Encryption of secrets

Secret Manager always encrypts your secret data before it is persisted to disk. This page discusses the default encryption that Secret Manager performs. To learn more about Google Cloud encryption options, refer to Encryption at rest.

Secret Manager manages server-side encryption keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Secret Manager encrypts user data at rest using AES-256. There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Your secret data is automatically and transparently decrypted when accessed by an authorized user.

The Secret Manager API always communicates over a secure HTTP(s) connection.

Customer-managed encryption keys (CMEK)

Customer-managed encryption keys (CMEK) refers to the ability to control and manage the encryption keys used to protect data related to a Google Cloud service.

CMEK is not currently available for Secret Manager. If your organization is interested in CMEK support for Secret Manager, you can express interest by filling out a form.