How is data encrypted at rest on GCP as of 2020?

While @gitlab-greg already answered conceptually, how are you encrypting all the storage?

I guess you have two kinds of persistent storage on GCP: Persistent Disk and Cloud Storage.

For each of the two kinds of storage,

  1. Are you using Google-managed keys, GitLab (company)-managed keys (via Cloud KMS), or company-supplied keys (meaning outside of GCP)?
  2. Are you using GCM mode for these protocols, unlike CTC or CTR?
  3. (If you are using Google-managed keys) is this 256-bit or 128-bit AES? (128-bit is enforced when using Standard Persistent Disk)

Hi @tnir, good questions!

Our encryption at rest uses Google Cloud Platform’s (GCP) encryption at rest by default.

The AES 256 algorithm is being used, and the encryption key is managed by GitLab and deployed through the GCP Key Management System. Also, this key is set for auto rotation.

All data within GCP is encrypted in transit by default, utilizing TLS 1.2.

If you have any more specific questions, we would be happy to help track down some answers.
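
The key-management question in this thread (Google-managed, Cloud KMS, or customer-supplied keys, and whether rotation is on) can be checked against resource metadata. The following is an added example, not part of the original posts and not GitLab's tooling. It assumes the JSON shapes of the Compute Engine disk, Cloud Storage bucket and Cloud KMS CryptoKey resources; all project, key and resource names are constructed.

```python
"""Classify GCP storage resources by who manages the encryption key.
Field names follow the public REST resources; sample values are constructed."""

GOOGLE, CMEK, CSEK = "google-managed", "cmek (Cloud KMS)", "csek (customer-supplied)"

def classify_disk(disk: dict) -> str:
    key = disk.get("diskEncryptionKey") or {}
    if key.get("kmsKeyName"):
        return CMEK
    if key.get("sha256") or key.get("rawKey"):
        return CSEK  # only a hash of the supplied key is stored
    return GOOGLE    # no key block: default Google-managed encryption

def classify_bucket(bucket: dict) -> str:
    # Buckets record only a default KMS key; customer-supplied keys are
    # sent per object request and never appear in bucket metadata.
    enc = bucket.get("encryption") or {}
    return CMEK if enc.get("defaultKmsKeyName") else GOOGLE

def rotation_enabled(crypto_key: dict) -> bool:
    # Automatic rotation needs both a period and a scheduled next rotation.
    return bool(crypto_key.get("rotationPeriod") and crypto_key.get("nextRotationTime"))

def key_resource(name: str) -> str:
    # Disks report the key *version* in use; strip it to get the CryptoKey name.
    return name.split("/cryptoKeyVersions/")[0]

def audit(disks, buckets, keys):
    """Return (resource name, key type, key auto-rotates) for every resource."""
    rotating = {k["name"] for k in keys if rotation_enabled(k)}
    report = []
    for d in disks:
        kms = (d.get("diskEncryptionKey") or {}).get("kmsKeyName", "")
        report.append((d["name"], classify_disk(d), key_resource(kms) in rotating))
    for b in buckets:
        kms = (b.get("encryption") or {}).get("defaultKmsKeyName", "")
        report.append((b["name"], classify_bucket(b), key_resource(kms) in rotating))
    return report

# Constructed sample data (shape of `gcloud ... --format=json` output).
KEY = "projects/example-proj/locations/us-east1/keyRings/example-ring/cryptoKeys/example-key"
SAMPLE_KEYS = [{"name": KEY, "rotationPeriod": "7776000s",
                "nextRotationTime": "2020-09-01T00:00:00Z"}]
SAMPLE_DISKS = [
    {"name": "disk-cmek", "diskEncryptionKey": {"kmsKeyName": KEY + "/cryptoKeyVersions/3"}},
    {"name": "disk-csek", "diskEncryptionKey": {"sha256": "<constructed-hash>"}},
    {"name": "disk-default"},
]
SAMPLE_BUCKETS = [{"name": "bucket-cmek", "encryption": {"defaultKmsKeyName": KEY}},
                  {"name": "bucket-default"}]

if __name__ == "__main__":
    for row in audit(SAMPLE_DISKS, SAMPLE_BUCKETS, SAMPLE_KEYS):
        print(row)
```

A resource that reports a KMS key but `False` in the last column is customer-managed without automatic rotation, which is the gap this kind of audit is meant to surface.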


Thanks. How about within Cloudflare and between it and GCP?

Ping @gitlab-greg