Choosing an encryption option
Google Cloud Platform encrypts customer data stored at rest by default, with no additional
action required from you. We offer a continuum of encryption key management options to meet
your needs. This page helps you identify the solutions that best fit your requirements for key
generation, storage, and rotation, whether you are choosing for your storage, compute, or big
data workloads. Encryption should be used as one piece of a broader data security strategy.
Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is
encrypted at the storage level with an individual encryption key. The key used to encrypt the data
in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google,
and the need for low latency and high availability, these keys are stored near the data that they
encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). Customers
can choose which key management solution they prefer for managing the KEKs that protect
the DEKs that protect their data.