Stop or restart a Compute Engine instance

This document explains how to stop or restart a Compute Engine instance. To learn more about suspending, stopping, or resetting an instance, see Suspend, stop, or reset Compute Engine instances.

Stopping an instance is useful when you no longer use it, or to modify its properties—for example, to change its machine type, or remove any attached and mounted disks. After you stop the instance, you can do the following:

  • Restart it to resume your workload.

  • Delete it if you no longer need it.

To automate stopping or restarting an instance, see the following instead:

Before you begin

Required roles

To get the permissions that you need to stop or restart a compute instance, ask your administrator to grant you the Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to stop or restart a compute instance. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to stop or restart a compute instance:

  • To stop an instance: compute.instances.stop on the instance
  • To stop an instance from the guest OS: compute.instances.setMetadata on the instance if it uses instance-level public SSH keys.
  • To restart an instance: compute.instances.start on the instance
  • To restart an instance that uses encryption keys: compute.instances.startWithEncryptionKey on the instance

You might also be able to get these permissions with custom roles or other predefined roles.

Stop an instance

When you stop a compute instance, or Compute Engine does so for a scheduled action, the instance retains its attached resources, configuration settings, internal IP addresses, MAC addresses, and metadata. However, the instance loses its in-memory data and application state. If you need to retain these states, then suspend the instance instead.

You can stop an instance using the following methods, depending on whether the instance has Local SSD disks attached and how you want to handle any shutdown scripts:

  • Stop an instance without Local SSD disks

    You can stop one or more instances simultaneously that don't have any Local SSD disks attached. Any shutdown scripts in an instance must finish running within the default shutdown period.

  • Stop an instance with Local SSD disks

    When stopping one or more instances simultaneously that have Local SSD disks attached, you can choose to discard or preserve (Preview) the data on those disks. Any shutdown scripts in the instance must finish running within the default shutdown period.

  • Stop an instance from the guest OS

    This approach lets you stop a single instance only after your shutdown scripts have finished running, or, if you enabled graceful shutdown, stop the instance without gracefully shutting it down, or end an ongoing graceful shutdown. Unless you manually back up data from any attached Local SSD disks to durable storage volume, stopping an instance from within its guest OS discards any data on those disks.

Stop an instance without Local SSD disks

Depending on what you want to do when stopping an instance, use the following options:

  • If you've enabled graceful shutdown in the instance, then you can stop the instance without gracefully shutting it down or end an ongoing graceful shutdown using the Google Cloud console, gcloud CLI, or REST API.

  • To stop multiple instances simultaneously, use the Google Cloud console or, for instances located in the same zone, the gcloud CLI.

To stop one or more instances, select one of the following options:


  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the running instances to stop.

  3. Click Stop.

  4. In the dialog, do the following:

    1. Optional: To stop the instances without gracefully shut them down, or end an ongoing graceful shutdown, select the Skip graceful shutdown (if applicable) checkbox.

    2. To confirm, click Stop.


To stop one or more instances in the same zone, use the gcloud compute instances stop command:

gcloud compute instances stop INSTANCE_NAMES \

Replace the following:

  • INSTANCE_NAMES: a list of instance names separated by spaces—for example, instance-01 instance-02 instance-03.

  • ZONE: the zone where the instances are located.

Optionally, if you've enabled graceful shutdown in one or more instances, then you can stop the instances without gracefully shutting them down, or manually end an ongoing graceful shutdown. To do so, use the gcloud beta compute instances stop command with the --no-graceful-shutdown flag:

gcloud beta compute instances stop INSTANCE_NAMES \
    --no-graceful-shutdown \


import (

	compute ""
	computepb ""

