Data on backup media
Google also encrypts all data stored on backup media. Backup media, as noted, are the recovery
mechanism used when disk data fails or is corrupted and must be restored, so they are accessed much
less frequently than disks. Each medium contains one or more files, and each medium is protected from
tampering by its own unique 256-bit secret. At backup time, a random seed is created for the medium, and
the KMS is asked to encrypt the per-medium secret with a key known only to the KMS. The resulting
per-medium secret is therefore unique to that medium and is stored only in encrypted form. This secret is
used to detect, and thus reject, any modification of the data held in the backup.
The decryption key for the per-medium secret is known only to the KMS and never leaves it. In addition,
only the backup service has permission to ask the KMS to decrypt a per-medium secret. This provides a
double layer of access control: (1) only authorized personnel and services may read seeds from the
backup system’s database, and (2) a further authorization check is required before such a seed can be
used to ask the KMS to decrypt the per-medium secret. Together these provide a further protection against
modification of data on a backup medium.
In addition, the ciphertext on a backup medium carries no information identifying what that medium
holds: all such information lies inside the encrypted files. Someone who steals a medium in order to
determine what data is stored on it will be unable to do so.
Finally, the backup system can also back up encrypted files for which it cannot read the plaintext. For
such files, it backs up the ciphertext and the wrapped key. At restore time, both are restored, again
without the backup system ever seeing the plaintext.
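The following is an added illustration of the per-medium scheme just described; it is not Google's code, and the real KMS, media format and algorithms are not specified in enough detail to reproduce them. It therefore assumes a toy in-process "KMS" holding a master key that never leaves it, key wrapping built from HMAC-SHA256 in an encrypt-then-MAC construction (a stand-in for AES-GCM or a similar AEAD), an HMAC over each stored file as the tamper check, and an authorization list in which only a caller named "backup-service" may ask for a per-medium secret to be unwrapped. The sample files are constructed random bytes standing in for ciphertext and wrapped keys that the backup path cannot read.

```python
import hmac
import hashlib
import os

KEY_LEN = 32                                  # assumption: 256-bit secrets, as in the text
AUTHORIZED_UNWRAPPERS = {"backup-service"}    # assumption: the only caller allowed to unwrap


class ToyKms:
    """Stand-in for the KMS: the master key is created here and never exported."""

    def __init__(self):
        master = os.urandom(KEY_LEN)
        # Separate subkeys for the keystream and the integrity tag (domain separation).
        self._enc = hmac.new(master, b"wrap-enc", hashlib.sha256).digest()
        self._mac = hmac.new(master, b"wrap-mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def wrap(self, secret):
        """Encrypt-then-MAC a per-medium secret; returns nonce || body || tag."""
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        tag = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unwrap(self, caller, blob):
        """Second authorization layer: holding the wrapped seed is not enough to use it."""
        if caller not in AUTHORIZED_UNWRAPPERS:
            raise PermissionError("%s may not unwrap per-medium secrets" % caller)
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped secret has been tampered with")
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))


def _entry_tag(secret, ciphertext, wrapped_key):
    # Length-prefix the ciphertext so (ct, key) pairs cannot be re-split ambiguously.
    msg = len(ciphertext).to_bytes(8, "big") + ciphertext + wrapped_key
    return hmac.new(secret, msg, hashlib.sha256).digest()


def write_medium(kms, files):
    """Back up already-encrypted files: fresh per-medium secret, one tag per file,
    the secret kept only in wrapped form. The record holds no file names or plaintext."""
    secret = os.urandom(KEY_LEN)
    entries = [(ct, wk, _entry_tag(secret, ct, wk)) for ct, wk in files]
    return {"wrapped_secret": kms.wrap(secret), "entries": entries}


def restore_medium(kms, caller, record):
    """Unwrap via the KMS (authorization enforced there), then verify every file."""
    secret = kms.unwrap(caller, record["wrapped_secret"])
    restored = []
    for ct, wk, tag in record["entries"]:
        if not hmac.compare_digest(tag, _entry_tag(secret, ct, wk)):
            raise ValueError("backup medium was modified")
        restored.append((ct, wk))
    return restored


def run_demo():
    kms = ToyKms()
    # Constructed input: (ciphertext, wrapped data key) pairs; plaintext never appears here.
    files = [(os.urandom(64), os.urandom(48)), (os.urandom(200), os.urandom(48))]
    record = write_medium(kms, files)
    results = {"restored_ok": restore_medium(kms, "backup-service", record) == files}
    # Flip one ciphertext byte on the medium: the per-medium tag catches it.
    ct, wk, tag = record["entries"][0]
    damaged = dict(record)
    damaged["entries"] = [(bytes([ct[0] ^ 1]) + ct[1:], wk, tag)] + record["entries"][1:]
    try:
        restore_medium(kms, "backup-service", damaged)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # A service that can read the wrapped seed from the database still cannot use it.
    try:
        restore_medium(kms, "reporting-service", record)
        results["unauthorized_rejected"] = False
    except PermissionError:
        results["unauthorized_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note the two checks on the restore path: the KMS refuses callers outside its authorization list even when they present a valid wrapped secret, and a single flipped byte in any stored file fails the per-medium tag, so a modified medium is rejected rather than silently restored.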
Encryption of data in transit
As we’ve shown, Google Workspace encrypts customer data stored at rest on both disks and backup
media. But we also want to protect your information while it is en route from one machine to another or
from one data center to another, so that these transmissions remain protected even if they are
intercepted. Data in transit may be traveling over the Internet between the customer and Google, or
moving within Google as it shifts from one data center to another.
Data traveling over the Internet
When you use a Google service, your information travels over the Internet between your browser,
Google’s servers, and, sometimes, non-Google users you are communicating with. In these scenarios,
encryption prevents attackers who eavesdrop on Internet connections from reading sensitive content
such as your credentials, emails and other personal data.