Server-Side Encryption

Firestore in Datastore mode automatically encrypts all data before it is written to disk. There is no setup or configuration required and no need to modify the way you access the service. The data is automatically and transparently decrypted when read by an authorized user.

Key management

With server-side encryption, you can either let Google manage cryptographic keys on your behalf or use customer-managed encryption keys (CMEK) to manage the keys yourself.

By default, Google manages cryptographic keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Each Datastore mode object's data and metadata is encrypted and each encryption key is itself encrypted with a regularly rotated set of master keys.

For information about managing the keys yourself, see CMEK for Datastore (Preview).

Client-side encryption

Server-side encryption can be used in combination with client-side encryption. In client-side encryption, you manage your own encryption keys and encrypt data before writing it to your database, so the service only ever receives ciphertext. In this case, your data is encrypted twice, once with your keys and once with the server-side keys. Because the service cannot see the plaintext of a client-encrypted property, it cannot filter or sort on that property's value, and if you lose your key the data is unrecoverable; plan queries and key backup accordingly.
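As an added example (this is not code from the Datastore documentation or from the Google client libraries), the following Go program shows property-level client-side encryption with AES-256-GCM from the standard library. The entity key "Customer/cust-42", the property name "ssn" and the plaintext are constructed sample values, and the map that stands in for the entity, as well as the function names, are this example's own. The sealed blob is what you would assign to the property before handing the entity to the client library; the server then encrypts that blob again at rest.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Each sealed property value is stored as nonce || ciphertext || GCM tag in a
// []byte property, so Datastore never receives the plaintext.

// NewKey returns a fresh 256-bit data key. This key is yours to manage (for
// example wrapped by a KMS); it must never be stored alongside the entity.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// aead builds the AES-GCM instance for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// bindingAAD ties a ciphertext to the entity key and property name it was
// written for, so a blob copied into another entity or property fails to
// authenticate on decrypt.
func bindingAAD(entityKey, propName string) []byte {
	return []byte(entityKey + "\x00" + propName)
}

// EncryptProperty seals plaintext under key for the given entity/property.
func EncryptProperty(key []byte, entityKey, propName string, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // 12 random bytes; never reused under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prefix the nonce so the stored blob is self-describing.
	return g.Seal(nonce, nonce, plaintext, bindingAAD(entityKey, propName)), nil
}

// DecryptProperty opens a blob produced by EncryptProperty. It fails on a
// truncated blob, a wrong key, a modified ciphertext, or a blob that was
// sealed for a different entity or property.
func DecryptProperty(key []byte, entityKey, propName string, sealed []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:g.NonceSize()], sealed[g.NonceSize():]
	return g.Open(nil, nonce, ct, bindingAAD(entityKey, propName))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample entity: kind Customer, name cust-42, sensitive property ssn.
	entity := map[string][]byte{}
	sealed, err := EncryptProperty(key, "Customer/cust-42", "ssn", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	entity["ssn"] = sealed // this blob, not the plaintext, is what gets written

	pt, err := DecryptProperty(key, "Customer/cust-42", "ssn", entity["ssn"])
	fmt.Printf("decrypted: %s, err: %v\n", pt, err)

	// The same blob attached to another entity does not authenticate.
	_, err = DecryptProperty(key, "Customer/cust-43", "ssn", entity["ssn"])
	fmt.Println("moved blob:", err)
}
```

The additional authenticated data is the important design choice: without it, GCM would happily decrypt a ciphertext that an attacker with write access had copied from one customer's record into another's. The random 96-bit nonce is safe for the number of writes a single data key should see; rotate the data key (or derive a per-entity key from a KMS-held root) rather than relying on one key forever.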

To protect your data as it travels over the Internet during read and write operations, we use Transport Layer Security (TLS). For more information about the supported TLS versions, see Encryption in transit in Google Cloud.

What's next

For more information about encryption at rest for Firestore in Datastore mode and other Google Cloud products, see Encryption at Rest in Google Cloud.