How is gitlab.com encrypted on GCP at rest as of 2020?

tnir · June 12, 2020, 11:53pm

While @gitlab-greg already answered conceptually, how all the storages are you encrypting?

I guess you have two kinds of Persistent Disk and Cloud Storage as persistent storage on GCP.

Per two kinds of storage,

are you using Google-managed keys? or GitLab(company)-managed keys (via Cloud KMS), or company-supplied keys (meaning outside of GCP)?
are you using GCM mode for these protocols unlike CTC or CTR?
(if are you using Google-managed keys) is this 256-bit or 128-bit AES? (128-bit is enforced when using Standard Persistent Disk)

gitlab-greg · June 17, 2020, 11:36pm

Hi @tnir, good questions!

Our Encryption at rest is using Google Cloud Platform’s (GCP) encryption at rest by default.

The AES 256 algorithm is being used and the encryption key is managed by GitLab and deployed through GCP Key management system. Also this key is set for auto rotation.

All data within GCP is encrypted in transit by default, utilizing TLS 1.2.

If you have any more specific questions we would be happy to help track down some answers

tnir · June 19, 2020, 3:54pm

Thanks. How about within Cloudflare and between it and GCP?

tnir · July 2, 2020, 12:39pm

Ping @gitlab-greg