Secret Manager always encrypts your secret data before it is persisted to
disk. This page discusses the default encryption that Secret Manager
performs. To learn more about Google Cloud encryption options, refer to
Encryption at rest.
Secret Manager manages server-side encryption keys on your behalf using
the same hardened key management systems that we use for our own encrypted data,
including strict key access controls and auditing. Secret Manager
encrypts user data at rest using AES-256. There is no setup or
configuration required, no need to modify the way you access the service, and no
visible performance impact. Your secret data is automatically and transparently
decrypted when accessed by an authorized user.
The Secret Manager API always communicates over a secure HTTP(S) connection.
Customer-managed encryption keys (CMEK)
Customer-managed encryption keys (CMEK) refers to the ability to control and
manage the encryption keys used to protect data related to a Google Cloud
service.
See CMEK documentation for details on how to configure and use customer-managed encryption keys.
Last updated 2025-09-04 UTC.