only on version 0.3.
This is a big deal for a lot of people. I was always under the impression (I'm pretty sure someone at GCP told me this at one point too) that basically all network communication was encrypted behind the scenes, even within your infrastructure. This is clearly not correct.
I asked questions about this exact same thing during a deep dive on EKS at re:Invent a couple weeks ago; unsurprisingly the same issue exists there.
Right. Encryption in transit within a building at line rate (and more importantly low latency) is hard. To my knowledge, none of the providers do this currently, otherwise they'd be talking about it. This is us saying it's time to talk about it :).
Military stuff uses "XOR the data with a secret keystream", which is zero latency (okay - more like 10 nanoseconds of latency), and can run arbitrarily fast.
The only disadvantage is one has to use a stream cipher, and those have fallen out of favor lately...
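The "XOR with a secret keystream" construction above is just a stream cipher (with a truly random, never-reused keystream it's a one-time pad). A minimal Python sketch, with random bytes standing in for whatever keystream generator the hardware actually uses:

```python
import secrets

def xor_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR each payload byte with the corresponding keystream byte.

    Encryption and decryption are the same operation, and each output
    byte depends only on one input byte -- which is why this can be
    pipelined at line rate with essentially no added latency.
    """
    assert len(keystream) >= len(data), "keystream must cover the payload"
    return bytes(d ^ k for d, k in zip(data, keystream))

keystream = secrets.token_bytes(64)     # stand-in for a real keystream source
plaintext = b"line-rate payload"
ciphertext = xor_keystream(plaintext, keystream)
recovered = xor_keystream(ciphertext, keystream)
assert recovered == plaintext
```

Note this sketch provides confidentiality only; without a separate MAC an attacker can flip ciphertext bits undetected, which is one reason bare stream ciphers have fallen out of favor versus AEAD modes.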
The latency isn't from the cipher; it's from touching the data an additional time. A NIC with inline encryption adds negligible latency but Google probably doesn't have those.
The problem is that Google (and all other large cloud providers) use an SDN, so you can't just encrypt traffic at the NIC level -- you need to encrypt only the encapsulated overlay traffic, while leaving the underlay unencrypted (so that intermediate nodes can route the overlay network traffic).
There are a number of technologies that support this kind of thing at the kernel level, but 1) layering these onto an existing SDN is not trivial, and 2) the extra encoding/decoding will absolutely have a performance impact if you're trying to do it at line rate on a 10Gb NIC, e.g. see https://www.weave.works/blog/weave-net-performance-fast-data....
Since they design their own NIC, Google certainly has the capability to include whatever features they want. Yet Andromeda appears to be implemented in software.
Sure. Firebase runs on top of Google Cloud. So if you say use Firebase Functions, that's a "Google Cloud Service" in the diagram [1] in the article. Similarly, Firestore is also a "Google Cloud Service", so all requests to it (from say your Firebase Function) are encrypted as well.
Disclosure: I work on Google Cloud (but disclaimer: not on Firebase).
Thanks @boulos. Appreciate it. I'm unclear on what encrypted at rest means. For example - I'd expect the data in Google cloud store to be encrypted (or have an option to be encrypted) so that if someone were to get access to our DB admin account, they won't be able to see the JSON data in plain text. The only way to see the data would be through API access which can be configured for ACL (and by Google cloud store so we can index and query data which is encrypted at rest).
Encryption at rest [1] ensures that someone who gets access to the encrypted bytes can't decrypt them. That is, if someone somehow got the raw bytes off our storage, they'd be useless to them. But if someone has access to your account, the storage system can't tell whether it's you or not.
Data in Datastore (and Firestore fwiw, that needs an update) is encrypted at rest, and today's paper discusses how it's also encrypted in transit between your app and the service. I don't believe Datastore supports Customer Supplied Encryption Keys [2] (yet) but that lets you have a key that even Google can't decrypt the data without you providing it. That's a pretty good way to separate permission from keys.
Encrypted at rest here means that any data sitting on disk is encrypted, probably ACLed to the service requiring it. For example, when BigQuery writes to disk, the data gets encrypted with a key that only BQ has access to.
[1] https://cloud.google.com/images/security/whitepaper-transit-...