Cloud Build provides customer-managed encryption keys (CMEK) compliance by encrypting each build-time persistent disk with an ephemeral key that is uniquely generated for that build. No configuration is required.
Once a build starts, the key is accessible only to the build processes that require it, for up to 24 hours. The key is then wiped from memory and destroyed.
The key isn't retained anywhere, isn't accessible to Google engineers or support
staff, and can't be restored. The data that was protected using such a key is
permanently inaccessible once the build completes.
How does the ephemeral key encryption work?
Cloud Build supports CMEK through the use of ephemeral keys, allowing
it to be fully consistent and compatible with a CMEK-enabled setup.
Cloud Build does the following to ensure build-time persistent disks are encrypted with an ephemeral key:
Cloud Build mints a random 256-bit encryption key for encrypting each build-time persistent disk.
Cloud Build uses the Customer-Supplied Encryption Key (CSEK) feature of persistent disk, supplying this new key as the disk's encryption key.
Cloud Build destroys the ephemeral key as soon as the disk is created. The key is never logged or written to any persistent storage, so from that point on it is irretrievable.
When the build completes, the persistent disk is deleted, at which point no trace of the key or of the encrypted disk data remains anywhere in Google infrastructure.
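To make the mechanism concrete, here is an added shell illustration (not Cloud Build's own code) that reproduces the same ephemeral-key pattern with the public CSEK feature of persistent disk: mint a random 256-bit key, bind it to one disk in a CSEK key file, create the disk, then destroy the key. The project, zone and disk names are placeholders, and the gcloud call runs only when CSEK_DEMO_RUN_GCLOUD=1 is set; everything else runs offline.

```shell
#!/usr/bin/env bash
# Added illustration of the ephemeral-key pattern using persistent disk CSEK.
# Assumes openssl, base64 and mktemp are available; the gcloud call is
# attempted only when CSEK_DEMO_RUN_GCLOUD=1 is set in the environment.
set -euo pipefail

# Mint a random 256-bit key, base64-encoded as a CSEK "raw" key expects.
mint_key() {
  openssl rand -base64 32 | tr -d '\n'
}

# Write a CSEK key file that binds the key to exactly one disk resource URI.
# $1 = disk resource URI, $2 = base64 key, $3 = output path
write_csek_keyfile() {
  local disk_uri="$1" key_b64="$2" out="$3"
  umask 077   # key file readable by the current user only
  printf '[{"uri": "%s", "key": "%s", "key-type": "raw"}]\n' \
    "$disk_uri" "$key_b64" > "$out"
}

# Decoded length of a base64 key in bytes; a valid raw CSEK key is 32 bytes.
key_byte_length() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Create the disk with the freshly minted key, then destroy the key at once.
# As on the page: the key never reaches durable storage, and without it the
# encrypted disk contents cannot be read again.
create_disk_with_ephemeral_key() {
  local project="$1" zone="$2" disk="$3"
  local uri="https://www.googleapis.com/compute/v1/projects/$project/zones/$zone/disks/$disk"
  local keyfile key
  keyfile="$(mktemp)"      # in production, place this on tmpfs, not a disk
  key="$(mint_key)"
  write_csek_keyfile "$uri" "$key" "$keyfile"
  if [ "${CSEK_DEMO_RUN_GCLOUD:-0}" = "1" ]; then
    gcloud compute disks create "$disk" --project="$project" --zone="$zone" \
      --size=10GB --csek-key-file="$keyfile"
  fi
  # Destroy the key material immediately after the disk is created.
  if command -v shred >/dev/null 2>&1; then shred -u "$keyfile"; else rm -f "$keyfile"; fi
  unset key
  [ ! -e "$keyfile" ]     # succeeds only if no copy of the key file remains
}
```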
When does ephemeral key encryption not apply?
Ephemeral key encryption covers only the build-time persistent disk. When you create or trigger a build using source mirroring (rather than GitHub triggers), your source code is stored in Cloud Storage or Cloud Source Repositories. You have full control over that code storage location, including control over its encryption.
Last updated 2025-03-05 UTC.