Granularity of encryption for Google Cloud services

Each Google Cloud service splits data at a different level of granularity for encryption. This document describes, for each service, the granularity at which customer content is encrypted. Customer content is data that you generate yourself or provide to us, like data stored in Cloud Storage, disk snapshots used by Compute Engine, and IAM policies. Customer content doesn't include customer metadata, such as resource names. In some services, all metadata is encrypted with a single DEK.

| Type | Google Cloud service | Granularity of customer data encryption (size of data encrypted with a single DEK) |
|---|---|---|
| Storage | Bigtable | For each data chunk (several for each table) |
| Storage | Datastore | For each data chunk (not unique to a single customer) |
| Storage | Firestore | For each data chunk (not unique to a single customer) |
| Storage | Spanner | For each data chunk (several for each table) |
| Storage | Cloud SQL | Second generation: for each instance, as in Google Compute Engine (each instance could contain multiple databases). First generation: for each instance |
| Storage | Cloud Storage | For each data chunk (typically 256 KB to 8 MB) |
| Compute | App Engine | For each data chunk (not unique to a single customer). App Engine includes application code and application settings. Data used in App Engine is stored in Datastore, Cloud SQL, or Cloud Storage depending on customer configurations. |
| Compute | Cloud Functions | For each data chunk (not unique to a single customer). Cloud Functions includes function code, settings, and event data. Event data is stored in Pub/Sub. |
| Compute | Compute Engine | Several for each disk; for each snapshot group, with individual snapshot ranges derived from the snapshot group master key; for each image |
| Compute | Google Kubernetes Engine on Google Cloud | Several for each disk, like Compute Engine |
| Compute | Artifact Registry | Stored in Cloud Storage, for each data chunk |
| Data analysis | BigQuery | One or more for each table |
| Data analysis | Dataflow | Stored in Cloud Storage, for each data chunk |
| Data analysis | Dataproc | Stored in Cloud Storage, for each data chunk |
| Data analysis | Pub/Sub | Rotated every 30 days (not unique to a single customer) |
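The per-chunk granularity in the table (for example Cloud Storage's 256 KB to 8 MB chunks) means a single DEK never covers more than one chunk, so a leaked key exposes only that chunk. The following Go example, added here and not Google's code, illustrates that property; it assumes AES-256-GCM as the chunk cipher and omits wrapping each DEK with a key-encryption key, which a real system would do before storing it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Chunk is one piece of data sealed under its own DEK (DEK wrapping omitted).
type Chunk struct{ DEK, Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptChunked seals each chunkSize piece of data under a fresh random AES-256 DEK.
func EncryptChunked(data []byte, chunkSize int) ([]Chunk, error) {
	var chunks []Chunk
	for len(data) > 0 {
		n := chunkSize
		if n <= 0 || n > len(data) { // a non-positive chunkSize means one chunk
			n = len(data)
		}
		buf := make([]byte, 44) // 32-byte DEK followed by a 12-byte GCM nonce
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		gcm, err := newGCM(buf[:32])
		if err != nil {
			return nil, err
		}
		chunks = append(chunks, Chunk{buf[:32], buf[32:], gcm.Seal(nil, buf[32:], data[:n], nil)})
		data = data[n:]
	}
	return chunks, nil
}

// DecryptChunk opens a chunk; a DEK from another chunk fails GCM authentication.
func DecryptChunk(c Chunk, dek []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, c.Nonce, c.Ciphertext, nil)
}
```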

What's next

Read more about default encryption at rest.