With GDPR (General Data Protection Regulation) going into effect tomorrow, I am wondering whether Google encrypts data in their Datastore indexes on GAE. I know that they encrypt data stored in entities but it isn't clear that they encrypt the data in indexes. I can't imagine that this is even possible given that queries would never be able to run on encrypted data. If the indexed data is not encrypted, would this not be considered to make GAE non-compliant with GDPR?
3 Answers
I'm reasonably certain they don't actually. The HIPAA compliance guide specifically instructs you to encrypt PHI before using it as an index key. Here's the full text:
When creating or configuring indexes in Google Cloud Datastore, encrypt any PHI, security credentials, or other sensitive data, before using it as the entity key, indexed property key, or indexed property value for the index. See the Cloud Datastore documentation for information on creating and/or configuring indexes.
I'm assuming this means you need to do your own encryption here, otherwise I'm not sure why they'd mention it. And no, I don't know how a meaningful database index can be built from encrypted data.
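An added example, not part of any answer here and not Google's code: one common way to keep equality queries working when an indexed value has to be protected is to index a keyed HMAC token (a "blind index") and keep the ciphertext in an unindexed property. `ToyStore`, the property names and the demo key are assumptions made for illustration; the token is a keyed hash rather than encryption, and it supports equality lookups only.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict


def blind_index(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for equality lookups on a protected value.

    Equal inputs give equal tokens, so the index still reveals which
    entities share a value; range and prefix queries are not possible.
    """
    canon = unicodedata.normalize("NFKC", value).strip().casefold()
    # Bind the token to the field name so equal values stored in
    # different properties do not produce equal tokens.
    msg = field.encode("utf-8") + b"\x00" + canon.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ToyStore:
    """In-memory stand-in for a datastore with an equality index (hypothetical)."""

    def __init__(self):
        self.entities = {}
        self.index = defaultdict(set)  # (property, value) -> entity ids

    def put(self, entity_id, indexed, unindexed):
        self.entities[entity_id] = {**indexed, **unindexed}
        for prop, val in indexed.items():
            self.index[(prop, val)].add(entity_id)

    def query_eq(self, prop, val):
        return sorted(self.index.get((prop, val), set()))


def demo():
    key = bytes(range(32))  # constructed demo key; load a real one from a secret manager
    store = ToyStore()
    patients = {"p1": "Alice@Example.com", "p2": "bob@example.com"}  # constructed sample data
    for pid, email in patients.items():
        store.put(pid,
                  indexed={"email_bidx": blind_index(key, "email", email)},
                  unindexed={"email_ct": b"<ciphertext produced by your AEAD>"})
    hit = store.query_eq("email_bidx", blind_index(key, "email", " alice@example.com"))
    wrong_key = store.query_eq("email_bidx", blind_index(b"\x01" * 32, "email", "alice@example.com"))
    leaked = [v for (_, v) in store.index if "example.com" in v]  # plaintext in the index?
    return hit, wrong_key, leaked
```
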
Google encrypts and authenticates all data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google. It also has 7 layer type of data encryption. More information about Encryption in Transit can be found here. There's also the Server-Side Encryption in Datastore.
All data in Cloud Datastore is encrypted at rest as documented at https://cloud.google.com/datastore/docs/concepts/encryption-at-rest .