// stopInstance stops a started Google Compute Engine instance
func stopInstance(w io.Writer, projectID, zone, instanceName string) error {
	// projectID := "your_project_id"
	// zone := "europe-central2-b"
	// instanceName := "your_instance_name"

	ctx := context.Background()
	instancesClient, err := compute.NewInstancesRESTClient(ctx)
	if err != nil {
		return fmt.Errorf("NewInstancesRESTClient: %w", err)
	defer instancesClient.Close()

	req := &computepb.StopInstanceRequest{
		Project:  projectID,
		Zone:     zone,
		Instance: instanceName,

	op, err := instancesClient.Stop(ctx, req)
	if err != nil {
		return fmt.Errorf("unable to stop instance: %w", err)

	if err = op.Wait(ctx); err != nil {
		return fmt.Errorf("unable to wait for the operation: %w", err)

	fmt.Fprintf(w, "Instance stopped\n")

	return nil


import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class StopInstance {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(developer): Replace these variables before running the sample.
    /* project: project ID or project number of the Cloud project your instance belongs to.
       zone: name of the zone your instance belongs to.
       instanceName: name of the instance your want to stop.
    String project = "your-project-id";
    String zone = "zone-name";
    String instanceName = "instance-name";

    stopInstance(project, zone, instanceName);

  // Stops a started Google Compute Engine instance.
  public static void stopInstance(String project, String zone, String instanceName)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    /* Initialize client that will be used to send requests. This client only needs to be created
       once, and can be reused for multiple requests. After completing all of your requests, call
       the `instancesClient.close()` method on the client to safely
       clean up any remaining background resources. */
    try (InstancesClient instancesClient = InstancesClient.create()) {

      StopInstanceRequest stopInstanceRequest = StopInstanceRequest.newBuilder()

      OperationFuture<Operation, Operation> operation = instancesClient.stopAsync(
      Operation response = operation.get(3, TimeUnit.MINUTES);

      if (response.getStatus() == Status.DONE) {
        System.out.println("Instance stopped successfully ! ");


 * TODO(developer): Uncomment and replace these variables before running the sample.
// const projectId = 'YOUR_PROJECT_ID';
// const zone = 'europe-central2-b'
// const instanceName = 'YOUR_INSTANCE_NAME'

const compute = require('@google-cloud/compute');

async function stopInstance() {
  const instancesClient = new compute.InstancesClient();

  const [response] = await instancesClient.stop({
    project: projectId,
    instance: instanceName,
  let operation = response.latestResponse;
  const operationsClient = new compute.ZoneOperationsClient();

  // Wait for the operation to complete.
  while (operation.status !== 'DONE') {
    [operation] = await operationsClient.wait({
      project: projectId,

  console.log('Instance stopped.');



use Google\Cloud\Compute\V1\Client\InstancesClient;
use Google\Cloud\Compute\V1\StopInstanceRequest;

 * Stops a running Google Compute Engine instance.
 * @param string $projectId Project ID or project number of the Cloud project your instance belongs to.
 * @param string $zone Name of the zone your instance belongs to.
 * @param string $instanceName Name of the instance you want to stop.
 * @throws \Google\ApiCore\ApiException if the remote call fails.
 * @throws \Google\ApiCore\ValidationException if local error occurs before remote call.
function stop_instance(
    string $projectId,
    string $zone,
    string $instanceName
) {
    // Stop the Compute Engine instance using InstancesClient.
    $instancesClient = new InstancesClient();
    $request = (new StopInstanceRequest())
    $operation = $instancesClient->stop($request);

    // Wait for the operation to complete.
    if ($operation->operationSucceeded()) {
        printf('Instance %s stopped successfully' . PHP_EOL, $instanceName);
    } else {
        $error = $operation->getError();
        printf('Failed to stop instance: %s' . PHP_EOL, $error?->getMessage());


from __future__ import annotations

import sys
from typing import Any

from google.api_core.extended_operation import ExtendedOperation
from import compute_v1

def wait_for_extended_operation(
    operation: ExtendedOperation, verbose_name: str = "operation", timeout: int = 300
) -> Any:
    Waits for the extended (long-running) operation to complete.

    If the operation is successful, it will return its result.
    If the operation ends with an error, an exception will be raised.
    If there were any warnings during the execution of the operation
    they will be printed to sys.stderr.

        operation: a long-running operation you want to wait on.
        verbose_name: (optional) a more verbose name of the operation,
            used only during error and warning reporting.
        timeout: how long (in seconds) to wait for operation to finish.
            If None, wait indefinitely.

        Whatever the operation.result() returns.

        This method will raise the exception received from `operation.exception()`
        or RuntimeError if there is no exception set, but there is an `error_code`
        set for the `operation`.

