Two new Google Cloud encryption tools will let users “deny Google the ability to decrypt your data for any reason” – and let customers create, use and store their own encryption keys outside of GCP’s infrastructure.

(Azure lets customers “bring your own key”, or BYOK, but it must be stored in Azure Key Vault. To use an Hardware Security Module-protected key, customers have to fork out for a premium service tier. With AWS, BYOK is also possible, but storage is via AWS’s key management service).

The external key manager programme and complementary “key access justifications” toolkit are coming to beta and alpha releases “soon” GCP said, without naming a specific date – suggesting work is still ongoing to finesse the offering; which will initially just be available for two GCP services.

The New Google Cloud Encryption Tools

External Key Manager

The first of the two is an external key manager offering, dubbed – unsurprisingly – “External Key Manager”.

This lets users encrypt data in the cloud provider’s BigQuery and Compute Engine, with encryption keys stored and managed in a third-party key management system deployed outside Google’s infrastructure.

GCP is teaming up with five key management vendors to launch the offering: EquinixFortanixIonicThales and Unbound, it said.

Read this: This Old Brewery Hides Three Data Centres, 90 ISPs and 14 Generators: We Paid a Visit to Learn More

The launch comes as many cloud users remain sceptical about the security of cloud services and indeed, of the cloud providers themselves: co-location data centres like Interxion and Equinix typically already provide “key guardian” services – hosted Hardware Security Module (HSM) units so customers can manage their cryptographic keys on-site – and facilitating tighter integrations with cloud-hosted data or infrastructure is a logical next step.

Key Access Justifications

The second new offering, Key Access Justifications provides a “detailed justification each time one of your keys is requested to decrypt data, along with a mechanism for you to explicitly approve or deny providing the key using an automated policy that you set.”

Key Access Justifications is coming “soon” to alpha for BigQuery, and Compute Engine/Persistent Disk and covers the transition from data-at-rest to data-in-use, GCP said, with early adopters able to sign up here.

The company has promised further technical details and Computer Business Review will update this piece when we see them.

BYOK and increasingly customisable encryption offerings are increasingly popular and both SaaS and IaaS vendors are racing to provide more offerings.

Slack in March announced that it would let customers bring their own encryption keys, while MongoDB earlier this year trumpeted its new “Field Level Encryption” that lets users encrypt specific database fields with their own key, whilst allowing application code to run unmodified for most database read and write operations so devs don’t need to modify their query code.

Read this: Field Level Encryption: A Database Security Game-Changer?