Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Enkripsi dalam penyimpanan
Secara default, BigQuery mengenkripsi konten pelanggan dalam penyimpanan. BigQuery menangani enkripsi untuk Anda tanpa
tindakan tambahan dari Anda. Opsi ini disebut enkripsi default Google.
Enkripsi default Google
menggunakan sistem pengelolaan kunci yang telah melalui proses hardening yang sama dengan yang kami gunakan untuk data terenkripsi kami sendiri. Sistem ini mencakup pengauditan dan kontrol akses kunci yang ketat.
Data dan metadata setiap objek BigQuery dienkripsi menggunakan
Advanced
Encryption Standard (AES).
Jika ingin mengontrol kunci enkripsi, Anda dapat menggunakan kunci enkripsi yang dikelola pelanggan (CMEK) di Cloud KMS dengan layanan yang terintegrasi dengan CMEK, termasuk BigQuery. Dengan menggunakan kunci Cloud KMS, Anda dapat mengontrol tingkat perlindungan, lokasi, jadwal rotasi, izin penggunaan dan akses, serta batasan kriptografisnya.
Dengan menggunakan Cloud KMS, Anda juga dapat melihat log audit dan mengontrol siklus proses kunci.
Alih-alih Google yang memiliki dan mengelola kunci enkripsi kunci (KEK) simetris yang melindungi data Anda, Anda yang mengontrol dan mengelola kunci ini di Cloud KMS.
Setelah Anda menyiapkan resource dengan CMEK, pengalaman mengakses resource BigQuery Anda serupa dengan menggunakan enkripsi default Google.
Untuk mengetahui informasi selengkapnya tentang opsi enkripsi Anda, lihat
Kunci Cloud KMS yang dikelola pelanggan.
Enkripsi nilai individual dalam tabel
Jika Anda ingin mengenkripsi nilai individual dalam tabel BigQuery,
gunakan fungsi enkripsi Authenticated Encryption with Associated
Data (AEAD). Jika Anda ingin menyimpan data untuk semua pelanggan Anda sendiri dalam
tabel umum, gunakan fungsi AEAD untuk mengenkripsi setiap data pelanggan menggunakan
kunci yang berbeda. Fungsi enkripsi AEAD didasarkan pada AES. Untuk informasi
selengkapnya, lihat Konsep Enkripsi AEAD di GoogleSQL.
Enkripsi sisi klien
Enkripsi sisi klien terpisah dari enkripsi BigQuery dalam
penyimpanan. Jika memilih untuk menggunakan enkripsi sisi klien, Anda bertanggung jawab atas
kunci sisi klien dan operasi kriptografi. Anda akan mengenkripsi data sebelum
menulisnya ke BigQuery. Dalam hal ini, data Anda dienkripsi
dua kali, pertama dengan kunci Anda, lalu dengan kunci Google. Demikian pula, data yang dibaca
dari BigQuery didekripsi dua kali, pertama dengan kunci Google dan
kemudian dengan kunci Anda.
Data dalam pengiriman
Untuk melindungi data Anda saat data berpindah melalui Internet selama operasi baca dan tulis, Google Cloud menggunakan Transport Layer Security (TLS). Untuk mengetahui informasi
selengkapnya, lihat Enkripsi dalam pengiriman di Google Cloud.
Dalam pusat data Google, data Anda dienkripsi saat ditransfer
antar-komputer.
