Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google To Encrypt Cloud Storage Data By Default

Posted by timothy on from the praise-be-to-google dept.

jfruh writes "Worries about snooping are now a permanent part of our computing landscape, but Google is attempting to ameliorate those fears by encrypting all data on its Google Cloud Storage service by default. Data is encrypted with 128-bit AES, and you can manage the keys yourself or have Google do it for you. A Google spokesperson said that the company "does not provide encryption keys to any government."" (Also at SlashCloud.)

15 of 217 comments (clear)

  1. Lies Lies Lies by Anonymous Coward · · Score: 5, Insightful

    Just like how they already lied the first time. Lies Lies Lies. But I don't care. Go ahead and do that NSA thing.

    1. Re:Lies Lies Lies by onyxruby · · Score: 1, Insightful

      That this comment got modded +4 insightful shows how far Slashdot has fallen.

  2. Why should we trust you? by Mr.+Freeman · · Score: 4, Insightful

    And we have what guarantee, exactly, that they're telling the truth?

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
    1. Re:Why should we trust you? by maxwell+demon · · Score: 3, Insightful

      Well, the question is whether only you have the keys.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  3. Patriot act? by hilather · · Score: 5, Insightful

    A Google spokesperson said that the company "does not provide encryption keys to any government.""

    As Google is a U.S. based company, I'm pretty sure this is a bald faced lie due to the "Patriot Act".

  4. does not provide encryption keys by Anonymous Coward · · Score: 5, Insightful

    Until they receive a National Security Letter and a gag order to boot.

  5. What does this mean exactly? by synir · · Score: 5, Insightful

    "A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law."

    What does this mean, exactly? That they would provide encryption keys in accordance with the law? That they could?

    A robust system would mean the hosting company wouldn't be more able to decypher encrypted damage than anyone else. Are they offering that?

  6. Call me paranoid by TubeSteak · · Score: 5, Insightful

    "If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys," Barth wrote. "We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing."

    That sounds meaningless.
    All that it prevents is interception of data to/from your computer.
    It does nothing to stop the NSA from requesting your data from Google, who would control your encryption keys.

    A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

    Which is exactly my point. If they control your key, they have access to your data.

    --
    [Fuck Beta]
    o0t!
  7. Red riding hood by TheP4st · · Score: 4, Insightful
    When I was 8 years old Red Riding Hood seemed convincing enough to be true.

    Fool me once..

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  8. Don't trust the cloud, period. by C3ntaur · · Score: 4, Insightful

    If your data is worth encrypting, do you really want it in the cloud at all? The internet never forgets. Given the rapid advances in both raw compute power and cryptography, something that takes unimaginably long to brute force today, might be trivial to crack in just a few years.

    --
    Loading...
  9. Re:Fool me once.... by tftp · · Score: 5, Insightful

    You cannot trust Google or the cloud with your data.

    If you store your data in the cloud, it means that:

    • The 3rd party knows that you have some data stored, and they know its size, and they know how often you modify it or add to it. The observer does not need to have access to your private key to see that.
    • You can never be sure that the data that you deleted was in fact deleted. In most cases, due to existence of tiered backups, it will take a long time to purge your data from an honestly operated system. If the system is ran by a Google-like entity, nothing ever gets deleted.
    • If the observer wishes to decrypt your data, they can always use the $5 wrench, or (if they want to stay undetected) they can send people to duplicate your HDD or to install a keylogger.

    The best way to store your data is on your own HDD, encrypted. The observer still can break into your house, but they would have to do it without any information leading to that. (Such as they wouldn't know that you even have a computer, let alone how often you modify certain files.) Modern terabyte drives (USB 3.0 or eSATA) remove every reason to bother with cloud storage - unless you want an additional bottleneck in form of the Internet link and a bunch of additional vulnerabilities, often for a small extra fee. Most people would be perfectly happy with an encrypted USB Flash disk (IronKey etc.) that they can always carry with them.

  10. ... only in accordance with the law. by Anonymous Coward · · Score: 3, Insightful

    The summary leaves out a critical bit of the company spokesperson's quote from the article: they won't give anyone your encryption keys directly, but they'll happily USE the encryption keys they're managing for you to decrypt your data and give the decrypted data to anyone who makes a legal request.

    All this buys you is a tiny bit of defense in depth in case someone tracks down the Google server(s) that are storing your data, breaks into the data center, and physically yanks the hard drive out of the machine. Doesn't do anything to prevent a government from getting access by asking politely, and doesn't do anything to address the wide-open front door of someone guessing your account password.

    If you care at all, you should be using client-side encryption. If you don't, this is just adding extra latency.

  11. Sing the song by gmuslera · · Score: 4, Insightful

    Obama killed the cloud star. Google must comply with legislation, they could deny (at least till NSA summons another secret law that essentially says all your data are belong to us), but at least for citizens of other countries, or americans that contacts them they must give the data anyway. Once they put in the tables laws that force you to do something and not speak about it you can't trust in anything they say, you just can't decide if its true or is a lie that is forced to say (even assuming their best good will in this topic).

  12. Re:what about decryption keys by Anonymous Coward · · Score: 1, Insightful

    Its AES. Its a symmetric-key algorithm. The encryption key is the decryption key. Whats with all the jokes about decryption keys?

    Anyway, you can already do this for Chrome's sync data. I setup a pass phase for my sync data thats only known to my browser, and never sent to Google. Of course, that means I trust Chrome, but at least I don't have to trust them to protect the data on their end.

    This (letting the user hold the keys) is exactly what we should be rooting for. I'm amazed how negative the posts here are.

  13. Re:TFA by martin-boundary · · Score: 3, Insightful

    Which is how it should all be done. Relying on Google's honesty, or some Google employee who doesn't want his fingers broken one by one, is just false security.

    No.

    That is not how it should be done.

    It should be done as follows:

    You DO NOT give Google your data IN THE FIRST PLACE.

    They have no business keeping your data for you. The sooner you learn this, the sooner you can start on the path to become a free man.