Encryption at rest

BigQuery automatically encrypts all data before it is written to disk. The data is automatically decrypted when read by an authorized user. By default, Google manages the key encryption keys used to protect your data. You can also use customer-managed encryption keys, and encrypt individual values within a table.

Default encryption at rest

By default, Google manages the cryptographic keys on your behalf using the same hardened key management systems that we use for our own encrypted data. These systems including strict key access controls and auditing. Each BigQuery object's data and metadata is encrypted under the Advanced Encryption Standard (AES).

Customer-managed encryption keys

If you want to manage the key encryption keys used for your data at rest, instead of having Google manage the keys, use Cloud Key Management Service to manage your keys. This scenario is known as customer-managed encryption keys (CMEK). For more information about this feature, see Protecting data with Cloud KMS keys.

Encryption of individual values in a table

If you want to encrypt individual values within a BigQuery table, use the Authenticated Encryption with Associated Data (AEAD) encryption functions. If you want to keep data for all of your own customers in a common table, use AEAD functions to encrypt each customers' data using a different key. The AEAD encryption functions are based on AES. For more information, see AEAD Encryption Concepts in GoogleSQL.

Client-side encryption

Client-side encryption is separate from BigQuery encryption at rest. If you choose to use client-side encryption, you are responsible for the client-side keys and cryptographic operations. You would encrypt data before writing it to BigQuery. In this case, your data is encrypted twice, first with your keys and then with Google's keys. Similarly, data read from BigQuery is decrypted twice, first with Google's keys and then with your keys.

Data in transit

To protect your data as it travels over the Internet during read and write operations, Google Cloud uses Transport Layer Security (TLS). For more information, see Encryption in transit in Google Cloud.

Within Google data centers, your data is encrypted when it is transferred between machines.

What's next

For more information about encryption at rest for BigQuery and other Google Cloud products, see Encryption at rest in Google Cloud.