How To Secure Data In Transit
This is the third whitepaper on how Google uses encryption to protect your data. In this whitepaper, you will find more detail on encryption in transit for Google Cloud, including Google Cloud Platform and Google Workspace.
For all Google products, we strive to keep customer data highly protected and to be as transparent as possible about how we secure it.
The content contained herein is correct as of December 2017. This whitepaper represents the status quo as of the time it was written. Google Cloud's security policies and systems might change going forward, as we continually improve protection for our customers.
Google Cloud Encryption in Transit
CIO-level summary
- Google employs several security measures to help ensure the authenticity, integrity, and privacy of information in transit.
- For the use cases discussed in this whitepaper, Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted.
- Depending on the connection that is being made, Google applies default protections to data in transit. For example, we secure communications between the user and the Google Front End (GFE) using TLS.
- Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
- Google works actively with the industry to help bring encryption in transit to everyone, everywhere. We have several open-source projects that encourage the use of encryption in transit and data security on the Internet at large, including Certificate Transparency, Chrome APIs, and secure SMTP.
- Google plans to remain the industry leader in encryption in transit. To this end, we dedicate resources toward the development and improvement of encryption technology. Our work in this area includes innovations in the areas of Key Transparency and post-quantum cryptography.
Introduction
Security is often a deciding factor when choosing a public cloud provider. At Google, security is of the utmost importance. We work tirelessly to protect your data, whether it is traveling over the Internet, moving within Google's infrastructure, or stored on our servers.
Central to Google's security strategy are authentication, integrity, and encryption, for both data at rest and in transit. This paper describes our approach to encryption in transit for Google Cloud.
For data at rest, see Encryption at Rest in Google Cloud Platform. For an overview across all of Google Security, see Google Infrastructure Security Design Overview.
Audience: this document is aimed at CISOs and security operations teams using or considering Google Cloud.
Prerequisites: in addition to this introduction, we assume a basic understanding of encryption and cryptographic primitives.
Authentication, Integrity, and Encryption
Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
- Authentication: we verify the data source, either a human or a process, and destination.
- Integrity: we make sure data you send arrives at its destination unaltered.
- Encryption: we make your data unintelligible while in transit to keep it private. Encryption is the process through which legible data (plaintext) is made illegible (ciphertext) with the goal of ensuring the plaintext is only accessible by parties authorized by the owner of the data. The algorithms used in the encryption process are public, but the key required for decrypting the ciphertext is private. Encryption in transit often uses asymmetric key exchange, such as elliptic-curve-based Diffie-Hellman, to establish a shared symmetric key that is used for data encryption. For more information on encryption, see Introduction to Modern Cryptography.
Encryption can be used to protect data in three states:
- Encryption at rest: protects your data from a system compromise or data exfiltration by encrypting data while stored. The Advanced Encryption Standard (AES) is often used to encrypt data at rest.
- Encryption in transit: protects your data if communications are intercepted while data moves between your site and the cloud provider or between two services. This protection is achieved by encrypting the data before transmission; authenticating the endpoints; and decrypting and verifying the data on arrival. For example, Transport Layer Security (TLS) is often used to encrypt data in transit for transport security, and Secure/Multipurpose Internet Mail Extensions (S/MIME) is used often for email message security.
- Encryption in use: protects your data in memory from compromise or data exfiltration by encrypting data while it is being processed, e.g. Confidential Computing.
Encryption is one component of a broader security strategy. Encryption in transit defends your data, after a connection is established and authenticated, against potential attackers by:
- Removing the need to trust the lower layers of the network which are commonly provided by third parties
- Reducing the potential attack surface
- Preventing attackers from accessing data if communications are intercepted
With adequate authentication, integrity, and encryption, data that travels between users, devices, or processes can be protected in a hostile environment. The remainder of this paper explains Google's approach to the encryption of data in transit and where it is applied.
Google's Network Infrastructure
Physical boundaries
Google applies different protections to data in transit when it is transmitted outside a physical boundary controlled by or on behalf of Google. A physical boundary is the barrier to a physical space that is controlled by or on behalf of Google, where we can ensure that rigorous security measures are in place. Physical access to these locations is restricted and heavily monitored. Only a small percentage of Google employees have access to hardware. Data in transit within these physical boundaries is generally authenticated, but may not be encrypted by default - you can choose which additional security measures to apply based on your threat model.
Due to the scale of the global Internet, we cannot put these same physical security controls in place for the fiber links in our WAN, or anywhere outside of physical boundaries controlled by or on behalf of Google. For this reason, we automatically enforce additional protections outside of our physical trust boundary. These protections include encryption of data in transit.
How traffic gets routed
To fully understand how encryption in transit works at Google, it is also necessary to explain how traffic gets routed through the Internet. This section describes how requests get from an end user to the appropriate Google Cloud service or customer application, and how traffic is routed between services.
A Google Cloud service is a modular cloud service that we offer to our customers. These services include computing, data storage, data analytics and machine learning. For example, Google Cloud Storage and Gmail are both Google Cloud services. A customer application is an application hosted on Google Cloud that you, as a Google customer, can build and deploy using Google Cloud services. Customer applications or partner solutions that are hosted on Google Cloud are not considered Google Cloud services[1]. For example, an application you build using Google App Engine, Google Kubernetes Engine, or a VM in Google Compute Engine is a customer application.
The five kinds of routing requests discussed below are shown in Figure 1. This figure shows the interactions between the various network components and the security in place for each connection.
End user (Internet) to a Google Cloud Service
Google Cloud services accept requests from around the world using a globally distributed system called the Google Front End (GFE). GFE terminates traffic for incoming HTTP(S), TCP and TLS proxy traffic, provides DDoS attack countermeasures, and routes and load balances traffic to the Google Cloud services themselves. There are GFE points of presence around the globe with routes advertised via unicast or Anycast.
GFEs proxy traffic to Google Cloud services. GFEs route the user's request over our network backbone to a Google Cloud service. This connection is authenticated and encrypted from GFE to the front-end of the Google Cloud service or customer application, when those communications leave a physical boundary controlled by Google or on behalf of Google. Figure 1 shows this interaction (labelled connection A).
End user (Internet) to a customer application hosted on Google Cloud
There are several ways traffic from the Internet can be routed to a customer application you host on Google Cloud. The way your traffic is routed depends on your configuration, as explained below. Figure 1 shows this interaction (labelled connection B).
Cryptographic protections are provided to example configurations as follows:
- If you are connecting via the VM's external IP, or via a network-load-balanced IP, the connection does not go through the GFE. This connection is not encrypted by default and its security is provided at the user's discretion.
- If you are connecting from a host on your premises to a Google Cloud VM via a Cloud VPN, the connection goes from/to your on-premises host, to the on-premises VPN, to the Cloud VPN, to the Google Cloud VM. The connection is protected from the on-premises VPN to the Cloud VPN with IPSec. The connection from the Cloud VPN to the Google Cloud VM is authenticated and encrypted by Google.
- If you are connecting via Cloud Dedicated Interconnect, the connection goes from/to your on-premises host directly and the connection does not go through the GFE. This connection is not encrypted by default and its security is provided at the user's discretion. You can use the Transport Layer Security (TLS) Layer 7 cryptographic protocol to encrypt application traffic over Dedicated Interconnect.
- If you are using a Google Cloud HTTP(S) or TCP/SSL proxy Load Balancer external load balancer, consult the Load Balancer product documentation.
Virtual Machine to Virtual Machine
VM-to-VM connections within VPC networks and peered VPC networks inside of Google's production network are authenticated and encrypted. This includes connections between customer VMs and between customer and Google-managed VMs such as Cloud SQL. Figure 1 shows this interaction (labelled connection C).
Connectivity to Google APIs and services
Traffic handling differs depending on the location of the Google Cloud service:
- Most Google APIs and services are hosted on Google Front Ends (GFEs); however, some services are hosted on Google-managed instances. For example, private services access and GKE masters for private clusters are hosted on Google-managed instances. With Private Google Access, VMs that don't have external IP addresses can access supported Google APIs and services, including customer applications hosted on App Engine. For more information about access to Google APIs and services, see Private access options for services.
- If a Compute Engine VM instance connects to the external IP address of another Compute Engine VM instance, traffic remains in Google's production network. Systems that are outside of Google's production network that connect to an external IP address of a Compute Engine VM instance have traffic routed over the internet.
Figure 1 shows an external path (labeled connection D). Typical cases of this kind of routing request are:
- From a Compute Engine VM to Google Cloud Storage
- From a Compute Engine VM to a Machine Learning API
From the VM to the GFE, Google Cloud services support protecting these connections with TLS by default[2]. The connection is authenticated from the GFE to the service and encrypted if the connection leaves a physical boundary.
Google Cloud service to Google Cloud service
Routing from one production service to another takes place on our network backbone and may require routing traffic outside of physical boundaries controlled by or on behalf of Google. Figure 1 shows this interaction (labelled connection E). An example of this kind of traffic is a Google Cloud Storage event triggering Google Cloud Functions. Connections between production services are encrypted if they leave a physical boundary, and authenticated within the physical boundary.
Figure 1: Protection by default and options overlaid on a VPC network
Encryption in Transit by Default
Google uses various methods of encryption, both default and user configurable, for data in transit. The type of encryption used depends on the OSI layer, the type of service, and the physical component of the infrastructure. Figures 2 and 3 below illustrate the optional and default protections Google Cloud has in place for layers 3, 4, and 7.
Figure 2: Protection by Default and Options at Layers 3 and 4 across Google Cloud
Figure 3: Protection by Default and Options at Layer 7 across Google Cloud[3]
The rest of this section describes the default protections that Google uses to protect data in transit.
User to Google Front End encryption
Today, many systems use HTTPS to communicate over the Internet. HTTPS provides security by using a TLS connection, which ensures the authenticity, integrity, and privacy of requests and responses. To accept HTTPS requests, the receiver requires a public–private key pair and an X.509 certificate for server authentication from a Certificate Authority (CA). The key pair and certificate help protect a user's requests at the application layer (layer 7) by proving that the receiver owns the domain name for which requests are intended. The following subsections discuss the components of user to GFE encryption, namely: TLS, BoringSSL, and Google's Certificate Authority. Recall that not all customer paths route via the GFE; notably, the GFE is used for traffic from a user to a Google Cloud service, and from a user to a customer application hosted on Google Cloud that uses Google Cloud Load Balancing.
Transport Layer Security (TLS)
When a user sends a request to a Google Cloud service, we secure the data in transit; providing authentication, integrity, and encryption, using HTTPS with a certificate from a web (public) certificate authority. Any data the user sends to the GFE is encrypted in transit with Transport Layer Security (TLS) or QUIC. GFE negotiates a particular encryption protocol with the client depending on what the client is able to support. GFE negotiates more modern encryption protocols when possible.
GFE's scaled TLS encryption applies not only to end-user interactions with Google, it also facilitates API interactions with Google over TLS, including Google Cloud. Additionally, our TLS encryption is used in Gmail to exchange email with external mail servers (more detail in Require TLS in Gmail).
Google is an industry leader in both the adoption of TLS and the strengthening of its implementation. To this end, we have enabled, by default, many of the security features of TLS. For example, since 2011 we have been using forward secrecy in our TLS implementation. Forward secrecy makes sure the key that protects a connection is not persisted, so an attacker that intercepts and reads one message cannot read previous messages.
BoringSSL
BoringSSL is a Google-maintained, open-source implementation of the TLS protocol, forked from OpenSSL, that is generally interface-compatible with OpenSSL. Google forked BoringSSL from OpenSSL to simplify OpenSSL, both for internal use and to better support the Chromium and Android Open Source Projects. BoringCrypto, the core of BoringSSL, has been validated to FIPS 140-2 level 1.
TLS in the GFE is implemented with BoringSSL. Table 1 shows the encryption protocols that GFE supports when communicating with clients. Each column is an independent list of supported options, not a row-wise mapping.
Protocols | Authentication | Key exchange | Encryption | Hash Functions |
---|---|---|---|---|
TLS 1.3[4] | RSA 2048 | Curve25519 | AES-128-GCM | SHA384 |
TLS 1.2 | ECDSA P-256 | P-256 (NIST secp256r1) | AES-256-GCM | SHA256 |
TLS 1.1 | | | AES-128-CBC | SHA1[8] |
TLS 1.0[5] | | | AES-256-CBC | MD5[9] |
QUIC[6] | | | ChaCha20-Poly1305 | |
| | | 3DES[7] | |
Table 1: Encryption Implemented in the Google Front End for Google Cloud Services and Implemented in the BoringSSL Cryptographic Library
As part of TLS, a server must prove its identity to the user when it receives a connection request. This identity verification is accomplished in the TLS protocol by having the server present a certificate containing its claimed identity. The certificate contains both the server's DNS hostname and its public key. Once presented, the certificate is signed by an issuing Certificate Authority (CA) that is trusted by the user requesting the connection[10]. As a result, users who request connections to the server only need to trust the root CA. If the server wants to be accessed ubiquitously, the root CA needs to be known to the client devices worldwide. Today, most browsers, and other TLS client implementations, each have their own set of root CAs that are configured as trusted in their "root store".
Historically, Google operated its own issuing CA, which we used to sign certificates for Google domains. We did not, however, operate our own root CA. Today, our CA certificates are cross-signed by multiple root CAs which are ubiquitously distributed, including Symantec ("GeoTrust") and roots previously operated by GlobalSign ("GS Root R2" and "GS Root R4").
In June 2017, we announced a transition to using Google-owned root CAs. Over time, we plan to operate a ubiquitously distributed root CA which will issue certificates for Google domains and for our customers.
Root key migration and key rotation
Root CA keys are not changed often, as migrating to a new root CA requires all browsers and devices to embed trust of that certificate, which takes a long time. As a result, even though Google now operates its own root CAs, we will continue to rely on multiple third-party root CAs for a transitional period to account for legacy devices while we migrate to our own.
Creating a new root CA requires a key ceremony. At Google, the ceremony mandates that a minimum 3 of the 6 possible authorized individuals physically gather to use hardware keys that are stored in a safe. These individuals meet in a dedicated room, shielded from electromagnetic interference, with an air-gapped Hardware Security Module (HSM), to generate a set of keys and certificates. The dedicated room is in a secure location in Google data centers. Additional controls, such as physical security measures, cameras, and other human observers, ensure that the process goes as planned. If the ceremony is successful the generated certificate is identical to a sample certificate, except for the issuer name, public key and signature. The resulting root CA certificate is then submitted to browser and device root programs for inclusion. This process is designed to ensure that the privacy and security of the associated private keys are well understood so the keys can be relied upon for a decade or more.
As described earlier, CAs use their private keys to sign certificates, and these certificates verify identities when initiating a TLS handshake as part of a user session. Server certificates are signed with intermediate CAs, the creation of which is similar to the creation of a root CA. The intermediate CA's certificates are distributed as part of the TLS session so it's easier to migrate to a new intermediate CA. This method of distribution also enables the CA operator to keep the root CA key material in an offline state.
The security of a TLS session is dependent on how well the server's key is protected. To further mitigate the risk of key compromise, Google's TLS certificate lifetimes are limited to approximately three months and the certificates are rotated approximately every two weeks.
A client that has previously connected to a server can use a private ticket key[11] to resume a prior session with an abbreviated TLS handshake, making these tickets very valuable to an attacker. Google rotates ticket keys at least once a day and expires the keys across all properties every 3 days. To learn more about session ticket key rotation, see Measuring the Security Harm of TLS Crypto Shortcuts.
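As an added example (not code from the whitepaper or from Google), the Go program below turns the modern rows of Table 1 and the root-store discussion above into a server policy and checks it entirely in-process: TLS 1.2 as the floor with TLS 1.3 preferred, X25519 or P-256 key exchange, AEAD-only suites for TLS 1.2, and a client that trusts exactly one root. The self-signed ECDSA trust anchor, the hostname gfe.example.internal, the one-message round trip over net.Pipe and the TLS 1.0-only client are all constructed for the demonstration; the legacy client is refused at the version check before any key exchange takes place.

```go
// Added example, not Google's code: a Table-1-style TLS policy checked in-process.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const serverName = "gfe.example.internal" // constructed name; must be in the cert's SANs

// NewTrustAnchor creates a self-signed ECDSA P-256 certificate and returns it
// as the server's key pair plus a client root store holding only that cert.
func NewTrustAnchor() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed demo root"},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// ServerPolicy mirrors the modern rows of Table 1: TLS 1.2 floor (TLS 1.3
// preferred), X25519 or P-256 key exchange, AEAD-only suites for TLS 1.2.
// Tickets are disabled only to keep this in-memory demo free of post-handshake
// records; a real deployment rotates ticket keys as the text describes.
func ServerPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
		},
		SessionTicketsDisabled: true,
	}
}

// ClientConfig trusts only the constructed root and offers the given version range.
func ClientConfig(roots *x509.CertPool, lo, hi uint16) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: lo, MaxVersion: hi}
}

// Negotiate runs a handshake and one application round trip over net.Pipe
// (no sockets) and returns the client's view of the negotiated connection.
func Negotiate(server, client *tls.Config) (tls.ConnectionState, error) {
	srvEnd, cliEnd := net.Pipe()
	defer srvEnd.Close()
	defer cliEnd.Close()
	srvErr := make(chan error, 1)
	go func() {
		s := tls.Server(srvEnd, server)
		buf := make([]byte, 4)
		if _, err := s.Read(buf); err != nil { // Read drives the server handshake
			srvErr <- err
			return
		}
		_, err := s.Write([]byte("pong"))
		srvErr <- err
	}()
	c := tls.Client(cliEnd, client)
	if err := c.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if _, err := c.Write([]byte("ping")); err != nil {
		return tls.ConnectionState{}, err
	}
	if _, err := c.Read(make([]byte, 4)); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return c.ConnectionState(), nil
}
```

Calling Negotiate(ServerPolicy(cert), ClientConfig(roots, tls.VersionTLS12, tls.VersionTLS13)) yields a TLS 1.3 connection state, while ClientConfig(roots, tls.VersionTLS10, tls.VersionTLS10) returns a protocol-version error. Because the leaf certificate is itself the only entry in the client's root store, the example also shows the "only trust the root CA" model from the text in its smallest form.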
Google Front End to Application Front Ends
In some cases, as discussed in How traffic gets routed, the user connects to a GFE inside of a different physical boundary than the desired service and the associated Application Front End. When this occurs, the user's request and any other layer 7 protocol, such as HTTP, is either protected by TLS, or encapsulated in an RPC which is protected using Application Layer Transport Security (ALTS), discussed in Service-to-service authentication, integrity, and encryption. These RPCs are authenticated and encrypted.
For Google Cloud services, RPCs are protected using ALTS by default. For customer applications hosted on Google Cloud, if traffic is routed via the Google Front End, for example if they are using the Google Cloud Load Balancer, traffic to the VM is protected using Google Cloud's virtual network encryption, described in the next section.
Google Cloud's virtual network encryption and authentication
Encryption of private IP traffic inside the same VPC or across peered VPC networks within Google Cloud's virtual network is performed at the network layer.
We use the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with a 128-bit key (AES-128-GCM) to implement encryption at the network layer. Each pair of communicating hosts establishes a session key via a control channel protected by ALTS for authenticated and encrypted communications. The session key is used to encrypt all VM-to-VM communication between those hosts, and session keys are rotated periodically.
At the network layer (layer 3), Google Cloud's virtual network authenticates all traffic between VMs. This authentication, achieved via security tokens, protects against a compromised host spoofing packets on the network.
During authentication, security tokens are encapsulated in a tunnel header which contains authentication information about the sender and receiver. The control plane[12] on the sending side sets the token, and the receiving host validates the token. Security tokens are pre-generated for every flow, and consist of a token key (containing the sender's information) and the host secret. One secret exists for every source-receiver pair of physical boundaries controlled by or on behalf of Google.
Figure 4 shows how token keys, host secrets, and security tokens are created.
Figure 4: Security Tokens
The physical boundary secret is a 128-bit pseudorandom number, from which host secrets are derived by taking an HMAC-SHA1. The physical boundary secret is negotiated by a handshake between the network control planes of a pair of physical boundaries and renegotiated every few hours. The security tokens used for individual VM-to-VM authentication, derived from these and other inputs, are HMACs, negotiated for a given sender and receiver pair.
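The derivation chain in Figure 4, sketched as an added Go example that is not Google's code: a 128-bit boundary secret, host secrets taken from it with HMAC-SHA1 as the text states, and a per-flow HMAC token that the receiving side recomputes. The "host:" label, the host identifiers, the sender/receiver/flow tuple standing in for the token key, and the choice of HMAC-SHA1 for the per-flow token are assumptions (the text says only that the tokens are HMACs "derived from these and other inputs"). HMAC-SHA1 is kept because the text names it; HMAC's security does not depend on SHA-1 collision resistance.

```go
// Added example, not Google's code: a sketch of the Figure 4 token chain. The
// host identifier, the flow tuple and the per-flow HMAC are assumptions.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// NewBoundarySecret stands in for the 128-bit value the two control planes
// negotiate for a pair of physical boundaries (renegotiated every few hours).
func NewBoundarySecret() []byte {
	s := make([]byte, 16)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return s
}

// HostSecret derives a host's secret with HMAC-SHA1 keyed on the boundary
// secret, as the text states; the "host:" label and host id are assumptions.
func HostSecret(boundary []byte, hostID string) []byte {
	mac := hmac.New(sha1.New, boundary)
	mac.Write([]byte("host:" + hostID))
	return mac.Sum(nil)
}

// SecurityToken is the per-flow HMAC the sending control plane attaches. The
// sender/receiver/flow tuple plays the role of the token key (assumed layout).
func SecurityToken(hostSecret []byte, sender, receiver string, flow uint32) []byte {
	mac := hmac.New(sha1.New, hostSecret)
	fmt.Fprintf(mac, "%s|%s|%d", sender, receiver, flow)
	return mac.Sum(nil)
}

// Validate is the receiving side's check: it re-derives the claimed sender's
// host secret from the shared boundary secret, recomputes the token and
// compares in constant time. A host holding only its own host secret cannot
// produce a token that passes for another sender.
func Validate(boundary []byte, senderHost, sender, receiver string, flow uint32, token []byte) bool {
	expected := SecurityToken(HostSecret(boundary, senderHost), sender, receiver, flow)
	return hmac.Equal(token, expected)
}

func main() {
	boundary := NewBoundarySecret() // shared by both sides' control planes
	// Host A legitimately sends flow 7 to host B (constructed addresses).
	tok := SecurityToken(HostSecret(boundary, "host-a"), "10.0.0.1", "10.0.0.2", 7)
	fmt.Println("genuine token accepted:", Validate(boundary, "host-a", "10.0.0.1", "10.0.0.2", 7, tok))
	// A compromised host C, holding only its own host secret, claims to be A.
	forged := SecurityToken(HostSecret(boundary, "host-c"), "10.0.0.1", "10.0.0.2", 7)
	fmt.Println("spoofed token accepted:", Validate(boundary, "host-a", "10.0.0.1", "10.0.0.2", 7, forged))
}
```

Two properties of the text fall out directly: a token is bound to one sender/receiver/flow, so it does not validate on a different flow, and renegotiating the boundary secret invalidates every token derived under the old one.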
Service-to-service authentication, integrity, and encryption
Within Google's infrastructure, at the application layer (layer 7), we use our Application Layer Transport Security (ALTS) for the authentication, integrity, and encryption of Google RPC calls from the GFE to a service, and from service to service.
ALTS uses service accounts for authentication. Each service that runs in Google's infrastructure runs as a service account identity with associated cryptographic credentials. When making or receiving RPCs from other services, a service uses its credentials to authenticate. ALTS verifies these credentials using an internal certificate authority.
Within a physical boundary controlled by or on behalf of Google, ALTS provides both authentication and integrity for RPCs in "authentication and integrity" mode. For traffic over the WAN outside of physical boundaries controlled by or on behalf of Google, ALTS enforces encryption for infrastructure RPC traffic automatically in "authentication, integrity, and privacy" mode. Currently, all traffic to Google services, including Google Cloud services, benefits from these same protections.
ALTS is also used to encapsulate other layer 7 protocols, such as HTTP, in infrastructure RPC mechanisms for traffic moving from the Google Front End to the Application Front End. This protection isolates the application layer and removes any dependency on the network path's security.
Services can be configured to accept and send ALTS communications only in "authentication, integrity and privacy" mode, even inside physical boundaries controlled by or on behalf of Google. One example is Google's internal key management service, which stores and manages the encryption keys used to protect data stored at rest in Google's infrastructure.
ALTS Protocol
ALTS has a secure handshake protocol similar to mutual TLS. Two services wishing to communicate using ALTS employ this handshake protocol to authenticate and negotiate communication parameters before sending any sensitive information. The protocol is a two-step process:
- Step 1: Handshake. The client initiates an elliptic curve Diffie-Hellman (ECDH) handshake with the server using Curve25519. The client and server each have certified ECDH public parameters as part of their certificate, which is used during a Diffie-Hellman key exchange. The handshake results in a common traffic key that is available on the client and the server. The peer identities from the certificates are surfaced to the application layer to use in authorization decisions.
- Step 2: Record encryption. Using the common traffic key from Step 1, data is transmitted from the client to the server securely. Encryption in ALTS is implemented using BoringSSL and other encryption libraries. Encryption is most commonly AES-128-GCM while integrity is provided by AES-GCM's GMAC.
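The two steps above, as an added Go example that is not Google's ALTS implementation: step 1 is an X25519 (Curve25519) exchange on both sides ending in the same traffic key material with each side's peer identity surfaced for authorization, and step 2 seals records with AES-128-GCM so that GCM's tag (the GMAC) rejects any modified byte. The key-derivation transcript (HMAC-SHA256 over both public keys, split into one 128-bit key per direction), the counter nonce, the record framing and the replay check are assumptions made for the demo; the text states only that a common traffic key results and that records are AES-128-GCM protected. The ALTS certificates that would carry the public keys are represented here by in-memory Peer values.

```go
// Added example, not Google's ALTS: X25519 handshake plus AES-128-GCM records.
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Peer is one service: its identity (a CA-certified service account in ALTS) and X25519 key pair.
type Peer struct {
	Identity string
	priv     *ecdh.PrivateKey
}

func NewPeer(identity string) (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Identity: identity, priv: priv}, nil
}

// trafficKeys is step 1 on one side: X25519 shared secret, expanded with HMAC-SHA256
// over both public keys into two 128-bit keys (assumed KDF; the text states a common key).
func (p *Peer) trafficKeys(peerPub *ecdh.PublicKey, transcript []byte) ([]byte, error) {
	shared, err := p.priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte("alts-demo traffic keys"))
	kdf.Write(transcript)
	return kdf.Sum(nil), nil // [:16] client->server, [16:] server->client
}

// Record is step 2 for one direction: AES-128-GCM under a counter nonce. The
// GCM tag (the GMAC) rejects any modified byte; the counter rejects replays.
type Record struct {
	aead cipher.AEAD
	seq  uint64
}
func NewRecord(key []byte) *Record {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		panic(err) // key length is fixed by trafficKeys
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &Record{aead: aead}
}

// nonce is 4 zero bytes followed by the 64-bit sequence number.
func (r *Record) nonce() []byte { return binary.BigEndian.AppendUint64(make([]byte, 4, 12), r.seq) }

// Seal frames a record as sequence number || ciphertext, binding the sequence number as AAD.
func (r *Record) Seal(plaintext []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(nil, r.seq)
	out := append(hdr, r.aead.Seal(nil, r.nonce(), plaintext, hdr)...)
	r.seq++
	return out
}

func (r *Record) Open(rec []byte) ([]byte, error) {
	if len(rec) < 8 || binary.BigEndian.Uint64(rec[:8]) != r.seq {
		return nil, errors.New("short, replayed or out-of-order record")
	}
	pt, err := r.aead.Open(nil, r.nonce(), rec[8:], rec[:8])
	if err != nil {
		return nil, err
	}
	r.seq++
	return pt, nil
}

// Session: the peer identity surfaced for authorization decisions, one Record per direction.
type Session struct {
	PeerIdentity string
	Send, Recv   *Record
}

// Handshake runs step 1 for both peers in-process (ALTS carries the public keys in certificates).
func Handshake(client, server *Peer) (*Session, *Session, error) {
	cPub, sPub := client.priv.PublicKey(), server.priv.PublicKey()
	transcript := append(cPub.Bytes(), sPub.Bytes()...)
	ck, errC := client.trafficKeys(sPub, transcript)
	sk, errS := server.trafficKeys(cPub, transcript)
	if errC != nil || errS != nil || !hmac.Equal(ck, sk) {
		return nil, nil, errors.New("handshake failed: traffic keys differ")
	}
	return &Session{server.Identity, NewRecord(ck[:16]), NewRecord(ck[16:])},
		&Session{client.Identity, NewRecord(sk[16:]), NewRecord(sk[:16])}, nil
}
```

After Handshake, client.Send.Seal(msg) opens correctly with server.Recv.Open and vice versa; flipping one ciphertext byte or re-presenting an earlier record fails, which is the integrity property the GMAC provides on top of confidentiality. Using a distinct key per direction is what keeps the two counters from ever colliding on a nonce under one key.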
The following diagram shows the ALTS handshake in detail. In newer implementations, a process helper does the handshake; there are still some cases where this is done directly by the applications.
Figure 5: ALTS handshake
As described at the start of section Service-to-service authentication, integrity, and encryption, ALTS uses service accounts for authentication, with each service that runs on Google's infrastructure running as a service identity with associated cryptographic credentials. During the ALTS handshake, the process helper accesses the private keys and corresponding certificates that each client-server pair uses in their communications. The private key and corresponding certificate (signed protocol buffer) have been provisioned for the service account identity of the service.
ALTS Certificates
There are multiple kinds of ALTS certificate:
- Machine certificates: provide an identity to core services on a specific machine. These are rotated approximately every 6 hours.
- User certificates: provide an end user identity for a Google engineer developing code. These are rotated approximately every 20 hours.
- Borg job certificates: provide an identity to jobs running within Google's infrastructure. These are rotated approximately every 48 hours.
The root certification signing key is stored in Google's internal certificate authority (CA), which is unrelated to and independent of our external CA.
Encryption in ALTS
Encryption in ALTS can be implemented using a variety of algorithms, depending on the machines that are used. For example, most services use AES-128-GCM[13]. More information on ALTS encryption can be found in Table 2.
Machines | Message encryption used | Notes |
---|---|---|
Most common | AES-128-GCM | |
Sandy Bridge or older | AES-128-VCM | Uses a VMAC instead of a GMAC and is slightly more efficient on these older machines. |
Table 2: Encryption in ALTS
Most Google services use ALTS, or RPC encapsulation that uses ALTS. In cases where ALTS is not used, other protections are employed. For example:
- Some low-level machine management and bootstrapping services use SSH
- Some low-level infrastructure logging services use TLS or Datagram TLS (DTLS)[14]
- Some services that use non-TCP transports use other cryptographic protocols or network level protections when inside physical boundaries controlled by or on behalf of Google
Communications between VMs and Google Cloud Platform services use TLS to communicate with the Google Front End, not ALTS. We describe these communications in Virtual machine to Google Front End encryption.
Virtual machine to Google Front End encryption
VM to GFE traffic uses external IPs to reach Google services, but you can configure the Private Google Access feature to use Google-only IP addresses for the requests.
As with requests from an external user to Google, we support TLS traffic by default from a VM to the GFE. The connection happens in the same way as any other external connection. For more information on TLS, see Transport Layer Security (TLS).
User-configurable options for encryption in transit
Encryption in Transit described the default protections that Google has in place for data in transit. This section describes the configurations our users can make to these default protections.
On-premises data middle to Google Cloud
TLS using GCLB external load balancers
If your cloud service uses a Google HTTPS or SSL Proxy external load balancer, GFE terminates the TLS connections from your users using SSL certificates that you provision and control. More information on customizing your certificate can be found in our SSL Certificates documentation.
IPSec tunnel using Cloud VPN
As a Google Cloud customer, you can use Google Cloud VPN to securely connect your on-premises network to your Google Cloud VPC network through an IPSec VPN connection (layer 3). Traffic traveling between the two networks is encrypted by one VPN gateway and decrypted by the other VPN gateway. This protects your data over the Internet. In addition, you can set up multiple, load-balanced tunnels through multiple VPN gateways. Cloud VPN protects your data in the following ways:
- Packets from your VMs to the Cloud VPN gateway remain inside the VPC network. These packets are authenticated and encrypted by Google Cloud's virtual network.
- Packets from the Cloud VPN gateway to your on-premises VPN gateway are authenticated and encrypted using an IPSec tunnel.
- Packets from your on-premises VPN gateway to your on-premises hosts are protected by whatever controls you have in place on your network.
To set up a VPN, create a Cloud VPN gateway and tunnel on the hosted service's VPC network, then permit traffic between the networks. You also have the option of setting up a VPN between two VPC networks.
You can further customize your network by specifying the Internet Key Exchange (IKE) version for your VPN tunnel. There are two versions of IKE to choose from, IKEv1 and IKEv2, each of which supports different ciphers. If you specify IKEv1, Google encrypts the packets using AES-128-CBC and provides integrity through SHA-1 HMAC. For IKEv2, a variety of ciphers are available and supported. In all cases, Cloud VPN will negotiate the most secure common protocol the peer devices support. Because the negotiated suite is bounded by what the on-premises peer proposes, review the peer device's IKE and ESP proposals rather than relying on the Cloud VPN side alone. Full instructions on setting up a VPN can be found in our documentation Choosing a VPN Routing Option.
An alternative to a Cloud VPN (IPSec) tunnel is Google Cloud Dedicated Interconnect. Dedicated Interconnect provides direct physical connections and private IP communication between your on-premises network and your VPC network. The data traveling over Dedicated or Partner Interconnect is NOT encrypted by default and should be secured at the application layer, using TLS for example. MACsec (layer 2 protection) is not currently supported.
User to Google Front End
Managed SSL certificates: Free and automated certificates
When building an application on Google Cloud, you can leverage GFE's support of TLS by configuring the SSL certificate you use. For example, you can have the TLS session terminate in your application. This termination is different from the TLS termination described in TLS using GCLB external load balancers.
Google also provides free and automated SSL certificates for both Firebase Hosting and Google App Engine custom domains. These certificates are only available for Google-hosted properties. With Google App Engine custom domains, you can also provide your own SSL certificates and use an HTTP Strict Transport Security (HSTS) header.
Once your domain is pointed at Google's infrastructure, we request and obtain a certificate for that domain to allow secure communications. We manage the TLS server private keys, which are either 2048-bit RSA or secp256r1 ECC, and renew certificates on behalf of our customers.
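The HSTS header mentioned above has to be emitted by the application itself, and only on responses that actually travelled over HTTPS (RFC 6797 tells clients to ignore it otherwise). The following is an added example, not code from the whitepaper or from App Engine: a WSGI middleware that redirects plaintext requests and adds a well-formed Strict-Transport-Security header on secure responses. It assumes the TLS-terminating front end reports the original scheme in an X-Forwarded-Proto request header; that header name is an assumption to confirm for your platform.

```python
"""Added example (not from the whitepaper): HTTPS enforcement plus HSTS for a
WSGI application running behind a TLS-terminating front end.
Assumption: the front end sets X-Forwarded-Proto to the client's scheme."""
from urllib.parse import quote

ONE_YEAR = 31536000  # browser preload lists require max-age of at least one year


def hsts_value(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Build a Strict-Transport-Security value. The 'preload' token is only
    honoured by preload lists when max-age >= 1 year and includeSubDomains is set."""
    if preload and (max_age < ONE_YEAR or not include_subdomains):
        raise ValueError("preload requires max-age >= 1 year and includeSubDomains")
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def request_is_https(environ):
    """Trust the front end's X-Forwarded-Proto (assumed header), else the WSGI scheme."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        # Chained proxies may append values ("https, http"); the first is the client hop.
        return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


class StrictTransport:
    """Redirect plaintext requests to HTTPS; add HSTS on HTTPS responses only."""

    def __init__(self, app, header_value=None):
        self.app = app
        self.header_value = header_value or hsts_value()

    def __call__(self, environ, start_response):
        if not request_is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = "https://%s%s%s" % (host, path, "?" + qs if qs else "")
            # 301 is cacheable for GET/HEAD; 307 keeps other methods and bodies intact.
            if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
                status = "301 Moved Permanently"
            else:
                status = "307 Temporary Redirect"
            start_response(status, [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Replace any HSTS header the app set so the policy is defined in one place.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.header_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, secure_start_response)


def hello_app(environ, start_response):
    """Trivial inner application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run(app, environ):
    """Minimal in-process WSGI driver: returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Wrap your WSGI entry point as `StrictTransport(app)`; the redirect branch never emits HSTS, so a client that first reaches you over HTTP learns the policy only after it has been upgraded.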
Require TLS in Gmail
As discussed in Transport Layer Security, Gmail uses TLS by default. Gmail records and displays whether the last hop an email made was over a TLS session. When a Gmail user exchanges an email with another Gmail user, the emails are protected by TLS, or in some cases, sent directly inside the application. In these cases, the RPCs used by the Gmail application are protected with ALTS as described in Service-to-service authentication, integrity, and encryption. For incoming messages from other email providers, Gmail does not enforce TLS by default. Gmail administrators can configure Gmail to require a secure TLS connection for all incoming and outgoing emails. When this is enforced, a message that cannot be carried over TLS is rejected rather than delivered in the clear, so the setting is usually scoped to the specific domains you exchange sensitive mail with.
Gmail S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) is an email security standard that provides authentication, integrity, and encryption. The implementation of the S/MIME standard mandates that certificates associated with users sending emails are issued by a public CA.
As an administrator, you can configure Gmail to enable S/MIME for outgoing emails, set policies for content and attachment compliance, and create routing rules for incoming and outgoing emails. Once configured, you must upload users' public certificates to Gmail using the Gmail API. For users external to Gmail, an initial S/MIME-signed message must be exchanged to set S/MIME as the default.
Service-to-service and VM-to-VM encryption
Istio is an open-source service mesh developed by Google, IBM, Lyft, and others, to simplify service discovery and connectivity. Istio authentication provides automatic encryption of data in transit between services, and management of the associated keys and certificates. Istio can be used in Google Kubernetes Engine and Google Compute Engine.
If you want to implement mutual authentication and encryption for workloads, you can use Istio auth. Specifically, for a workload in Kubernetes, Istio auth allows a cluster-level CA to generate and distribute certificates, which are then used for pod-to-pod mutual Transport Layer Security (mTLS). A mesh can be configured to accept both mTLS and plaintext while workloads are being migrated; once every workload carries a sidecar, switch to mTLS-only (strict) mode, otherwise a client without a sidecar can still reach the service unencrypted and unauthenticated.
How Google helps the Internet encrypt data in transit
Encryption in Transit by Default and User-configurable options for encryption in transit explained the default and customizable protections Google Cloud has in place for customer data in transit. In addition, Google has several open-source projects and other efforts that encourage the use of encryption in transit and data security on the Internet at large.
Certificate Transparency
As discussed in User to Google Front End encryption, to offer HTTPS, a site must first apply for a certificate from a trusted web (public) Certificate Authority (CA). The Certificate Authority is responsible for verifying that the applicant is authorized by the domain holder, as well as ensuring that any other information included in the certificate is accurate. This certificate is then presented to the browser to authenticate the site the user is trying to access. In order to ensure HTTPS is properly authenticated, it's important to ensure that CAs only issue certificates that the domain holder has authorized.
Certificate Transparency (CT) is an effort that Google launched in March 2013 to provide a way for site operators and domain holders to detect if a CA has issued any unauthorized or incorrect certificates. It works by providing a mechanism for domain holders, CAs, and the public to log the trusted certificates they encounter or, in the case of CAs, the certificates they issue, to publicly verifiable, append-only, tamper-evident logs. The certificates in these logs can be examined by anyone to ensure the data is correct, accurate, and authorized.
The first version of Certificate Transparency was specified in an IETF experimental RFC, RFC 6962. During the development of Certificate Transparency, Google open-sourced a number of tools, including an open-source log server that can record certificates, as well as tools to create Certificate Transparency logs. In addition, Google Chrome requires that some certificates must be publicly disclosed, such as Extended Validation (EV) certificates or certificates issued by CAs that have improperly issued certificates in the past. From 2018, Chrome will require that all new publicly trusted certificates be disclosed.
As a site operator, you can use Certificate Transparency to detect if unauthorized certificates have been issued for your website. A number of free tools exist to make this easy to do, such as Google's Certificate Transparency Report, Certificate Search, or tools from Facebook. Even if you don't use Certificate Transparency, a number of browsers now check Certificate Transparency regularly to ensure that the CAs your users trust to access your website are adhering to industry requirements and best practices, reducing the risk of fraudulent certificates being issued.
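The append-only, tamper-evident property these logs rely on comes from the Merkle tree construction in RFC 6962 section 2.1. The following is an added example, not code from the whitepaper and not Google's log server: it builds a tiny log from constructed placeholder entries (stand-ins for DER certificates), computes the tree head, derives an inclusion proof for one entry, and verifies that proof the way a browser or monitor checks an audit path against a signed tree head. Key Transparency, discussed later in this document, is built on the same hashing structure.

```python
"""Added example (not from the whitepaper): RFC 6962 Merkle tree hashing,
inclusion-proof generation and verification over a constructed sample log."""
import hashlib


def leaf_hash(entry):
    """Leaves are hashed with a 0x00 prefix (domain separation from nodes)."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left, right):
    """Interior nodes get a 0x01 prefix so a leaf can never pose as a node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n):
    """Largest power of two strictly less than n (n > 1); the RFC's 'k'."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries):
    """MTH(D[n]): SHA-256 of the empty string for an empty log, else recurse."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_path(index, entries):
    """PATH(m, D[n]): sibling hashes from the leaf upward, deepest sibling first."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if index < k:
        return inclusion_path(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_path(index - k, entries[k:]) + [tree_head(entries[:k])]


def root_from_path(leaf, index, tree_size, path):
    """Recompute the root a verifier reaches from a leaf hash and its audit path.
    The last path element is the sibling at the top-level split, so consume
    the path from the end while descending."""
    if tree_size == 1:
        if path:
            raise ValueError("path too long for tree size")
        return leaf
    if not path:
        raise ValueError("path too short for tree size")
    k = split_point(tree_size)
    sibling, rest = path[-1], path[:-1]
    if index < k:
        return node_hash(root_from_path(leaf, index, k, rest), sibling)
    return node_hash(sibling, root_from_path(leaf, index - k, tree_size - k, rest))


def verify_inclusion(entry, index, tree_size, path, root):
    """True iff 'entry' is at 'index' in a tree of 'tree_size' whose head is 'root'."""
    if not 0 <= index < tree_size:
        return False
    try:
        return root_from_path(leaf_hash(entry), index, tree_size, path) == root
    except ValueError:
        return False


# Constructed sample log: placeholder byte strings, not real certificates.
SAMPLE_LOG = [("cert-%d for example.com" % i).encode() for i in range(7)]


def demo(index=5):
    """Prove and verify inclusion of one sample entry against the current head."""
    root = tree_head(SAMPLE_LOG)
    path = inclusion_path(index, SAMPLE_LOG)
    return verify_inclusion(SAMPLE_LOG[index], index, len(SAMPLE_LOG), path, root)
```

A real log serves the path and tree size from its get-proof-by-hash endpoint and signs the head; the verifier's job is exactly `verify_inclusion`, plus checking that signature. Any alteration of a logged entry, its position, or the path changes the recomputed root, which is what makes the log tamper-evident rather than merely trusted.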
Increasing the use of HTTPS
As described in User to Google Front End encryption, we work hard to make sure that our sites and services provide modern HTTPS by default. Our goal is to achieve 100% encryption across our products and services. To this end, we publish an annual HTTPS Transparency Report that tracks our progress towards our goal for all properties, including Google Cloud. We continue to work through the technical barriers that make it difficult to support encryption in some of our products, such as solutions for browsers or other clients that do not support HTTP Strict Transport Security (HSTS). We use HSTS for some of our sites, including the google.com homepage, to allow users to connect to a server only over HTTPS.
We know that the rest of the Internet is working on moving to HTTPS. We try to facilitate this movement in the following ways:
- We provide developers with advice on why HTTPS matters, how to enable HTTPS, and best practices when implementing HTTPS
- We have created tools in Chrome like the Security panel in DevTools to help developers assess the HTTPS status of their site(s)
- We financially support the Let's Encrypt initiative that allows anyone to obtain a free certificate for their website. Google representatives sit on the technical advisory board of Let's Encrypt's parent organization, Internet Security Research Group
In 2016, we began publishing metrics on "HTTPS usage on the Internet" for the Top 100 non-Google sites on the Internet. With these metrics, we aim to increase awareness and help make the Internet a safer place for all users. In October 2017, Chrome formally renewed its financial support of Let's Encrypt as a Platinum sponsor.
Increasing the use of secure SMTP: Gmail indicators
Most email is exchanged using the Simple Mail Transfer Protocol (SMTP) which, by default, sends email without using encryption. To encrypt an email in transit, the mail provider must implement security controls like TLS.
As discussed in User to Google Front End encryption, Gmail uses TLS by default. In addition, Require TLS in Gmail describes how Gmail administrators can enforce the use of TLS protection for incoming and outgoing emails. Like Google's efforts with HTTPS transparency, Gmail provides data on TLS use for incoming emails to Gmail. This data is presented in our Safer Email Transparency Report.
Google, in partnership with the IETF and other industry key players, is leading the development of SMTP STS (since standardized as MTA-STS in RFC 8461). SMTP STS is like HSTS for HTTPS, forcing the use of SMTP over only encrypted, authenticated channels: opportunistic STARTTLS alone can be stripped by an active attacker on the path, and a published policy is what lets the sender detect that.
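What such a policy looks like in practice, as an added example that is not code from the whitepaper nor Gmail's implementation: a sending MTA that sees a `_mta-sts.<domain>` TXT record fetches `https://mta-sts.<domain>/.well-known/mta-sts.txt` and, in enforce mode, refuses to hand mail to an MX that does not match the policy or cannot complete STARTTLS with a valid certificate. The code below parses a constructed policy body and TXT record, applies the RFC 8461 MX matching rules including the single-label wildcard, and makes the delivery decision; `starttls_ok` is the live TLS check that would feed that decision and is not exercised offline.

```python
"""Added example (not from the whitepaper): MTA-STS (RFC 8461) policy parsing,
MX matching and the enforce-mode delivery decision, on constructed inputs."""
import re
import smtplib
import ssl

POLICY_LINE = re.compile(r"^\s*([a-z_]+)\s*:\s*(.*?)\s*$")


def parse_policy(text):
    """Parse a policy body into a dict; raise ValueError for anything a sender
    must treat as an invalid policy (unknown keys are ignored for compatibility)."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_LINE.match(line)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        key, value = m.group(1), m.group(2)
        if key == "mx":
            fields["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in fields:
                raise ValueError("duplicate field: %s" % key)
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    try:
        fields["max_age"] = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("missing or non-numeric max_age")
    # A policy that constrains delivery but names no MX is useless; treat it as invalid.
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("enforce/testing policy must list at least one mx")
    return fields


def parse_txt_record(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') and return the policy id,
    which a cached policy is compared against to decide whether to refetch."""
    kv = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if kv.get("v") != "STSv1" or not kv.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return kv["id"]


def mx_matches(policy, mx_host):
    """RFC 8461 section 4.1: an mx entry matches the host exactly, or, if it
    starts with '*.', matches exactly one additional leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_allowed(policy, mx_host, tls_ok):
    """In enforce mode a non-matching MX or failed TLS/certificate check means
    refuse and queue; testing mode only reports; none imposes nothing."""
    if policy["mode"] != "enforce":
        return True
    return mx_matches(policy, mx_host) and tls_ok


def starttls_ok(mx_host, timeout=10):
    """Live check (network; not run in the sample): EHLO, STARTTLS, and verify the
    chain and hostname against the default trust store."""
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            return True
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return False


# Constructed sample policy; not fetched from any real domain.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
```

The wildcard rule is the part senders most often get wrong: `*.backup.example.com` covers `mx1.backup.example.com` but neither `backup.example.com` itself nor `a.b.backup.example.com`, so a policy author who relies on a wildcard for the apex MX will find mail to that host refused in enforce mode.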
Chrome APIs
In February 2015, Chrome announced that powerful new features will be available only to secure origins. Such features include the handling of private information and access to sensors on a user's device. Starting with geolocation in Chrome 50, we began deprecating these features for insecure origins.
Ongoing Innovation in Encryption in Transit
Chrome Security User Experience
Google Chrome is an industry leader in leveraging its UI to display security information in ways that allow users to quickly understand the safety of their connection to a site. With this information, users can make informed decisions about when and how they share their data. Chrome conducts extensive user research, the results of which are shared in peer-reviewed papers.
To help further protect its users, Chrome has announced that by the end of 2017, it will mark all HTTP connections as non-secure. Starting with Chrome 56, by default, users will see a warning if an HTTP page includes a form with password or credit card fields. With Chrome 62, a warning will be shown when a user enters data on an HTTP page, and for all HTTP pages visited in Incognito mode. Eventually, Chrome will show a warning for all pages that are served over HTTP.
To see how particular configurations are displayed to users in Chrome, you can use the BadSSL tool.
Key Transparency
A significant deterrent to the widespread adoption of message encryption is the difficulty of public key exchange: how can I reliably find the public key for a new user with whom I am communicating? To help solve this issue, in January 2017, Google announced Key Transparency. This is an open framework that provides a generic, secure, and auditable means to distribute public keys. The framework removes the need for users to perform manual key verification. Key Transparency is primarily targeted at the distribution of users' public keys in communications, for example, E2E and OpenPGP email encryption. Key Transparency's design is a new approach to key recovery and distribution and is based on insights gained from Certificate Transparency and CONIKS.
Key Transparency's development is open-source and it is implemented using a large-scale Merkle tree. Key Transparency Verification allows account owners to see what keys have been associated with their accounts and how long an account has been active and stable. The long-term goal of Google's Key Transparency work is to enable anyone to run a Key Transparency server and make it easy to integrate into any number of applications.
Post-quantum cryptography
Google plans to remain the industry leader in encryption in transit. To this end, we have started work in the area of post-quantum cryptography. This type of cryptography allows us to replace existing crypto primitives, which are vulnerable to efficient quantum attacks, with post-quantum candidates that are believed to be more robust. In July 2016 we announced that we had conducted an experiment on the feasibility of deploying such an algorithm by using the New Hope post-quantum crypto algorithm in the developer version of Chrome; the experimental key exchange was run alongside, not instead of, an elliptic-curve key exchange, so that a weakness in the new algorithm could not weaken the connection. In addition to this work, researchers at Google have published papers on other practical post-quantum key-exchange protocols.
Appendix
Read more about Google Cloud Security, including our Infrastructure Security Design Overview, as well as Google Cloud compliance, including the public SOC 3 audit report.
Source: https://cloud.google.com/docs/security/encryption-in-transit