Data encryption and encryption keys

This topic provides information about encryption of data on Google Cloud and about encryption keys.

Encryption in transit and at rest

Google Cloud enables encryption in transit by default to encrypt requests before transmission and to protect the raw data using the Transport Layer Security (TLS) protocol.

Once data is transferred to Google Cloud to be stored, Google Cloud applies encryption at rest by default. To gain more control over how data is encrypted at rest, Google Cloud customers can use Cloud Key Management Service to generate, use, rotate, and destroy encryption keys according to their own policies. These keys are called customer-managed encryption keys (CMEK).

Though Assured Workloads deploys a CMEK project during workload environment creation, CMEK is not required to support FedRAMP Moderate compliance. The Google-managed encryption keys provided by default are FIPS 140-2 compliant and support FedRAMP Moderate compliance. Customers can delete the CMEK project and rely solely on Google-managed keys. This action should be taken when initially creating an Assured Workloads environment, because deleting a CMEK that is already in use can make the data it protects inaccessible and unrecoverable.

Customer-managed encryption keys (CMEK)

If you need more control over the keys used to encrypt data at rest within a Google Cloud project than what Google Cloud's default encryption provides, Google Cloud services offer the ability to protect data by using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK).

To learn which aspects of your keys' lifecycle and management CMEK gives you control over, see Customer-managed encryption keys (CMEK) in the Cloud KMS documentation. For a tutorial that guides you through managing keys and encrypted data using Cloud KMS, see the quickstart or codelab.
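The following Terraform configuration is an added example, not part of this page or of Google's own samples. It shows the CMEK lifecycle controls described above (a key with automatic rotation, a bounded destroy window, and protection against accidental deletion) applied to a Cloud Storage bucket; the key ring, key and bucket names are placeholders, and `var.project_id` and `var.location` are assumed inputs.

```hcl
variable "project_id" { type = string }
variable "location"   { type = string } # e.g. "us-central1"
# Key ring and key live in Cloud KMS; the customer owns the key lifecycle.
resource "google_kms_key_ring" "cmek" {
  name     = "example-cmek-ring" # placeholder
  location = var.location
  project  = var.project_id
}
resource "google_kms_crypto_key" "data" {
  name            = "example-data-key" # placeholder
  key_ring        = google_kms_key_ring.cmek.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days: Cloud KMS creates a new primary version automatically
  # A destroyed key version can be restored only within this window.
  destroy_scheduled_duration = "2592000s" # 30 days
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE" # "HSM" for hardware-backed keys
  }
  # Data encrypted under this key is unrecoverable once the key is destroyed,
  # so block `terraform destroy` from removing it.
  lifecycle {
    prevent_destroy = true
  }
}
# The Cloud Storage service agent must be allowed to use the key; without this
# binding, writes to the bucket fail with a permission error.
data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}
resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}
# Objects written to this bucket are encrypted at rest with the CMEK by default.
resource "google_storage_bucket" "protected" {
  name     = "example-cmek-bucket" # placeholder; bucket names are globally unique
  location = var.location
  project  = var.project_id
  encryption {
    default_kms_key_name = google_kms_crypto_key.data.id
  }
  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}
```

Rotation only creates new key versions; older versions stay enabled so existing objects remain readable, which is why destroying versions (rather than rotating) is the step that needs the caution given above.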

What's next