Storing Sensitive Files on Google Cloud Storage Question

K

koeks525

Executive Member
Joined
Jul 14, 2012
Messages
6,013
Reaction score
1,199
Location
Canada
Hi Everyone

Been thinking about this for a bit. If you have a use-case, where you need to store sensitive files (example: statements, medical records, etc.) for your application, is there a need to do any extra "legwork" before sending the file over to one's Google Cloud Storage bucket? This extra legwork being encrypting the file on your server before sending it over, or supplying your own encryption keys before sending the file over to Google?

I been looking around and it seems like Google does encrypt files by default, and they do provide mechanisms for supplying your own encryption keys: Data encryption options | Cloud Storage | Google Cloud

EDIT: This makes me think I could perform client-side encryption before sending the files over to Google Cloud Storage. I also wonder whether this might be too overkill? It also makes me think one would need to zone-in on the service account used to access Google Services (i.e.: ensure the account only has the minimum required roles/permissions to do what it needs to do). Is this thinking correct?

Has anyone here had to store sensitive files/documents on any cloud storage provider? If so, how did you handle storing the file(s) in a secure manner?
 
Last edited:
Using any default encryption provided by Cloud storage means anyone with enough access to the storage medium, will have enough access to download the data unencrypted.. so right there default encryption is out, if you have any concerns around who has access or about access credentials potentially being leaked/stolen..

Client side encryption is more secure, provided you keep encryption keys stored safely..
 
I'm not sure about security as it should be encrypted. But I guess once they in your account they can do whatever. Also I'm pretty sure Google themselves is enjoying the data.... anonymously of course. Could always zip it. Or use an encrypted folder.

Just make sure you do have an offline or backup somewhere else aswell.
 
RedViking said:
I'm not sure about security as it should be encrypted. But I guess once they in your account they can do whatever. Also I'm pretty sure Google themselves is enjoying the data.... anonymously of course. Could always zip it. Or use an encrypted folder.

Just make sure you do have an offline or backup somewhere else aswell.
Click to expand...
Welcome back :)
 
koeks525 said:
Hi Everyone

Been thinking about this for a bit. If you have a use-case, where you need to store sensitive files (example: statements, medical records, etc.) for your application, is there a need to do any extra "legwork" before sending the file over to one's Google Cloud Storage bucket? This extra legwork being encrypting the file on your server before sending it over, or supplying your own encryption keys before sending the file over to Google?

I been looking around and it seems like Google does encrypt files by default, and they do provide mechanisms for supplying your own encryption keys: Data encryption options | Cloud Storage | Google Cloud

EDIT: This makes me think I could perform client-side encryption before sending the files over to Google Cloud Storage. I also wonder whether this might be too overkill? It also makes me think one would need to zone-in on the service account used to access Google Services (i.e.: ensure the account only has the minimum required roles/permissions to do what it needs to do). Is this thinking correct?

Has anyone here had to store sensitive files/documents on any cloud storage provider? If so, how did you handle storing the file(s) in a secure manner?
Click to expand...
PornHub is better for all the porn
 
koeks525 said:
Hi Everyone

Been thinking about this for a bit. If you have a use-case, where you need to store sensitive files (example: statements, medical records, etc.) for your application, is there a need to do any extra "legwork" before sending the file over to one's Google Cloud Storage bucket? This extra legwork being encrypting the file on your server before sending it over, or supplying your own encryption keys before sending the file over to Google?

I been looking around and it seems like Google does encrypt files by default, and they do provide mechanisms for supplying your own encryption keys: Data encryption options | Cloud Storage | Google Cloud

EDIT: This makes me think I could perform client-side encryption before sending the files over to Google Cloud Storage. I also wonder whether this might be too overkill? It also makes me think one would need to zone-in on the service account used to access Google Services (i.e.: ensure the account only has the minimum required roles/permissions to do what it needs to do). Is this thinking correct?

Has anyone here had to store sensitive files/documents on any cloud storage provider? If so, how did you handle storing the file(s) in a secure manner?
Click to expand...

Zip file with a password will keep your stuff somewhat okay.
You can always go full client-side encryption but might be overkill IMO
 
I organised a backup system for a bookshop. The files were ZIPped using a password relating to the date and this file uploaded to Google

it's worked fine for 13 years. It's been necessary to retrieve older files a few times and it always works well

Not really expensive
 
koeks525 said:
Hi Everyone

Been thinking about this for a bit. If you have a use-case, where you need to store sensitive files (example: statements, medical records, etc.) for your application, is there a need to do any extra "legwork" before sending the file over to one's Google Cloud Storage bucket? This extra legwork being encrypting the file on your server before sending it over, or supplying your own encryption keys before sending the file over to Google?

I been looking around and it seems like Google does encrypt files by default, and they do provide mechanisms for supplying your own encryption keys: Data encryption options | Cloud Storage | Google Cloud

EDIT: This makes me think I could perform client-side encryption before sending the files over to Google Cloud Storage. I also wonder whether this might be too overkill? It also makes me think one would need to zone-in on the service account used to access Google Services (i.e.: ensure the account only has the minimum required roles/permissions to do what it needs to do). Is this thinking correct?

Has anyone here had to store sensitive files/documents on any cloud storage provider? If so, how did you handle storing the file(s) in a secure manner?
Click to expand...

The bolded bit should ALWAYS be applied. It's a cornerstone of security - the principle of least privilege.

This why IaC (Infrastructure as code) is pretty important IMO - it makes this much easier to maintain
 
Thanks everyone for the answers. I know my question was a simple question, but it did have me thinking for a bit. Yes, will also make sure my Google Service Account only has the minimum required roles and permissions.
WAslayer said:
Using any default encryption provided by Cloud storage means anyone with enough access to the storage medium, will have enough access to download the data unencrypted.. so right there default encryption is out, if you have any concerns around who has access or about access credentials potentially being leaked/stolen..

Client side encryption is more secure, provided you keep encryption keys stored safely..
Click to expand...
Thanks! Will proceed with using client-side encryption to encrypt the file before sending it my Google Cloud Storage bucket
 
There are multiple levels of encryption, both at rest and in transit, by default in GCP, starting at the hardware level and going up. The issue is that the keys are controlled by GCP, who can access you data in a "break glass" situation. This may be acceptable for some, but not all, for example, if your data contains personal data of data subjects in Europe, it is inadequate.
It is best to always use your own encryption, at rest and in transit, where you control access to the keys.
 
Cryptomator

As said above, also keep a separate backup. Preferably one which is stored in your cupboard and away from threats of ransomware.
 
koeks525 said:
Thanks everyone for the answers. I know my question was a simple question, but it did have me thinking for a bit. Yes, will also make sure my Google Service Account only has the minimum required roles and permissions.

Thanks! Will proceed with using client-side encryption to encrypt the file before sending it my Google Cloud Storage bucket
Click to expand...
Use PgP with your own keys - can be automated on both Windows and Linux.

Whatever you do, make sure Google drive isn't your only backup.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X