Artifact Registry is the recommended service for managing container images. Container Registry is still supported but will only receive critical security fixes. Learn about transitioning to Artifact Registry.

Using customer-managed encryption keys

Container Registry stores container images in Cloud Storage. Cloud Storage always encrypts your data on the server side.

If you have compliance or regulatory requirements, you can encrypt your container images using customer-managed encryption keys (CMEK). CMEK keys are managed in Cloud Key Management Service. When you use CMEK, you can temporarily or permanently disable access to an encrypted container image by disabling or destroying the key.

Container Registry is not directly integrated with Cloud KMS. Instead, it is CMEK-compliant when you store your container images in storage buckets configured to use CMEK.

  1. If you have not done so, push an image to Container Registry. The storage bucket does not use a CMEK key yet.

  2. In Cloud Storage, configure the storage bucket to use the CMEK key.

What's next?