Firestore in Datastore mode automatically encrypts all data before it is written to disk. There is no setup or configuration required and no need to modify the way you access the service. The data is automatically and transparently decrypted when read by an authorized user.
With server-side encryption, Google manages the cryptographic keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Each Datastore mode object's data and metadata is encrypted under the Advanced Encryption Standard (AES), and each encryption key is itself encrypted with a regularly rotated set of master keys.
Server-side encryption can be used in combination with client-side encryption. In client-side encryption, you manage your own encryption keys and encrypt data before writing it to your database. In this case, your data is encrypted twice, once with your keys and once with Google's keys.
To protect your data as it travels over the Internet during read and write operations, we use Transport Layer Security (TLS).
For more information about encryption at rest for Firestore in Datastore mode and other Google Cloud Platform products, see Encryption at Rest in Google Cloud Platform.