Google has announced a new service for its Google Cloud Platform (GCP) that allows users to create, use, rotate, and destroy symmetric encryption keys. Although the new Cloud Key Management Service (KMS) is integrated with Google's Cloud Identity Access Management and Cloud Audit Logging, keys managed using KMS can also be used independently.
Before Cloud KMS, Google Cloud Platform users could either let GCP handle cryptographic keys for them automatically, or supply their own keys for server-side encryption. Cloud KMS adds a third option: managing cloud-hosted keys and encrypting and decrypting data with them through an API. Cloud KMS also lets users rotate keys, either manually or on a schedule. When a key is rotated, the old keys remain active for decryption, while only the single primary key is used to encrypt new data.
According to Google, Cloud KMS can handle millions of encryption keys with ease and provides low-latency access to them. It is worth noting that GCP encrypts data by breaking it into sub-file chunks, with each chunk encrypted under its own data encryption key (DEK). DEKs are stored near the data they encrypt and are themselves protected by a key encryption key (KEK), which is what you manage with Cloud KMS.
Cloud KMS uses AES-256 keys, with the cipher implementation provided by Google's open source BoringSSL library. Google additionally notes that the cipher is used in Galois/Counter Mode (GCM), which provides authenticated encryption at high data rates because the mode can be pipelined and parallelized.