
Using customer-managed encryption keys

Container Registry stores container images in Cloud Storage. Cloud Storage always encrypts your data on the server side.

If you have compliance or regulatory requirements, you can encrypt your container images using customer-managed encryption keys (CMEK). CMEK keys are managed in Cloud Key Management Service. When you use CMEK, you can temporarily or permanently disable access to an encrypted container image by disabling or destroying the key.

Container Registry is not directly integrated with Cloud KMS. Instead, it is CMEK-compliant when you store your container images in storage buckets configured to use CMEK.

  1. If you have not done so, push an image to Container Registry. The storage bucket does not use a CMEK key yet.

  2. In Cloud Storage, configure the storage bucket to use the CMEK key.
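The two steps above as a script, added here as an example and not taken from the Container Registry documentation. It assumes the usual host-to-bucket naming for Container Registry and the `gsutil kms` commands; the function names, project ID and key name are placeholders, and commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: project, key and host values passed in are placeholders.

# Map a Container Registry host to the Cloud Storage bucket behind it.
#   gcr.io               -> artifacts.PROJECT.appspot.com
#   us|eu|asia.gcr.io    -> REGION.artifacts.PROJECT.appspot.com
# Domain-scoped project IDs (example.com:project) are not handled here.
cr_bucket() {
  host=$1 project=$2
  case $host in
    gcr.io) printf '%s\n' "artifacts.${project}.appspot.com" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
      printf '%s\n' "${host%%.gcr.io}.artifacts.${project}.appspot.com" ;;
    *) echo "unknown registry host: $host" >&2; return 1 ;;
  esac
}

# Print each command by default; set DRY_RUN=0 to execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Usage: cmek_enable HOST PROJECT KMS_KEY_RESOURCE_NAME
# The key must live in the same location as the bucket (e.g. "us" for gcr.io).
cmek_enable() {
  host=$1 project=$2 key=$3
  case $key in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) ;;
    *) echo "key must be a full Cloud KMS resource name" >&2; return 1 ;;
  esac
  bucket=$(cr_bucket "$host" "$project") || return 1
  # Allow the project's Cloud Storage service agent to use the key.
  run gsutil kms authorize -p "$project" -k "$key"
  # Set the bucket default key; it applies to objects written from now on.
  run gsutil kms encryption -k "$key" "gs://$bucket"
  # Layers pushed in step 1 keep Google-managed encryption until rewritten.
  run gsutil -o "GSUtil:encryption_key=$key" rewrite -k -r "gs://$bucket"
  # Print the bucket's default key to confirm the setting.
  run gsutil kms encryption "gs://$bucket"
}
```

Review the printed commands first, then rerun with `DRY_RUN=0` from a shell that is authenticated to the project.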