        In case of an operation taking longer than `timeout` seconds to complete,
        a `concurrent.futures.TimeoutError` will be raised.
    result = operation.result(timeout=timeout)

    if operation.error_code:
            f"Error during {verbose_name}: [Code: {operation.error_code}]: {operation.error_message}",
        print(f"Operation ID: {}", file=sys.stderr, flush=True)
        raise operation.exception() or RuntimeError(operation.error_message)

    if operation.warnings:
        print(f"Warnings during {verbose_name}:\n", file=sys.stderr, flush=True)
        for warning in operation.warnings:
            print(f" - {warning.code}: {warning.message}", file=sys.stderr, flush=True)

    return result

def stop_instance(project_id: str, zone: str, instance_name: str) -> None:
    Stops a running Google Compute Engine instance.
        project_id: project ID or project number of the Cloud project your instance belongs to.
        zone: name of the zone your instance belongs to.
        instance_name: name of the instance your want to stop.
    instance_client = compute_v1.InstancesClient()

    operation = instance_client.stop(
        project=project_id, zone=zone, instance=instance_name
    wait_for_extended_operation(operation, "instance stopping")


To stop an instance, make a POST request to the instances.stop method:


Replace the following:

  • INSTANCE_NAME: the name of the instance.

  • PROJECT_ID: the ID of the project where the instance is located.

  • ZONE: the zone where the instance is located.

Optionally, if you've enabled graceful shutdown in an instance, you can stop the instance without gracefully shutting it down, or manually end an ongoing graceful shutdown. To do so, make a POST request to the instances.stop method. In the request URL, include the noGracefulShutdown=true query parameter:


Stop an instance with Local SSD disks

Depending on what you want to do when stopping a compute instance, use the following options:

  • If you've enabled graceful shutdown in the instance, then you can stop the instance without gracefully shutting it down or end an ongoing graceful shutdown using the Google Cloud console, gcloud CLI, or REST API.

  • To preserve the data of the Local SSD disks attached to an instance (excluding Z3 instances), stop the instance using the gcloud CLI or REST API.

  • To stop multiple instances simultaneously, use the Google Cloud console or, for instances located in the same zone, the gcloud CLI.

To stop one or more instances that have Local SSD disks attached, select one of the following options:


  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the running instances to stop.

  3. Click Stop.

  4. In the dialog, do the following:

    1. Optional: To stop the instances without gracefully shut them down, or end an ongoing graceful shutdown, select the Skip graceful shutdown (if applicable) checkbox.

    2. To confirm, click Stop.


When stopping one or more instances in the same zone that have Local SSD disks attached, specify whether to discard or preserve Local SSD data as follows:

  • To discard Local SSD data, use the gcloud compute instances stop command with the --discard-local-ssd=true flag:

    gcloud compute instances stop INSTANCE_NAMES \
        --discard-local-ssd=true \
  • To preserve Local SSD data, use the gcloud beta compute instances stop command with the --discard-local-ssd=false flag:

    gcloud beta compute instances stop INSTANCE_NAMES \
        --discard-local-ssd=false \

Replace the following:

  • INSTANCE_NAMES: a list of instance names separated by spaces—for example, instance-01 instance-02 instance-03.

  • ZONE: the zone where the instances are located.

Optionally, if you've enabled graceful shutdown in one or more instances, you can stop the instances without gracefully shutting them down, or end an ongoing graceful shutdown. To do so, use the gcloud beta compute instances stop command with the --no-graceful-shutdown flag:

gcloud beta compute instances stop INSTANCE_NAMES \
    --discard-local-ssd=DISCARD_LOCAL_SSD \
    --no-graceful-shutdown \

Replace DISCARD_LOCAL_SSD with true to discard the data in the Local SSD disks, or false to preserve the data.


When stopping an instance that has Local SSD disks attached, specify whether to discard or preserve Local SSD data as follows:

  • To discard Local SSD data, make a POST request to the instances.stop method. In the request URL, include the discardLocalSsd query parameter set to true:

  • To preserve Local SSD data, make a POST request to the beta.instances.stop method. In the request URL, include the discardLocalSsd query parameter set to false:


Replace the following:

  • PROJECT_ID: the ID of the project where the instance is located.

