Stay organized with collections
Save and categorize content based on your preferences.
Database Migration Service protects your data during and after migration. The following
security and encryption features ensure the safety of your migration:
Customer-managed encryption keys (CMEK) encrypt data at rest.
Encryption methods, such as SSL/TLS certificates and
Private Service Connect, secure network connections between the
source and destination databases.
Identity and Access Management (IAM) practices ensure access control.
Homogeneous and heterogeneous migrations have different security options. For
homogeneous migrations, destination databases support CMEK natively while
heterogeneous migrations require Database Migration Service to additionally encrypt
data at rest during conversion to a temporary database.
Learn more in the sections that follow:
Secure homogeneous migrations
Select your homogeneous migration scenario to view security and encryption
options that your migration supports:
MySQL to Cloud SQL for MySQL
CMEK
You can migrate to Cloud SQL destinations where you configure CMEK to secure your data.
For more information, see
Use customer-managed encryption keys (CMEK)
in the Cloud SQL documentation.
Secure network connectivity
Database Migration Service supports SSL/TLS connectivity for your migration.
You can upload your own encryption certificates when you create the source
connection profile. For more information, see
Create a source connection profile.
IAM
With IAM, you can control access to your migration resources.
For more information, see
IAM authentication.
PostgreSQL to Cloud SQL for PostgreSQL
CMEK
You can migrate to Cloud SQL destinations where you configure CMEK to secure your data.
For more information, see
Use customer-managed encryption keys (CMEK) in the Cloud SQL documentation.
Secure network connectivity
Database Migration Service supports SSL/TLS connectivity for your migration.
You can upload your own encryption certificates when you create the source connection profile.
For more information, see
Create a source connection profile.
IAM
With IAM, you can control access to your migration resources. For more information see
IAM authentication.
PostgreSQL to AlloyDB for PostgreSQL
CMEK
You can migrate to AlloyDB destinations where you configure CMEK to secure your data. For more information, see
About CMEK in the AlloyDB documentation.
Secure network connectivity
Database Migration Service supports SSL/TLS connectivity for your migration.
You can upload your own encryption certificates when you create the source connection profile.
For more information, see
Create a source connection profile.
IAM
With IAM, you can control access to your migration resources. For more information, see
Manage IAM authentication.
SQL Server to Cloud SQL for SQL Server
CMEK
You can migrate to Cloud SQL destinations where you configure CMEK to secure your data.
For more information, see
Use customer-managed encryption keys (CMEK)
in the Cloud SQL documentation.
Database Migration Service supports SSL/TLS connectivity for your migration as well
as other methods that accommodate differences in network access, such as IP
allowlisting or using a forward SSH tunnel. For more information, see
Create connection profiles.
IAM
With IAM, you can control access to your migration resources. For more information, see
Access control with IAM.
Database Migration Service supports SSL/TLS connectivity for your migration as well
as other methods that accommodate differences in network access, such as IP
allowlisting or using a forward SSH tunnel. For more information, see
Create connection profiles.
IAM
With IAM, you can control access to your migration resources. For more information, see
Access control with IAM.
Database Migration Service supports SSL/TLS connectivity for your migration as well
as other methods that accommodate differences in network access, such as IP
allowlisting or using a forward SSH tunnel. For more information, see
Use SSL/TLS certificates to encrypt network connections.
IAM
With IAM, you can control access to your migration resources. For more information, see
Access control with IAM.
Database Migration Service supports SSL/TLS connectivity for your migration as well
as other methods that accommodate differences in network access, such as IP
allowlisting or using a forward SSH tunnel. For more information, see
Use SSL/TLS certificates to encrypt network connections.
