Google adds server-side encryption to cloud storage

Google, citing customer demand, has added server-side encryption to its growing cloud storage product, according to the Google Cloud Platform blog on Thursday. Data is automatically encrypted before it writes to disk and is likewise automatically decrypted when accessed by an authorized user, Google said.
Here’s the gist:

“Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner. These keys are additionally encrypted by one of a regularly rotated set of master keys. Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”

The new (free) service is now being applied to all new data written to Google cloud storage and to existing objects when overwritten. Older objects will be encrypted going forward.
Google started testing server-side encryption last month. Given the hoopla around government data scooping related to the PRISM program, and concern that U.S. cloud vendors have let the NSA gain access to customer data, encryption is becoming a bigger deal. It’s clear that these vendors are feeling the heat from these disclosures — Vint Cerf, the internet pioneer who is now with Google, was among a group of industry poohbahs who met with President Obama ostensibly to discuss their concerns about PRISM’s impact on their businesses last week.

Amazon Web Services (s amzn) has offered 256-bit Advanced Encryption Standard (AES-256) on its S3 storage service since late 2011..

Here’s what I don’t get — and please comment below — if the vendor holds and manages the encryption keys, doesn’t that mean it could hand them over to the government as well the data they protect? (Be nice, I’m no security expert.)
Update: A Google spokeswoman wrote in to say:

“We don’t provide our encryption keys to any government. We believe we’re an industry leader in providing strong encryption, along with other security safeguards and tools.
In general, regarding government requests – We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process. When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.”

Given the comments on this and related stories, the problem is that users don’t necessarily buy what either the government or vendors are saying regarding data sharing.
This story was upated at 11:57 a.m. PDT August 15 with Google comment.