  • ZONE: the zone where the instance is located.

  • INSTANCE_NAME: the name of the instance.

Optionally, if you've enabled graceful shutdown in an instance, then you can stop the instance without gracefully shutting it down, or manually end an ongoing graceful shutdown. To do so, make a POST request to the instances.stop method. In the request URL, include the noGracefulShutdown=true query parameter:


Replace DISCARD_LOCAL_SSD with true to discard the data in the Local SSD disks, or false to preserve the data.

Stop an instance from the guest OS

If a compute instance has Local SSD disks attached, then shutting down the guest OS automatically discards the Local SSD data. To preserve this data, manually copy the data to a persistent storage option before stopping the instance.

To stop an instance from the guest OS, select one of the following options:


  1. If you haven't already, then connect to the instance.

  2. To stop the instance, select one of the following methods:

    • For a clean shutdown that allows the instance to run shutdown scripts before shutting down the guest OS, run the following command:

      sudo shutdown -h now
    • Otherwise, to force a shutdown, run the following command:

      sudo poweroff


  1. If you haven't already, then connect to the instance using one of the following methods:

  2. To stop the instance, select one of the following methods:

    • To cleanly stop the instance and let the instance to run shutdown scripts before shutting down the guest OS, run the following command:

      shutdown /s
    • To force a shutdown, run the following command:

      shutdown /f

Restart an instance

You can restart a compute instance that has been fully stopped, which is when the instance state is TERMINATED.

If you chose to preserve the data of your Local SSD disks when stopping the instance, then you might need to remount the Local SSD disks after restarting it. For more information about how to mount Local SSD disks, see Format and mounting a Local SSD device.

To restart an instance, use one of the following methods based on whether the instance has encrypted disks attached:

Restart an instance without encrypted disks

You can restart multiple compute instances simultaneously or individual instances. For multiple instances, use the Google Cloud console or, for instances located in the same zone, the gcloud CLI. For individual instances, select any of the following options:


  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select one or more instances.

  3. Click Start / Resume.


To restart one or more instances in the same zone, use the gcloud compute instances start command:

gcloud compute instances start INSTANCE_NAMES \

Replace the following:

  • INSTANCE_NAMES: a list of instance names separated by spaces—for example, instance-01 instance-02 instance-03.

  • ZONE: the zone where the instances are located.


import (

	compute ""
	computepb ""

// startInstance starts a stopped Google Compute Engine instance (with unencrypted disks).
func startInstance(w io.Writer, projectID, zone, instanceName string) error {
	// projectID := "your_project_id"
	// zone := "europe-central2-b"
	// instanceName := "your_instance_name"

	ctx := context.Background()
	instancesClient, err := compute.NewInstancesRESTClient(ctx)
	if err != nil {
		return fmt.Errorf("NewInstancesRESTClient: %w", err)
	defer instancesClient.Close()

	req := &computepb.StartInstanceRequest{
		Project:  projectID,
		Zone:     zone,
		Instance: instanceName,

	op, err := instancesClient.Start(ctx, req)
	if err != nil {
		return fmt.Errorf("unable to start instance: %w", err)

	if err = op.Wait(ctx); err != nil {
		return fmt.Errorf("unable to wait for the operation: %w", err)

	fmt.Fprintf(w, "Instance started\n")

	return nil


import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class StartInstance {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(developer): Replace these variables before running the sample.
    /* project: project ID or project number of the Cloud project your instance belongs to.
       zone: name of the zone your instance belongs to.
       instanceName: name of the instance your want to start. */
    String project = "your-project-id";
    String zone = "zone-name";
    String instanceName = "instance-name";

    startInstance(project, zone, instanceName);

  // Starts a stopped Google Compute Engine instance (with unencrypted disks).
  public static void startInstance(String project, String zone, String instanceName)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    /* Initialize client that will be used to send requests. This client only needs to be created
       once, and can be reused for multiple requests. After completing all of your requests, call
       the `instancesClient.close()` method on the client to safely
       clean up any remaining background resources. */
    try (InstancesClient instancesClient = InstancesClient.create()) {

      // Create the request.
      StartInstanceRequest startInstanceRequest = StartInstanceRequest.newBuilder()

