nCipher Security News Release

Thales Supports Customer-Supplied Encryption Keys on Google Cloud Platform to give Businesses Additional Options for Control

nShield HSM “bring your own key” now available for Google customers supplying keys

Thales, a leader in critical information systems, cybersecurity and data protection, announces support for Google Cloud Platform’s Customer-Supplied Encryption Key (CSEK) functionality. Google Cloud Platform customers can now generate, protect, and supply their encryption keys to the cloud using an on-premise, FIPS-certified nShield hardware security module (HSM) from Thales. The new CSEK support empowers enterprise customers who want to move workloads and data to the Google Cloud Platform, but need to retain control of their key material on-premise.

Click to Tweet: BYOK w/@Thalesesecurity @Google Cloud Platform makes it easier for customers to control #encryption keys

Jon Geater, CTO at Thales eSecurity says:

“While most enterprises want to take advantage of public clouds, some have requirements to generate and manage encryption key material on-premise. In introducing Customer-Supplied Encryption Keys, Google is allowing customers to implement a separation of duties as required. Customers using nShield HSMs and leveraging Google Cloud Platform can manage their keys from their own environments for use in the cloud, giving them greater control over how key material is generated.”

Protected by FIPS 140-2 Level 3 certified hardware, nShield uses strong methods to generate keys based on nShield’s high-entropy random number generator. Following generation, nShield exports customer keys into the cloud for one-time use via Google’s Customer-Supplied Encryption Key functionality. Using this feature, keys are only stored in memory, and discarded by Google after use. Customers can also leverage nShield HSMs on-premise for key storage protection and resilient disaster recovery mechanisms, giving them greater control over their key lifecycle.

Many enterprises must meet strict security standards due to internal or regulatory compliance rules, which sometimes presents a barrier to cloud usage. Thales nShield support for Google’s Customer-Supplied Encryption Key allows them to adopt key management practices that strengthen their cloud security and subsequently helps them implement their compliance controls.

Thales nShield HSMs are FIPS 140-2 Level 3 certified, tamper-resistant devices. nShield HSMs are also Common Criteria certified and are recognized as Qualified Signature Creation Devices (QSCDs) under the European eIDAS requirements. Thales is technology member of the Google Cloud Platform partner program.


Dorothée Bonneil
Thales Media Relations – Security
+33 (0)1 57 77 90 89
Liz Harris
Thales eSecurity Media Relations
+44 (0)1223 723612