It makes little sense in this day and age to have encryption without also having one's own keys, and almost all the major cloud providers -- from Amazon to Microsoft -- have fallen line to provide BYOK (bring your own key) encryption.
The only straggler has been Google, which today added a beta preview of BYOK to Google Compute Engine. Google claims its solution covers more functionality and use cases, but that by itself won't put Google ahead of the curve.
Encrypt all the things
Customer-Supplied Encryption Keys, as outlined in a Google blog post, allows customers to generate and use their own encryption keys with Compute Engine. Data volumes, boot disks, and SSDs are all protected -- in short, "all forms of data at rest ... unlike many solutions," Google says.
There's a germ of truth in this statement. In Microsoft's Azure Rights Management BYOK program, keys brought there by the customer don't work with Exchange Online; only Microsoft-generated keys work for that service. That said, Microsoft has hinted this isn't a permanent state of affairs, although there's no timetable for when BYOK will work for Exchange Online.
Google also claims that no additional performance overhead is imposed by using a customer-supplied key, since it already uses at-rest encryption -- albeit with keys generated by Google. Swapping in a customer-generated key allegedly adds no performance penalty.
Missing keys remain
Also, Google charges no additional fees for its service. However this means little, since neither Azure nor Amazon charge extra for BYOK, at least when encrypting storage at rest rather than compute resources. (Google claims it is first to provide BYOK for compute.)
What's more, Azure and Amazon both offer a feature Google doesn't yet have in its portfolio: a cloud-based key management system. Azure offers Azure Key Vault, while Amazon has its Key Management Service.
A common narrative about encryption in the cloud is that it builds trust with those wary of storing their data on third-party turf. BYOK and at-rest encryption are not the only way to build that trust, though. Microsoft's Customer Lockbox for Office 365, for instance, uses a transparent, multistep process to permit Microsoft to access customer data when needed.
These features aren't substitutes for a BYOK program, but they address an aspect of customer wariness that doesn't typically come up, namely how data can be accessed, who has control over it, and so on. In the long run, such functions might be worth providing as standard cloud-platform features, alongside at-rest encryption, so cloud customers can leverage them for themselves or deliver them for others.
As a beta, Google's Customer-Supplied Encryption Keys comes plastered with warnings in the documentation: "This feature is not covered by any SLA or deprecation policy and may be subject to backward-incompatible changes." It's also currently curtailed by geography and a few technical limitations, such as only newly created persistent disks -- not existing ones -- can be encrypted with user keys.
[Addendum: Leonard Law, product manager, of Google Cloud Platform contacted us to further clarify that what Google offers is encryption for compute resources, rather than encryption for storage alone. The article has been edited to clarify this.]