      OperationFuture<Operation, Operation> operation = instancesClient.startAsync(

      // Wait for the operation to complete.
      Operation response = operation.get(3, TimeUnit.MINUTES);

      if (response.getStatus() == Status.DONE) {
        System.out.println("Instance started successfully ! ");


 * TODO(developer): Uncomment and replace these variables before running the sample.
// const projectId = 'YOUR_PROJECT_ID';
// const zone = 'europe-central2-b'
// const instanceName = 'YOUR_INSTANCE_NAME'

const compute = require('@google-cloud/compute');

async function startInstance() {
  const instancesClient = new compute.InstancesClient();

  const [response] = await instancesClient.start({
    project: projectId,
    instance: instanceName,
  let operation = response.latestResponse;
  const operationsClient = new compute.ZoneOperationsClient();

  // Wait for the operation to complete.
  while (operation.status !== 'DONE') {
    [operation] = await operationsClient.wait({
      project: projectId,

  console.log('Instance started.');



use Google\Cloud\Compute\V1\Client\InstancesClient;
use Google\Cloud\Compute\V1\StartInstanceRequest;

 * Starts a stopped Google Compute Engine instance (with unencrypted disks).
 * @param string $projectId Project ID or project number of the Cloud project your instance belongs to.
 * @param string $zone Name of the zone your instance belongs to.
 * @param string $instanceName Name of the instance you want to stop.
 * @throws \Google\ApiCore\ApiException if the remote call fails.
 * @throws \Google\ApiCore\ValidationException if local error occurs before remote call.
function start_instance(
    string $projectId,
    string $zone,
    string $instanceName
) {
    // Start the Compute Engine instance using InstancesClient.
    $instancesClient = new InstancesClient();
    $request = (new StartInstanceRequest())
    $operation = $instancesClient->start($request);

    // Wait for the operation to complete.
    if ($operation->operationSucceeded()) {
        printf('Instance %s started successfully' . PHP_EOL, $instanceName);
    } else {
        $error = $operation->getError();
        printf('Failed to start instance: %s' . PHP_EOL, $error?->getMessage());


from __future__ import annotations

import sys
from typing import Any

from google.api_core.extended_operation import ExtendedOperation
from import compute_v1

def wait_for_extended_operation(
    operation: ExtendedOperation, verbose_name: str = "operation", timeout: int = 300
) -> Any:
    Waits for the extended (long-running) operation to complete.

    If the operation is successful, it will return its result.
    If the operation ends with an error, an exception will be raised.
    If there were any warnings during the execution of the operation
    they will be printed to sys.stderr.

        operation: a long-running operation you want to wait on.
        verbose_name: (optional) a more verbose name of the operation,
            used only during error and warning reporting.
        timeout: how long (in seconds) to wait for operation to finish.
            If None, wait indefinitely.

        Whatever the operation.result() returns.

        This method will raise the exception received from `operation.exception()`
        or RuntimeError if there is no exception set, but there is an `error_code`
        set for the `operation`.

        In case of an operation taking longer than `timeout` seconds to complete,
        a `concurrent.futures.TimeoutError` will be raised.
    result = operation.result(timeout=timeout)

    if operation.error_code:
            f"Error during {verbose_name}: [Code: {operation.error_code}]: {operation.error_message}",
        print(f"Operation ID: {}", file=sys.stderr, flush=True)
        raise operation.exception() or RuntimeError(operation.error_message)

    if operation.warnings:
        print(f"Warnings during {verbose_name}:\n", file=sys.stderr, flush=True)
        for warning in operation.warnings:
            print(f" - {warning.code}: {warning.message}", file=sys.stderr, flush=True)

    return result

def start_instance(project_id: str, zone: str, instance_name: str) -> None:
    Starts a stopped Google Compute Engine instance (with unencrypted disks).
        project_id: project ID or project number of the Cloud project your instance belongs to.
        zone: name of the zone your instance belongs to.
        instance_name: name of the instance your want to start.
    instance_client = compute_v1.InstancesClient()

    operation = instance_client.start(
        project=project_id, zone=zone, instance=instance_name

    wait_for_extended_operation(operation, "instance start")


To restart an instance, make a POST request to the instances.start method:


Replace the following:

  • INSTANCE_NAME: the name of the instance to restart.

