Google To Encrypt Cloud Storage Data By Default
jfruh writes "Worries about snooping are now a permanent part of our computing landscape, but Google is attempting to ameliorate those fears by encrypting all data on its Google Cloud Storage service by default. Data is encrypted with 128-bit AES, and you can manage the keys yourself or have Google do it for you. A Google spokesperson said that the company "does not provide encryption keys to any government."" (Also at SlashCloud.)
Just like how they already lied the first time. Lies Lies Lies. But I don't care. Go ahead and do that NSA thing.
And we have what guarantee, exactly, that they're telling the truth?
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
A Google spokesperson said that the company "does not provide encryption keys to any government."
As Google is a U.S.-based company, I'm pretty sure this is a bald-faced lie due to the "Patriot Act".
Until they receive a National Security Letter and a gag order to boot.
They don't provide any keys. They provide the decrypted data.
"A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law."
What does this mean, exactly? That they would provide encryption keys in accordance with the law? That they could?
A robust system would mean the hosting company wouldn't be more able to decipher encrypted damage than anyone else. Are they offering that?
"If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys," Barth wrote. "We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing."
That sounds meaningless.
All that it prevents is interception of data to/from your computer.
It does nothing to stop the NSA from requesting your data from Google, who would control your encryption keys.
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.
Which is exactly my point. If they control your key, they have access to your data.
[Fuck Beta]
o0t!
Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.
Which is how it should all be done. Relying on Google's honesty, or some Google employee who doesn't want his fingers broken one by one, is just false security.
Have gnu, will travel.
Given what we know about the NSA, NSLs, and Lavabit, "[we do] not provide encryption keys to any government" is a worthless statement. With an NSL, Google will turn over everything and won't be able to say anything about it. With an NSL, Google will be required to lie (like claiming data is encrypted when it's not). Lavabit received an NSL and chose to shut down rather than honor it and sell out their customers. Google complies with their NSLs.
You cannot trust Google or the cloud with your data.
Do you even lift?
These aren't the 'roids you're looking for.
Fool me once..
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
This is not Google Drive that's getting automatic encryption, it's their Cloud Storage, which is only available to developers.
Hail Eris, full of mischief...
E pluribus sanguinem
If your data is worth encrypting, do you really want it in the cloud at all? The internet never forgets. Given the rapid advances in both raw compute power and cryptography, something that takes unimaginably long to brute force today might be trivial to crack in just a few years.
In other news leaked internal NSA documents show that they only begin to have trouble cracking AES at 256-bit key sizes and higher.
Obama killed the cloud star. Google must comply with legislation; they could deny (at least till NSA summons another secret law that essentially says all your data are belong to us), but at least for citizens of other countries, or Americans that contact them, they must give the data anyway. Once they put on the table laws that force you to do something and not speak about it, you can't trust anything they say; you just can't decide if it's true or a lie that they are forced to say (even assuming their best good will in this topic).
That's funny, because here I thought that Google's Cloud Storage was going to be hosted in NSA's new data center. Brilliant really. Why bring the NSA to you when it's less trouble to let the NSA host your shit for you.
Google complies with local laws and regulations. Remember their previous venture in China:
"The new local Google site, expected to be launched Wednesday at Google.cn, will include notes at the bottom of results pages that disclose when content has been removed, said Andrew McLaughlin, senior policy counsel for Google. "Google.cn will comply with local Chinese laws and regulations," he said in a statement. "In deciding how best to approach the Chinese--or any--market, we must balance our commitments to satisfy the interest of users, expand access to information, and respond to local conditions.""
http://news.cnet.com/Google-to-censor-China-Web-searches/2100-1028_3-6030784.html
When a legal order to turn over info is received they will do it. The only question is what constitutes a legal order.
According to TFA and the blog post it's server side encryption. Which, of course, does absolutely nothing for security as the NSA will just get the data before it's encrypted.
If you don't want your data read you encrypt it before sending it to someone else.
It's AES. It's a symmetric-key algorithm. The encryption key is the decryption key. What's with all the jokes about decryption keys?
And the fact the keys are symmetric and held by Google renders the entire exercise entirely worthless. If Google have the key to encrypt/decrypt data then they can just hand it to the NSA or whomever at the same time they hand over the data.
The proper and correct thing to do is to provide a pluggable API in their client apps that allows an extension running client side to manage the key and encrypt / decrypt the data. And similarly for their cloud APIs for languages like Java.
Google would have absolutely no idea what the data contains and absolutely no way to retrieve it either. It might mean certain functionality in their apps / services is affected in some ways (e.g. encrypted folders are inaccessible via a browser) but I assume they could spell out the consequences and people motivated to encrypt data would recognize those limitations.
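Several comments above recommend encrypting before upload with a key that stays on the client. The following is an added example, not part of the thread and not Google's API: a client-side wrapper around an object store. `MemoryBucket`, `EncryptingClient`, the blob layout and the choice of AES-256-GCM are assumptions of this sketch.

```javascript
// Added example: client-side encryption in front of an untrusted object store.
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

const VERSION = 1, NONCE_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = 1 + NONCE_LEN + TAG_LEN;

// Hypothetical stand-in for a cloud bucket: it only ever sees opaque bytes.
class MemoryBucket {
  constructor() { this.objects = new Map(); }
  put(name, bytes) { this.objects.set(name, Buffer.from(bytes)); }
  get(name) { return this.objects.get(name); }
}

// Wraps any store exposing put/get; the key never leaves this process.
class EncryptingClient {
  constructor(store, key) {
    if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('need a 32-byte key');
    this.store = store;
    this.key = key;
  }
  put(name, plaintext) {
    const nonce = randomBytes(NONCE_LEN); // fresh per object, never reused with this key
    const cipher = createCipheriv('aes-256-gcm', this.key, nonce);
    cipher.setAAD(Buffer.from(name, 'utf8')); // bind the ciphertext to its object name
    const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
    const blob = Buffer.concat([Buffer.from([VERSION]), nonce, cipher.getAuthTag(), body]);
    this.store.put(name, blob); // layout: version | nonce | tag | ciphertext
  }
  get(name) {
    const blob = this.store.get(name);
    if (!blob || blob.length < HEADER_LEN || blob[0] !== VERSION) {
      throw new Error('missing or malformed object');
    }
    const nonce = blob.subarray(1, 1 + NONCE_LEN);
    const tag = blob.subarray(1 + NONCE_LEN, HEADER_LEN);
    const decipher = createDecipheriv('aes-256-gcm', this.key, nonce);
    decipher.setAAD(Buffer.from(name, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if the blob was modified or stored under a different name
    return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
  }
}

// Constructed sample: what the client reads back vs. what the provider holds.
function demo() {
  const bucket = new MemoryBucket();
  const client = new EncryptingClient(bucket, randomBytes(32));
  client.put('notes/todo.txt', Buffer.from('constructed sample text'));
  return { read: client.get('notes/todo.txt').toString(), stored: bucket.get('notes/todo.txt') };
}
```

Object names and sizes are still visible to the provider in this sketch, and a lost key means the stored objects cannot be recovered by anyone.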