International Association for Cryptologic Research

CryptoDB

Anvita Pandit

Publications

Year | Venue | Title
2023 | RWC | Crypto Agility and Post-Quantum Cryptography @ Google
In this talk we will present challenges Google faces with key management, and how we built a system to instrument our cryptographic libraries to gain extensive observability into how our services use cryptographic key material in practice. This allows us to enforce best practices like key rotation, deleting old keys and respecting data limits, across global large-scale distributed systems. Within Google, our tooling covers thousands of internal teams with diverse use cases, improving both security and reliability on a large scale. This talk also shows how we deployed post-quantum cryptography to Google's internal transport layer security protocol (ALTS), and made it the default option. We will talk about the challenges, both technical and organisational, when making such a large-scale change to a global infrastructure as run by Google. We will share insights on the performance impact and discuss our design decisions and trade-offs.