  • PROJECT_ID: the ID of the project where the instance is located.

  • ZONE: the zone where the instance is located.

Restart an instance with encrypted disks

When you restart a stopped compute instance that has attached disks that were encrypted using customer-supplied encryption keys, you must supply the encryption key information.

You can restart multiple instances simultaneously or individual instances. For multiple instances, use the Google Cloud console or, for instances located in the same zone, the gcloud CLI. For individual instances, select any of the following options:


  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the instances to restart.

  3. Click Start / Resume.

  4. Specify encryption keys for each of the encrypted disks that are attached to the instances, and then click Start.


To restart one or more instances that use encrypted disks in the same zone, use the gcloud compute instances start command with the --csek-key-file flag. If you're using an RSA-wrapped key, then use the gcloud beta compute instances start command with the --csek-key-file flag instead:

gcloud compute instances start INSTANCE_NAMES \
    --csek-key-file=ENCRYPTION_KEY_FILE \

Replace the following:

  • INSTANCE_NAMES: a list of instance names separated by spaces—for example, instance-01 instance-02 instance-03.

  • ENCRYPTION_KEY_FILE: the relative path to the JSON file that contains the customer-supplied encryption key. You can only restart multiple instances simultaneously if the instances use the same customer-supplied encryption key.

  • ZONE: the zone where the instances are located.


import (

	compute ""
	computepb ""

// startInstanceWithEncKey starts a stopped Google Compute Engine instance (with encrypted disks).
func startInstanceWithEncKey(w io.Writer, projectID, zone, instanceName, key string) error {
	// projectID := "your_project_id"
	// zone := "europe-central2-b"
	// instanceName := "your_instance_name"
	// key := "your_encryption_key"

	ctx := context.Background()
	instancesClient, err := compute.NewInstancesRESTClient(ctx)
	if err != nil {
		return fmt.Errorf("NewInstancesRESTClient: %w", err)
	defer instancesClient.Close()

	instanceReq := &computepb.GetInstanceRequest{
		Project:  projectID,
		Zone:     zone,
		Instance: instanceName,

	instance, err := instancesClient.Get(ctx, instanceReq)
	if err != nil {
		return fmt.Errorf("unable to get instance: %w", err)

	req := &computepb.StartWithEncryptionKeyInstanceRequest{
		Project:  projectID,
		Zone:     zone,
		Instance: instanceName,
		InstancesStartWithEncryptionKeyRequestResource: &computepb.InstancesStartWithEncryptionKeyRequest{
			Disks: []*computepb.CustomerEncryptionKeyProtectedDisk{
					Source: proto.String(instance.GetDisks()[0].GetSource()),
					DiskEncryptionKey: &computepb.CustomerEncryptionKey{
						RawKey: proto.String(key),

	op, err := instancesClient.StartWithEncryptionKey(ctx, req)
	if err != nil {
		return fmt.Errorf("unable to start instance with encryption key: %w", err)

	if err = op.Wait(ctx); err != nil {
		return fmt.Errorf("unable to wait for the operation: %w", err)

	fmt.Fprintf(w, "Instance with encryption key started\n")

	return nil


import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class StartEncryptedInstance {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(developer): Replace these variables before running the sample.
    /* project: project ID or project number of the Cloud project your instance belongs to.
       zone: name of the zone your instance belongs to.
       instanceName: name of the instance your want to start.
       key: bytes object representing a raw base64 encoded key to your machines boot disk.
            For more information about disk encryption see:
    String project = "your-project-id";
    String zone = "zone-name";
    String instanceName = "instance-name";
    String key = "raw-key";

    startEncryptedInstance(project, zone, instanceName, key);

  // Starts a stopped Google Compute Engine instance (with encrypted disks).
  public static void startEncryptedInstance(String project, String zone, String instanceName,
      String key)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    /* Initialize client that will be used to send requests. This client only needs to be created
       once, and can be reused for multiple requests. After completing all of your requests, call
       the `instancesClient.close()` method on the client to safely
       clean up any remaining background resources. */
    try (InstancesClient instancesClient = InstancesClient.create()) {

