Google Compute Engine now lets you bring your own encryption keys, free of charge

Google today announced that its cloud-infrastructure service, Google Compute Engine, now permits users to encrypt data with their own keys.

The feature, officially named Customer-Supplied Encryption Keys, is available for free in beta in Canada, France, Germany, Japan Taiwan, the United Kingdom, and the U.S.

“You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys,” Google product manager Leonard Law wrote in a blog post today. “Google does not retain your keys, and only holds them transiently in order to fulfill your request.”

Amazon Web Services, the biggest cloud infrastructure provider, introduced bring-your-own-key capability for its S3 storage service last year. Google’s announcement today is different in the sense that it’s enabling customers to use their own encryption keys for compute resources such as virtual machines.

Meanwhile, cloud providers offer full-featured key storage services. Microsoft’s Azure has Key Vault; Amazon has CloudHSM. Even cloud file syncing and sharing company Box earlier this year announced the Enterprise Key Management service.

Google isn’t advancing that far today. But it is giving current and prospective customers more options.

Update on August 1, 2016: This feature has now launched out of beta and is generally available, according to a blog post today from Google product managers Maya Kaczorowski and Eric Bahna. Documentation is here.