Objective: Implement an encryption at-rest strategy that balances key management complexity and control for sensitive and non-sensitive data, ensuring FIPS 140-2 L1 compliance.
Solution: Use Google default encryption for non-sensitive data and Cloud Key Management Service (KMS) for sensitive data.
Steps:
Step 1: Store non-sensitive data using Google Cloud’s default encryption, which automatically encrypts data at rest without additional configuration.
Step 2: For sensitive data, use Cloud KMS to create and manage encryption keys.
Step 3: Configure key rotation policies for the keys managed by Cloud KMS to meet compliance requirements.
Step 4: Ensure that all data encryption keys used by Cloud KMS comply with FIPS 140-2 Level 1 standards.
By using Google default encryption for non-sensitive data and Cloud KMS for sensitive data, you can manage encryption efficiently while maintaining control over key residency and rotation for sensitive data.
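The four steps above, written out as Terraform. This is an added example and not part of the original page or of Google's documentation; the project ID, region and bucket names are placeholders, and the 90-day rotation period is an assumed value chosen to illustrate the setting. The asymmetry in the configuration is the point: the non-sensitive bucket needs no key resources at all, while the sensitive bucket gets a customer-managed Cloud KMS key with automatic rotation and a software protection level.

```hcl
# Added example (not from the original page). Project, region and bucket
# names are placeholders; replace them for a real deployment.

provider "google" {
  project = "my-project-id" # placeholder
  region  = "us-central1"   # placeholder
}

# Step 1: non-sensitive data. A plain bucket is enough; Google-managed
# default encryption at rest applies automatically with no configuration.
resource "google_storage_bucket" "non_sensitive" {
  name                        = "example-non-sensitive-data" # placeholder
  location                    = "US"
  uniform_bucket_level_access = true
}

# Step 2: sensitive data gets a customer-managed key in Cloud KMS.
# Key residency: the key ring's location must match where the data lives.
resource "google_kms_key_ring" "sensitive" {
  name     = "sensitive-data-keyring"
  location = "us-central1" # placeholder region
}

resource "google_kms_crypto_key" "sensitive" {
  name     = "sensitive-data-key"
  key_ring = google_kms_key_ring.sensitive.id
  purpose  = "ENCRYPT_DECRYPT"

  # Step 3: automatic rotation. Every 90 days (assumed value) KMS creates a
  # new primary key version; older versions stay enabled so existing
  # objects remain decryptable.
  rotation_period = "7776000s"

  # Step 4: SOFTWARE protection level is the software-backed, FIPS 140-2
  # Level 1 option the objective asks for; "HSM" would give Level 3.
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }

  lifecycle {
    prevent_destroy = true # destroying the key makes the data unrecoverable
  }
}

# The Cloud Storage service agent must be allowed to use the key, otherwise
# creating a bucket with a default KMS key fails with a permission error.
data "google_storage_project_service_account" "gcs" {}

resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.sensitive.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

# Sensitive bucket: every new object is encrypted under the CMEK above.
# The bucket region must match the key's region.
resource "google_storage_bucket" "sensitive" {
  name                        = "example-sensitive-data" # placeholder
  location                    = "US-CENTRAL1"
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_crypto_key.sensitive.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}
```

Two practical checks worth keeping in mind with this layout: rotation only changes the key version used for new writes, so do not disable or destroy old versions while objects encrypted under them still exist; and the IAM grant to the Cloud Storage service agent is the step most often missed, which is why the sensitive bucket declares an explicit `depends_on` on it.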
References: Google Cloud Default Encryption; Cloud Key Management Service; FIPS 140-2 Compliance.