      GetInstanceRequest getInstanceRequest = GetInstanceRequest.newBuilder()

      Instance instance = instancesClient.get(getInstanceRequest);

      // Prepare the information about disk encryption.
      CustomerEncryptionKeyProtectedDisk protectedDisk = CustomerEncryptionKeyProtectedDisk
          /* Use raw_key to send over the key to unlock the disk
             To use a key stored in KMS, you need to provide:
             `kms_key_name` and `kms_key_service_account`

      InstancesStartWithEncryptionKeyRequest startWithEncryptionKeyRequest =

      StartWithEncryptionKeyInstanceRequest encryptionKeyInstanceRequest =

      OperationFuture<Operation, Operation> operation = instancesClient.startWithEncryptionKeyAsync(
      Operation response = operation.get(3, TimeUnit.MINUTES);

      if (response.getStatus() == Status.DONE) {
        System.out.println("Encrypted instance started successfully ! ");



 * TODO(developer): Uncomment and replace these variables before running the sample.
// const projectId = 'YOUR_PROJECT_ID';
// const zone = 'europe-central2-b'
// const instanceName = 'YOUR_INSTANCE_NAME'
// const key = 'YOUR_KEY_STRING'

const compute = require('@google-cloud/compute');

async function startInstanceWithEncryptionKey() {
  const instancesClient = new compute.InstancesClient();

  const [instance] = await instancesClient.get({
    project: projectId,
    instance: instanceName,

  const [response] = await instancesClient.startWithEncryptionKey({
    project: projectId,
    instance: instanceName,
    instancesStartWithEncryptionKeyRequestResource: {
      disks: [
          source: instance.disks[0].source,
          diskEncryptionKey: {
            rawKey: key,
  let operation = response.latestResponse;
  const operationsClient = new compute.ZoneOperationsClient();

  // Wait for the operation to complete.
  while (operation.status !== 'DONE') {
    [operation] = await operationsClient.wait({
      project: projectId,

  console.log('Instance with encryption key started.');



use Google\Cloud\Compute\V1\Client\InstancesClient;
use Google\Cloud\Compute\V1\CustomerEncryptionKey;
use Google\Cloud\Compute\V1\CustomerEncryptionKeyProtectedDisk;
use Google\Cloud\Compute\V1\GetInstanceRequest;
use Google\Cloud\Compute\V1\InstancesStartWithEncryptionKeyRequest;
use Google\Cloud\Compute\V1\StartWithEncryptionKeyInstanceRequest;

 * Starts a stopped Google Compute Engine instance (with encrypted disks).
 * @param string $projectId Project ID or project number of the Cloud project your instance belongs to.
 * @param string $zone Name of the zone your instance belongs to.
 * @param string $instanceName Name of the instance you want to stop.
 * @param string $key Bytes object representing a raw base64 encoded key to your instance's boot disk.
 *                    For more information about disk encryption see:
 * @throws \Google\ApiCore\ApiException if the remote call fails.
 * @throws \Google\ApiCore\ValidationException if local error occurs before remote call.
function start_instance_with_encryption_key(
    string $projectId,
    string $zone,
    string $instanceName,
    string $key
) {
    // Initiate the InstancesClient.
    $instancesClient = new InstancesClient();

    // Get data about the instance.
    $request = (new GetInstanceRequest())
    $instanceData = $instancesClient->get($request);

    // Use `setRawKey` to send over the key to unlock the disk
    // To use a key stored in KMS, you need to use `setKmsKeyName` and `setKmsKeyServiceAccount`
    $customerEncryptionKey = (new CustomerEncryptionKey())

    /** @var \Google\Cloud\Compute\V1\AttachedDisk */
    $disk = $instanceData->getDisks()[0];

    // Prepare the information about disk encryption.
    $diskData = (new CustomerEncryptionKeyProtectedDisk())

    // Set request with one disk.
    $instancesStartWithEncryptionKeyRequest = (new InstancesStartWithEncryptionKeyRequest())

    // Start the instance with encrypted disk.
    $request2 = (new StartWithEncryptionKeyInstanceRequest())
    $operation = $instancesClient->startWithEncryptionKey($request2);

    // Wait for the operation to complete.
    if ($operation->operationSucceeded()) {
        printf('Instance %s started successfully' . PHP_EOL, $instanceName);
    } else {
        $error = $operation->getError();
        printf('Starting instance failed: %s' . PHP_EOL, $error?->getMessage());


from __future__ import annotations

import sys
from typing import Any

from google.api_core.extended_operation import ExtendedOperation
from import compute_v1

def wait_for_extended_operation(
    operation: ExtendedOperation, verbose_name: str = "operation", timeout: int = 300
) -> Any:
    Waits for the extended (long-running) operation to complete.

