AEAD encryption concepts

GoogleSQL for BigQuery supports Authenticated Encryption with Associated Data (AEAD) encryption.

This topic explains the concepts behind AEAD encryption in GoogleSQL. For a description of the different AEAD encryption functions that GoogleSQL supports, see AEAD encryption functions.

Purpose of AEAD encryption

BigQuery keeps your data safe by using encryption at rest. BigQuery also provides support for customer-managed encryption keys (CMEKs), which lets you encrypt tables using specific encryption keys. In some cases, however, you may want to encrypt individual values within a table.

For example, you want to keep data for all of your own customers in a common table, and encrypt each of your customers' data using a different key. Or you have data spread across multiple tables that you want to be able to "crypto-delete". Crypto-deletion, or crypto-shredding, is the process of deleting an encryption key to render unreadable any data encrypted using that key.

AEAD encryption functions allow you to create keysets that contain keys for encryption and decryption, use these keys to encrypt and decrypt individual values in a table, and rotate keys within a keyset.

Keysets

A keyset is a collection of cryptographic keys, one of which is the primary cryptographic key and the rest of which, if any, are secondary cryptographic keys. Each key encodes an algorithm for encryption or decryption; whether the key is enabled, disabled, or destroyed; and, for non-destroyed keys, the key bytes themselves. The primary cryptographic key determines how to encrypt input plaintext. The primary cryptographic key can never be in a disabled state. Secondary cryptographic keys are only for decryption and can be either in an enabled or disabled state. A keyset can be used to decrypt any data that it was used to encrypt.

The representation of a keyset in GoogleSQL is a serialized google.crypto.tink.Keyset protocol buffer in BYTES.

Example

The following is an example of an AEAD keyset, represented as a JSON string, with three keys.

{
  "primaryKeyId": 569259624,
  "key": [
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
        "value": "GiDPhTp5gIhfnDb6jfKOT4SmNoriIJc7ah8uRvrCpdNihA==",
        "keyMaterialType": "SYMMETRIC"
      },
      "status": "ENABLED",
      "keyId": 569259624,
      "outputPrefixType": "TINK"
    },
    {
      "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
        "value": "GiBp6aU2cFbVfTh9dTQ1F0fqM+sGHXc56RDPryjAnzTe2A==",
        "keyMaterialType": "SYMMETRIC"
      },
      "status": "DISABLED",
      "keyId": 852264701,
      "outputPrefixType": "TINK"
    },
    {
      "status": "DESTROYED",
      "keyId": 237910588,
      "outputPrefixType": "TINK"
    }
  ]
}

In the above example, the primary cryptographic key has an ID of 569259624 and is the first key listed in the JSON string. There are two secondary cryptographic keys, one with ID 852264701 in a disabled state, and another with ID 237910588 in a destroyed state. When an AEAD encryption function uses this keyset for encryption, the resulting ciphertext encodes the primary cryptographic key's ID of 569259624.

When an AEAD function uses this keyset for decryption, the function chooses the appropriate key for decryption based on the key ID encoded in the ciphertext; in the example above, attempting to decrypt using either key ID 852264701 or 237910588 would result in an error, because key ID 852264701 is disabled and ID 237910588 is destroyed. Restoring key ID 852264701 to an enabled state would render it usable for decryption.
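To make the key-selection rule above concrete, here is an added Go example (not code from the page or from Tink itself) that parses the keyset JSON shown above, builds the 5-byte TINK output prefix (0x01 followed by the big-endian key ID, Tink's convention for the TINK prefix type) and applies the page's rule that only an ENABLED key named in the ciphertext prefix may decrypt. The embedded copy of the keyset omits the key material, and the other JSON fields are ignored when parsing.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
)
// Keyset keeps only the Tink Keyset fields that drive key selection (keyData is ignored).
type Keyset struct {
	PrimaryKeyID uint32 `json:"primaryKeyId"`
	Key          []struct {
		Status string `json:"status"`
		KeyID  uint32 `json:"keyId"`
	} `json:"key"`
}

// exampleKeyset is the page's three-key keyset with the key material omitted.
const exampleKeyset = `{"primaryKeyId":569259624,"key":[
 {"status":"ENABLED","keyId":569259624},
 {"status":"DISABLED","keyId":852264701},
 {"status":"DESTROYED","keyId":237910588}]}`
func loadKeyset(js string) (*Keyset, error) {
	var ks Keyset
	err := json.Unmarshal([]byte(js), &ks)
	return &ks, err
}

// tinkPrefix: the 5-byte TINK output prefix, 0x01 then the key ID as a big-endian uint32.
func tinkPrefix(keyID uint32) []byte {
	p := []byte{0x01, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(p[1:], keyID)
	return p
}

// selectKey applies the page's rule: the key named in the prefix must exist and be ENABLED.
func selectKey(ks *Keyset, ct []byte) (uint32, error) {
	if len(ct) < 5 || ct[0] != 0x01 {
		return 0, fmt.Errorf("ciphertext lacks a TINK prefix")
	}
	id := binary.BigEndian.Uint32(ct[1:5])
	for _, k := range ks.Key {
		if k.KeyID == id && k.Status == "ENABLED" {
			return id, nil
		} else if k.KeyID == id { // DISABLED or DESTROYED: error, as on the page
			return 0, fmt.Errorf("key %d is %s and cannot decrypt", id, k.Status)
		}
	}
	return 0, fmt.Errorf("no key with ID %d in keyset", id)
}
```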

The key type determines the encryption mode to use with that key.

Encrypting plaintext more than once using the same keyset generally returns different ciphertext values due to different initialization vectors (IVs), which are chosen using the pseudo-random number generator provided by OpenSSL.

Note: If you attempt to pass keysets in plaintext as part of queries, the query text may be logged, and with it the plaintext keyset. You can use BigQuery's parameterized queries to avoid logging the plaintext keyset.

Wrapped keysets

If you need to securely manage a keyset or transmit it over an untrusted channel, consider using a wrapped keyset. When you wrap a raw keyset, this process encrypts the raw keyset using a Cloud KMS key.

Wrapped keysets can encrypt and decrypt data without exposing the keyset data. While there might be other ways to restrict access to field-level data, wrapped keysets provide a more secure mechanism for keyset management compared to raw keysets.

As with keysets, wrapped keysets can, and should, be periodically rotated. Wrapped keysets are used in AEAD envelope encryption functions.

Here are some functions with wrapped keyset examples:

Advanced Encryption Standard (AES)

AEAD encryption functions use Advanced Encryption Standard (AES) encryption. AES encryption takes plaintext as input, along with a cryptographic key, and returns an encrypted sequence of bytes as output. This sequence of bytes can later be decrypted using the same key as was used to encrypt it. AES uses a block size of 16 bytes, meaning that the plaintext is treated as a sequence of 16-byte blocks. The ciphertext will contain a Tink-specific prefix indicating the key used to perform the encryption. AES encryption supports multiple block cipher modes.

Block cipher modes

Two block cipher modes supported by AEAD encryption functions are GCM and CBC.

GCM

Galois/Counter Mode (GCM) is a mode for AES encryption. The function numbers blocks sequentially, and then combines this block number with an initialization vector (IV). An initialization vector is a random or pseudo-random value that forms the basis of the randomization of the plaintext data. Next, the function encrypts the combined block number and IV using AES. The function then performs a bitwise logical exclusive or (XOR) operation on the result of the encryption and the plaintext to produce the ciphertext. GCM mode uses a cryptographic key of 128 or 256 bits in length.

CBC mode

CBC "chains" blocks by XORing each block of plaintext with the previous block of ciphertext prior to encrypting it. CBC mode uses a cryptographic key of either 128, 192, or 256 bits in length. CBC uses a 16-byte initialization vector as the initial block and XORs this block with the first plaintext block.

CBC mode isn't an AEAD scheme in the cryptographic sense as it doesn't provide data integrity; in other words, malicious modifications to the encrypted data will not be detected, which compromises data confidentiality as well. CBC is therefore not recommended unless necessary for legacy reasons.
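The following added Go example (not code from the page) shows that difference with Go's standard library: a one-byte corruption of the ciphertext makes AES-GCM decryption fail outright, whereas AES-CBC decrypts without complaint and hands back altered plaintext. The key and the record are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// Constructed demo inputs (not from the page): fixed AES-256 key, 31-byte record spanning two blocks.
var (
	demoKey   = bytes.Repeat([]byte{0x42}, 32)
	demoPlain = []byte("account=1234;balance=100;flag=0")
)
// gcmDecryptsAfterCorruption encrypts with AES-GCM, flips one ciphertext byte
// if corrupt is set, and reports whether decryption still succeeds.
func gcmDecryptsAfterCorruption(corrupt bool) (bool, []byte) {
	block, _ := aes.NewCipher(demoKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, demoPlain, nil)
	if corrupt {
		ct[0] ^= 0x01
	}
	pt, err := gcm.Open(nil, nonce, ct, nil) // the tag check fails on any change
	return err == nil, pt
}

// cbcDecryptsAfterCorruption does the same with CBC and hand-rolled PKCS#7 padding.
// One flipped IV byte flips the same byte of the first plaintext block; CBC has no tag.
func cbcDecryptsAfterCorruption(corrupt bool) (bool, []byte) {
	block, _ := aes.NewCipher(demoKey)
	pad := aes.BlockSize - len(demoPlain)%aes.BlockSize
	padded := append(append([]byte{}, demoPlain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	if corrupt {
		iv[0] ^= 0x01
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // the padding byte is the only check CBC offers
	if n < 1 || n > aes.BlockSize {
		return false, nil
	}
	return true, pt[:len(pt)-n]
}
```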

Additional data

AEAD encryption functions support the use of an additional_data argument, also known as associated data (AD) or additional authenticated data. A ciphertext can only be decrypted if the same additional data used to encrypt is also provided to decrypt. The additional data can therefore be used to bind the ciphertext to a context.

For example, additional_data could be the output of CAST(customer_id AS STRING) when encrypting data for a particular customer. This ensures that when the data is decrypted, it was previously encrypted using the expected customer_id. The same additional_data value is required for decryption. For more information, see RFC 5116.

Decryption

The output of AEAD.ENCRYPT is ciphertext BYTES. The AEAD.DECRYPT_STRING or AEAD.DECRYPT_BYTES functions can decrypt this ciphertext. These functions must use a keyset that contains the key that was used for encryption. That key must be in an 'ENABLED' state. They must also use the same additional_data as was used in encryption.

When the keyset is used for decryption, the appropriate key is chosen for decryption based on the key ID encoded in the ciphertext.

The output of AEAD.DECRYPT_STRING is a plaintext STRING, whereas the output of AEAD.DECRYPT_BYTES is plaintext BYTES. AEAD.DECRYPT_STRING can decrypt ciphertext that encodes a STRING value; AEAD.DECRYPT_BYTES can decrypt ciphertext that encodes a BYTES value. Using one of these functions to decrypt a ciphertext that encodes the wrong data type, such as using AEAD.DECRYPT_STRING to decrypt ciphertext that encodes a BYTES value, causes undefined behavior and may result in an error.

Key rotation

The primary purpose of rotating encryption keys is to reduce the amount of data encrypted with any particular key, so that a compromised key would give an attacker access to less data.

Keyset rotation involves:

  1. Creating a new primary cryptographic key within every keyset.
  2. Decrypting and re-encrypting all encrypted data.

The KEYS.ROTATE_KEYSET or KEYS.ROTATE_WRAPPED_KEYSET function performs the first step, by adding a new primary cryptographic key to a keyset and changing the old primary cryptographic key to a secondary cryptographic key.
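The additional_data binding, the decryption rule and the first rotation step above, in one added Go example (not code from the page or from Tink): a constructed keyset type that encrypts under the primary key using a Tink-style ciphertext layout (5-byte prefix, 12-byte IV, then AES-GCM output; the layout is assumed from Tink's AES-GCM format), decrypts only when the same additional_data is supplied, and after rotation still decrypts older ciphertexts through the key ID in their prefix. Rotate stands in for what KEYS.ROTATE_KEYSET does to a keyset; key IDs and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)
// AeadKeyset is a constructed stand-in for a Tink keyset: raw AES-256-GCM keys by ID plus the primary's ID.
type AeadKeyset struct {
	Primary uint32
	Keys    map[uint32][]byte
}

// Rotate adds a fresh key as the new primary; the old primary stays in the
// keyset as a secondary, so ciphertexts that name it still decrypt.
func (ks *AeadKeyset) Rotate(newID uint32) {
	k := make([]byte, 32)
	rand.Read(k)
	ks.Keys[newID] = k
	ks.Primary = newID
}

// Encrypt writes the layout the page describes: 5-byte TINK prefix (0x01 and the
// big-endian primary key ID), 12-byte IV, then AES-GCM output bound to additionalData.
func (ks *AeadKeyset) Encrypt(plaintext, additionalData []byte) []byte {
	out := []byte{0x01, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(out[1:], ks.Primary)
	block, _ := aes.NewCipher(ks.Keys[ks.Primary])
	gcm, _ := cipher.NewGCM(block)
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv)
	return gcm.Seal(append(out, iv...), iv, plaintext, additionalData)
}

// Decrypt selects the key named in the prefix and fails when that key is
// missing or when additionalData differs from the value used to encrypt.
func (ks *AeadKeyset) Decrypt(ct, additionalData []byte) ([]byte, error) {
	if len(ct) < 5+12 || ct[0] != 0x01 {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	block, err := aes.NewCipher(ks.Keys[binary.BigEndian.Uint32(ct[1:5])])
	if err != nil { // an unknown key ID yields a nil key, which NewCipher rejects
		return nil, fmt.Errorf("no usable key for this ciphertext: %v", err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[5:17], ct[17:], additionalData)
}
```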

Cloud KMS keys

GoogleSQL supports AEAD encryption functions with Cloud KMS keys to further secure your data. This additional layer of protection encrypts your data encryption key (DEK) with a key encryption key (KEK). The KEK is a symmetric encryption keyset that is stored securely in the Cloud Key Management Service and managed using Cloud KMS permissions and roles.

At query execution time, use the KEYS.KEYSET_CHAIN function to provide the KMS resource path of the KEK and the ciphertext from the wrapped DEK. BigQuery calls Cloud KMS to unwrap the DEK, and then uses that key to decrypt the data in your query. The unwrapped version of the DEK is only stored in memory for the duration of the query, and then destroyed.

For more information, see SQL column-level encryption with Cloud KMS keys.


Last updated 2026-02-18 UTC.