Data encryption and encryption keys

This topic provides information about encryption of data on Google Cloud and about encryption keys.

Encryption in transit and at rest

Google Cloud enables encryption in transit by default to encrypt requests before transmission and to protect the raw data using the Transport Layer Security (TLS) protocol.

Once data is transferred to Google Cloud to be stored, Google Cloud applies encryption at rest by default. To gain more control over how data is encrypted at rest, Google Cloud customers can use Cloud Key Management Service to generate, use, rotate, and destroy encryption keys according to their own policies. These keys are called customer-managed encryption keys (CMEK).

For certain compliance regimes, Assured Workloads can deploy a CMEK project alongside your resources project during workload environment creation.

As an alternative to CMEK, Google-managed encryption keys, provided by default, are FIPS-140-2 compliant and are able to support FedRAMP Moderate compliance. Customers can delete the CMEK project and rely solely on Google-managed keys. We recommend, however, that you decide whether to use CMEK keys before you create your Assured Workloads environment as deletion of existing in-use CMEK can result in inability to access or recover data.

Customer-managed encryption keys (CMEK)

If you need more control over the keys used to encrypt data at rest within a Google Cloud project than what Google Cloud's default encryption provides, Google Cloud services offer the ability to protect data by using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK).

To learn which aspects of the lifecycle and management of your keys that CMEK provides, see Customer-managed encryption keys (CMEK) in Cloud KMS documentation. For a tutorial that guides you through managing keys and encrypted data using Cloud KMS, see the quickstart or codelab.

What's next