    If the operation is successful, it will return its result.
    If the operation ends with an error, an exception will be raised.
    If there were any warnings during the execution of the operation
    they will be printed to sys.stderr.

        operation: a long-running operation you want to wait on.
        verbose_name: (optional) a more verbose name of the operation,
            used only during error and warning reporting.
        timeout: how long (in seconds) to wait for operation to finish.
            If None, wait indefinitely.

        Whatever the operation.result() returns.

        This method will raise the exception received from `operation.exception()`
        or RuntimeError if there is no exception set, but there is an `error_code`
        set for the `operation`.

        In case of an operation taking longer than `timeout` seconds to complete,
        a `concurrent.futures.TimeoutError` will be raised.
    result = operation.result(timeout=timeout)

    if operation.error_code:
            f"Error during {verbose_name}: [Code: {operation.error_code}]: {operation.error_message}",
        print(f"Operation ID: {}", file=sys.stderr, flush=True)
        raise operation.exception() or RuntimeError(operation.error_message)

    if operation.warnings:
        print(f"Warnings during {verbose_name}:\n", file=sys.stderr, flush=True)
        for warning in operation.warnings:
            print(f" - {warning.code}: {warning.message}", file=sys.stderr, flush=True)

    return result

def start_instance_with_encryption_key(
    project_id: str, zone: str, instance_name: str, key: bytes
) -> None:
    Starts a stopped Google Compute Engine instance (with encrypted disks).
        project_id: project ID or project number of the Cloud project your instance belongs to.
        zone: name of the zone your instance belongs to.
        instance_name: name of the instance your want to start.
        key: bytes object representing a raw base64 encoded key to your machines boot disk.
            For more information about disk encryption see:
    instance_client = compute_v1.InstancesClient()

    instance_data = instance_client.get(
        project=project_id, zone=zone, instance=instance_name

    # Prepare the information about disk encryption
    disk_data = compute_v1.CustomerEncryptionKeyProtectedDisk()
    disk_data.source = instance_data.disks[0].source
    disk_data.disk_encryption_key = compute_v1.CustomerEncryptionKey()
    # Use raw_key to send over the key to unlock the disk
    # To use a key stored in KMS, you need to provide `kms_key_name` and `kms_key_service_account`
    disk_data.disk_encryption_key.raw_key = key
    enc_data = compute_v1.InstancesStartWithEncryptionKeyRequest()
    enc_data.disks = [disk_data]

    operation = instance_client.start_with_encryption_key(

    wait_for_extended_operation(operation, "instance start (with encrypted disk)")


To restart an instance that uses encrypted disks, make a POST request to the instances.startWithEncryptionKey method:


  "disks": [
      "source": "DISK_URL",
      "diskEncryptionKey": {

Replace the following:

  • PROJECT_ID: the ID of the project where the instance is located.

  • ZONE: the zone where the instance is located.

  • INSTANCE_NAME: the name of the instance.

  • DISK_URL: the resource URL corresponding to the full resource name of the attached disk that is encrypted with a customer-supplied encryption key.

  • ENCRYPTION_TYPE: the type of disk encryption that you're using, which can be one of the following: rawKey, kmsKeyName, or rsaEncryptedKey. If you use the rsaEncryptedKey type, then make a POST request to the beta.instances.startWithEncryptionKey method.

  • ENCRYPTION_KEY: the encryption key used to encrypt the persistent disks attached to the instance. rawKey or rsaEncryptedKey keys must be base64-encoded. Additionally, to prepare a rsaEncryptedKey key, see RSA key wrapping.

What's next