Using customer-managed encryption keys

Container Registry stores container images in Cloud Storage. Cloud Storage always encrypts your data on the server side. You can also generate and manage customer-managed encryption keys using Cloud Key Management Service. These encryption keys act as an additional encryption layer on top of the standard Cloud Storage encryption.

To use a Cloud Key Management Service encryption key with Container Registry, you assign the key to the Cloud Storage service account and then set the key as the default key for the Container Registry storage bucket.

  1. Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.

  2. Follow the Cloud Storage instructions for using customer-managed encryption keys with the storage bucket.
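
The two steps above as gsutil commands, in an added example that is not part of the original page: the script derives the registry's storage bucket from the registry host and prints the commands rather than running them. The bucket naming (artifacts.PROJECT-ID.appspot.com, with a us, eu or asia prefix for the regional hosts) is Container Registry's documented convention and is assumed here; the project, location, key ring and key names are placeholders.

```bash
#!/bin/sh
# Added example, not from the original page. Prints the gsutil commands for
# the procedure above; it does not run them. Sample values are placeholders.

# Map a registry host to its backing bucket (Container Registry naming
# convention; assumed here, not stated on this page).
gcr_bucket() {  # $1 = registry host, $2 = project ID
  case "$1" in
    gcr.io) echo "artifacts.$2.appspot.com" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io) echo "${1%%.*}.artifacts.$2.appspot.com" ;;
    *) echo "unknown registry host: $1" >&2; return 1 ;;
  esac
}

# Accept only a CryptoKey resource name. A key *version* is rejected because
# a bucket default key must name the key itself.
valid_key() {  # $1 = Cloud KMS resource name
  case "$1" in
    */cryptoKeyVersions/*) return 1 ;;
    projects/?*/locations/?*/keyRings/?*/cryptoKeys/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the commands: authorize the project's Cloud Storage service account
# on the key, set the key as the bucket default, then read the setting back.
# Cloud Storage requires the key's location to match the bucket's location.
cmek_plan() {  # $1 = registry host, $2 = project ID, $3 = key resource name
  plan_bucket=$(gcr_bucket "$1" "$2") || return 1
  valid_key "$3" || { echo "not a CryptoKey resource name: $3" >&2; return 1; }
  printf 'gsutil kms authorize -p %s -k %s\n' "$2" "$3"
  printf 'gsutil kms encryption -k %s gs://%s\n' "$3" "$plan_bucket"
  printf 'gsutil kms encryption gs://%s\n' "$plan_bucket"
}

# Placeholder project, location, key ring and key names.
cmek_plan eu.gcr.io my-project \
  projects/my-project/locations/LOCATION/keyRings/my-ring/cryptoKeys/gcr-key
```

A bucket's default key applies only to objects written after it is set, so the image pushed in step 1 keeps its earlier encryption until its objects are rewritten.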