Langkah berikutnya
Untuk mengetahui informasi selengkapnya tentang enkripsi dalam penyimpanan untuk BigQuery dan produk Google Cloud lainnya, lihat Enkripsi dalam penyimpanan di Google Cloud.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eBigQuery automatically encrypts customer data at rest using Google default encryption, which employs robust key management systems and the Advanced Encryption Standard (AES).\u003c/p\u003e\n"],["\u003cp\u003eCustomers can opt for customer-managed encryption keys (CMEKs) via Cloud KMS to gain more control over key protection, location, rotation, and access permissions.\u003c/p\u003e\n"],["\u003cp\u003eCloud KMS Autokey simplifies CMEK management by automatically generating key rings and keys during resource creation in BigQuery, and handles the creation of the necessary service agents.\u003c/p\u003e\n"],["\u003cp\u003eFor encrypting individual values within a table, BigQuery supports Authenticated Encryption with Associated Data (AEAD) encryption functions, allowing for different keys per customer.\u003c/p\u003e\n"],["\u003cp\u003eClient-side encryption can be implemented, providing a second layer of encryption before data is written to BigQuery, but users are fully responsible for the management of client-side keys and cryptographic operations.\u003c/p\u003e\n"]]],[],null,["# Encryption at rest\n==================\n\nBy default, BigQuery encrypts customer content at\nrest. BigQuery handles encryption for you without any\nadditional actions on your part. This option is called *Google default encryption* .\nGoogle default encryption\nuses the same hardened key management systems that we use for our own\nencrypted data. These systems include strict key access controls and auditing.\nEach BigQuery object's data and metadata is encrypted using the\n[Advanced\nEncryption Standard (AES)](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n\nIf you want to control your encryption keys, then you can use customer-managed encryption keys\n(CMEKs) in [Cloud KMS](/kms/docs) with CMEK-integrated services including\nBigQuery. Using Cloud KMS keys gives you control over their protection\nlevel, location, rotation schedule, usage and access permissions, and cryptographic boundaries.\n\nUsing Cloud KMS also lets\nyou [track key usage](/kms/docs/view-key-usage), view audit logs, and\ncontrol key lifecycles.\n\n\nInstead of Google owning and managing the symmetric\n[key encryption keys (KEKs)](/kms/docs/envelope-encryption#key_encryption_keys) that protect your data, you control and\nmanage these keys in Cloud KMS.\n\nAfter you set up your resources with CMEKs, the experience of accessing your\nBigQuery resources is similar to using Google default encryption.\nFor more information\nabout your encryption options, see [Customer-managed Cloud KMS keys](/bigquery/docs/customer-managed-encryption).\n\nCMEK with Cloud KMS Autokey\n---------------------------\n\nYou can either create CMEKs manually to protect your BigQuery\nresources or use Cloud KMS Autokey. With Autokey, key rings and keys are generated on demand as\npart of resource creation in BigQuery.\nService agents that use the keys for encrypt and decrypt operations are created if they don't\nalready exist and are granted the required Identity and Access Management (IAM) roles. For more\ninformation, see [Autokey overview](/kms/docs/autokey-overview).\n\n\nTo learn how to use\nmanually-created CMEKs to protect your BigQuery resources, see\n[Customer-managed Cloud KMS keys](/bigquery/docs/customer-managed-encryption).\n\nTo learn how to use CMEKs created by\nCloud KMS Autokey to protect your BigQuery resources,\nsee [Using Autokey with BigQuery\nresources](/kms/docs/create-resource-with-autokey#bigquery-autokey).\n\n\u003cbr /\u003e\n\nEncryption of individual values in a table\n------------------------------------------\n\nIf you want to encrypt individual values within a BigQuery table,\nuse the Authenticated Encryption with Associated Data (AEAD) [encryption\nfunctions](/bigquery/docs/reference/standard-sql/aead_encryption_functions). If you want to keep data for all of your own customers in a\ncommon table, use AEAD functions to encrypt each customers' data using a\ndifferent key. The AEAD encryption functions are based on AES. For more\ninformation, see [AEAD Encryption Concepts in GoogleSQL](/bigquery/docs/aead-encryption-concepts).\n\nClient-side encryption\n----------------------\n\nClient-side encryption is separate from BigQuery encryption at\nrest. If you choose to use client-side encryption, you are responsible for the\nclient-side keys and cryptographic operations. You would encrypt data before\nwriting it to BigQuery. In this case, your data is encrypted\ntwice, first with your keys and then with Google's keys. Similarly, data read\nfrom BigQuery is decrypted twice, first with Google's keys and\nthen with your keys.\n| **Important:** BigQuery does not know if your data has already been encrypted client-side, nor does BigQuery have any knowledge of your client-side encryption keys. If you use client-side encryption, you must securely manage your encryption keys and all aspects of client-side encryption and decryption.\n\nData in transit\n---------------\n\nTo protect your data as it travels over the Internet during read and write\noperations, Google Cloud uses Transport Layer Security (TLS). For more\ninformation, see [Encryption in transit in Google Cloud](/security/encryption-in-transit).\n\nWithin Google data centers, your data is encrypted when it is transferred\nbetween machines.\n\nWhat's next\n-----------\n\nFor more information about encryption at rest for BigQuery and\nother Google Cloud products, see\n[Encryption at rest in Google Cloud](/security/encryption/default-encryption)."]]
