Cloud Spanner, Google’s relational database, now supports the use of customer-managed encryption keys. This is necessary for certain customers to comply with local data laws.

By default, Cloud Spanner already encrypts data sent to and from Google’s database and also encrypts data at rest. For this, the company uses encryption keys that are managed by Google. However, the company says that customers in regulated industries such as financial services, healthcare, life sciences and telecoms must manage their own encryption keys to comply with legislation.

Customer-managed encryption keys

Therefore, Google has added customer-managed encryption keys (CMEK) to Spanner. Customers can now use CMEK to manage their own encryption keys in Cloud Key Management Service (KMS). With their own keys, customers can meet the highest levels of security and compliance. Database backups can also be protected with these keys. There is also support for VPC Service Controls and certifications for ISO 27001, 27017, 27018, PCI DSS, SOC 1, 2 and 3, HIPAA and FedRAMP.

Access approval

Another new feature in Spanner is support for Access Approval. When this feature is enabled, support staff must first receive explicit permission from the data owner before accessing the data. This is in addition to the existing Access Transparency, where all the actions of Google employees in a database are logged. Access Approval will also give users an overview of the status of past permissions that were given to Google employees.

Cloud Spanner

Cloud Spanner is the commercial counterpart to the relational database that the company itself uses for its consumer services. By default, the system uses SQL syntax and features with SLAs promising no more than an hour of downtime per year. The system already offered integration with Cloud KMS, with support for a handful of popular cryptographic protocols. Within Cloud KMS, cybersecurity teams can generate new keys, delete existing ones, and automatically generate new keys for sensitive applications as needed. The keys can be used to encrypt both the data in Cloud Spanner and its backups.


CMEK for Cloud Spanner is now available. A database with CMEK functionality is charged in the same way as other Spanner databases. However, there is a charge for using Cloud KMS when Spanner uses a key. Google expects the cost to be minimal. More information can be found in Google’s announcement.