Encryption information for a given resource. If this resource is protected with customer managed encryption, the in-use Cloud Key Management Service (Cloud KMS) key version is specified along with its status.

JSON representation
  "encryptionType": enum (EncryptionType),
  "encryptionStatus": {
    object (Status)
  "kmsKeyVersion": string

enum (EncryptionType)

Output only. The type of encryption used to protect this resource.


object (Status)

Output only. The status of encrypt/decrypt calls on underlying data for this resource. Regardless of status, the existing data is always encrypted at rest.



Output only. The version of the Cloud KMS key specified in the parent cluster that is in use for the data underlying this table.


Possible encryption types for a resource.

ENCRYPTION_TYPE_UNSPECIFIED Encryption type was not specified, though data at rest remains encrypted.
GOOGLE_DEFAULT_ENCRYPTION The data backing this resource is encrypted at rest with a key that is fully managed by Google. No key version or status will be populated. This is the default state.
CUSTOMER_MANAGED_ENCRYPTION The data backing this resource is encrypted at rest with a key that is managed by the customer. The in-use version of the key and its status are populated for CMEK-protected tables. CMEK-protected backups are pinned to the key version that was in use at the time the backup was taken. This key version is populated but its status is not tracked and is reported as UNKNOWN.