IAM
With IAM, you can control access to your migration resources. For more information, see
Access control with IAM.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["# Security and encryption\n\nDatabase Migration Service protects your data during and after migration. The following\nsecurity and encryption features ensure the safety of your migration:\n\n- Customer-managed encryption keys (CMEK) encrypt data at rest.\n- Encryption methods, such as SSL/TLS certificates and Private Service Connect, secure network connections between the source and destination databases.\n- Identity and Access Management (IAM) practices ensure access control.\n\nHomogeneous and heterogeneous migrations have different security options. For\nhomogeneous migrations, destination databases support CMEK natively while\nheterogeneous migrations require Database Migration Service to additionally encrypt\ndata at rest during conversion to a temporary database.\n\nLearn more in the sections that follow:\n\nSecure homogeneous migrations\n-----------------------------\n\nSelect your homogeneous migration scenario to view security and encryption\noptions that your migration supports: \n\n### MySQL to Cloud SQL for MySQL\n\n**CMEK**\n\nYou can migrate to Cloud SQL destinations where you configure CMEK to secure your data.\nFor more information, see\n[Use customer-managed encryption keys (CMEK)](/sql/docs/mysql/configure-cmek)\nin the Cloud SQL documentation.\n\n**Secure network connectivity**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration.\nYou can upload your own encryption certificates when you create the source\nconnection profile. For more information, see\n[Create a source connection profile](/database-migration/docs/mysql/create-source-connection-profile).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources.\nFor more information, see\n[IAM authentication](/sql/docs/mysql/iam-authentication). \n\n### PostgreSQL to Cloud SQL for PostgreSQL\n\n**CMEK**\n\nYou can migrate to Cloud SQL destinations where you configure CMEK to secure your data.\nFor more information, see\n[Use customer-managed encryption keys (CMEK)](/sql/docs/postgres/configure-cmek) in the Cloud SQL documentation.\n\n**Secure network connectivity**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration.\nYou can upload your own encryption certificates when you create the source connection profile.\nFor more information, see\n[Create a source connection profile](/database-migration/docs/postgres/create-source-connection-profile).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information see\n[IAM authentication](/sql/docs/postgres/iam-authentication). \n\n### PostgreSQL to AlloyDB for PostgreSQL\n\n**CMEK**\n\nYou can migrate to AlloyDB destinations where you configure CMEK to secure your data. For more information, see\n[About CMEK](/alloydb/docs/cmek) in the AlloyDB documentation.\n\n**Secure network connectivity**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration.\nYou can upload your own encryption certificates when you create the source connection profile.\nFor more information, see\n[Create a source connection profile](/database-migration/docs/postgresql-to-alloydb/create-source-connection-profile).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information, see\n[Manage IAM authentication](/alloydb/docs/manage-iam-authn). \n\n### SQL Server to Cloud SQL for SQL Server\n\n**CMEK**\n\nYou can migrate to Cloud SQL destinations where you configure CMEK to secure your data.\nFor more information, see\n[Use customer-managed encryption keys (CMEK)](/sql/docs/sqlserver/configure-cmek)\nin the Cloud SQL documentation.\n\n**Migrate encrypted databases**\n\nDatabase Migration Service supports migrating encrypted columns. For more information, see\n[Use encrypted SQL Server backup files](/database-migration/docs/sqlserver/backup-file-encryption).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information, see\n[IAM authentication](/sql/docs/sqlserver/iam-authentication)\n\nSecure heterogeneous migrations\n-------------------------------\n\nSelect your heterogeneous migration scenario to view security and encryption options that your migration supports: \n\n### Oracle to Cloud SQL for PostgreSQL\n\n**CMEK**\n\nDatabase Migration Service supports CMEK in the migration job to secure the data at rest.\nFor more information, see\n[Use customer-managed encryption keys (CMEK) for continuous migrations](/database-migration/docs/oracle-to-postgresql/cmek-for-migration-jobs).\n\n**Connectivity encryption**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration as well\nas other methods that accommodate differences in network access, such as IP\nallowlisting or using a forward SSH tunnel. For more information, see\n[Create connection profiles](/database-migration/docs/oracle-to-postgresql/create-connection-profiles).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information, see\n[Access control with IAM](/database-migration/docs/oracle-to-postgresql/access-control). \n\n### Oracle to AlloyDB for PostgreSQL\n\n**CMEK**\n\nDatabase Migration Service supports CMEK in the migration job to secure the data at rest.\nFor more information, see\n[Use customer-managed encryption keys (CMEK) for continuous migrations](/database-migration/docs/oracle-to-alloydb/cmek-for-migration-jobs).\n\n**Connectivity encryption**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration as well\nas other methods that accommodate differences in network access, such as IP\nallowlisting or using a forward SSH tunnel. For more information, see\n[Create connection profiles](/database-migration/docs/oracle-to-alloydb/create-connection-profiles).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information, see\n[Access control with IAM](/database-migration/docs/oracle-to-alloydb/access-control). \n\n### SQL Server to Cloud SQL for PostgreSQL\n\n**CMEK**\n\nDatabase Migration Service supports CMEK in the migration job to secure the data at rest.\nFor more information, see\n[Use customer-managed encryption keys (CMEK) for continuous migrations](/database-migration/docs/sqlserver-to-csql-pgsql/cmek-for-migration-jobs).\n\n**Connectivity encryption**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration as well\nas other methods that accommodate differences in network access, such as IP\nallowlisting or using a forward SSH tunnel. For more information, see\n[Use SSL/TLS certificates to encrypt network connections](/database-migration/docs/sqlserver-to-csql-pgsql/encrypt-connections-with-certificates).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information, see\n[Access control with IAM](/database-migration/docs/sqlserver-to-csql-pgsql/access-control). \n\n### SQL Server to AlloyDB for PostgreSQL\n\n**CMEK**\n\nDatabase Migration Service supports CMEK in the migration job to secure the data at rest.\nFor more information, see\n[Use customer-managed encryption keys (CMEK) for continuous migrations](/database-migration/docs/sqlserver-to-alloydb/cmek-for-migration-jobs).\n\n**Connectivity encryption**\n\nDatabase Migration Service supports SSL/TLS connectivity for your migration as well\nas other methods that accommodate differences in network access, such as IP\nallowlisting or using a forward SSH tunnel. For more information, see\n[Use SSL/TLS certificates to encrypt network connections](/database-migration/docs/sqlserver-to-alloydb/encrypt-connections-with-certificates).\n\n**IAM**\n\nWith IAM, you can control access to your migration resources. For more information, see\n[Access control with IAM](/database-migration/docs/sqlserver-to-alloydb/access-control)."]]