Encryption at rest by default, with various key management options


Choosing an encryption option

Google Cloud Platform encrypts customer data stored at rest by default, with no additional action required from you. We offer a continuum of encryption key management options to meet your needs. This page helps you identify the solution that best fits your requirements for key generation, storage, and rotation, whether you are choosing for storage, compute, or big data workloads. Encryption at rest protects data on the storage media; it should be one piece of a broader data security strategy rather than the whole of it.

Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with its own encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, DEKs are stored near the data they encrypt. Each DEK is in turn encrypted with (or “wrapped” by) a key encryption key (KEK), so a stored DEK is useless without access to its KEK, and rotating a KEK means re-wrapping DEKs rather than re-encrypting the data itself. The options below differ in who generates, holds, and rotates the KEKs that protect the DEKs that protect your data.
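The envelope scheme just described, as an added worked example in Go; this is not Google's code and does not reproduce its storage layer. Each chunk gets its own DEK, the DEK is stored only in wrapped form under a KEK, and rotating the KEK re-wraps the DEKs without touching the chunk ciphertexts. The choice of AES-256-GCM, the 16-byte chunk size, the per-position additional authenticated data and every function name are this example's own assumptions. The `kek` argument stands in for whichever option you pick below: the mechanism is the same, only the party that holds the KEK changes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// chunkSize is a constructed value, tiny so the demo yields several chunks;
// real storage chunks are far larger.
const chunkSize = 16

// Chunk is one stored sub-file chunk: its ciphertext plus its own DEK, which is
// kept next to the data only in wrapped form (encrypted under the KEK).
type Chunk struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK) || tag
}

// randBytes draws from the OS CSPRNG; losing the entropy source is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKey returns a fresh random 256-bit AES key, used for DEKs and KEKs alike.
func NewKey() []byte { return randBytes(32) }

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a wrong key length: a programming error
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under a fresh random nonce and binds aad, so the blob is only
// valid in that context; open reverses it and fails on the wrong key or on any
// tampering with ciphertext, tag or aad.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

// chunkAAD binds both the data and the wrapped DEK to the chunk's position, so
// a stored chunk cannot be silently moved or swapped with another one.
func chunkAAD(i int) []byte { return []byte(fmt.Sprintf("chunk-%d", i)) }

// EncryptObject splits data into chunks, encrypts each under a fresh DEK and
// stores that DEK wrapped by kek; the KEK never touches the data itself.
func EncryptObject(kek, data []byte) []Chunk {
	var chunks []Chunk
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		dek, aad := NewKey(), chunkAAD(len(chunks))
		chunks = append(chunks, Chunk{
			Ciphertext: seal(dek, data[off:end], aad),
			WrappedDEK: seal(kek, dek, aad),
		})
	}
	return chunks
}

// DecryptObject unwraps each chunk's DEK with kek, then decrypts the chunk with it.
func DecryptObject(kek []byte, chunks []Chunk) ([]byte, error) {
	var out []byte
	for i, c := range chunks {
		dek, err := open(kek, c.WrappedDEK, chunkAAD(i))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: cannot unwrap DEK: %w", i, err)
		}
		pt, err := open(dek, c.Ciphertext, chunkAAD(i))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: data does not authenticate: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

// RotateKEK re-wraps every DEK under newKEK. Neither the DEKs nor the chunk
// ciphertexts change, which is why rotating a KEK never re-encrypts the data.
// Chunks of one object share a KEK, so a wrong oldKEK fails on chunk 0 before
// anything is rewritten.
func RotateKEK(oldKEK, newKEK []byte, chunks []Chunk) error {
	for i := range chunks {
		dek, err := open(oldKEK, chunks[i].WrappedDEK, chunkAAD(i))
		if err != nil {
			return fmt.Errorf("chunk %d: %w", i, err)
		}
		chunks[i].WrappedDEK = seal(newKEK, dek, chunkAAD(i))
	}
	return nil
}

func main() {
	kek := NewKey()
	chunks := EncryptObject(kek, []byte("constructed sample object spanning several storage chunks"))
	fmt.Println(len(chunks), "chunks; KEK rotated without touching data:", RotateKEK(kek, NewKey(), chunks) == nil)
}
```

After RotateKEK the old KEK no longer unwraps anything, while the chunk ciphertexts are byte-for-byte unchanged; that is the property that lets a KEK live in Cloud KMS or on-premises and be rotated on a schedule without a bulk re-encryption of stored data. The positional AAD is a deliberate extra: without it, a wrapped DEK and its chunk could be moved to another position and still decrypt.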

Encryption at rest options

Each option is listed with its description, its availability on Google Cloud Platform, and the data users typically choose to protect this way.

Encryption by default
  Description: World-class encryption with no further configuration on your part
  • Data is automatically encrypted prior to being written to disk
  • Each encryption key is itself encrypted with a set of master keys
  • Keys and encryption policies are managed the same way, in the same keystore, as for Google’s production services
  Learn more about default encryption in our whitepaper
  Availability: Data at rest is encrypted by default in all Google Cloud Platform products. Read about the granularity of encryption by product.
  Typically used for: Most data

Customer-managed encryption keys (CMEK) using Cloud KMS
  Description: Keep keys in the cloud, for direct use by cloud services
  • Manage your keys in a cloud-hosted solution
  • You can create, rotate (manually or on an automatic schedule), and destroy symmetric encryption keys
  Availability: You can use keys in Cloud KMS for application-layer encryption in any Google Cloud Platform product
  Typically used for: Sensitive data where you have a requirement to manage your own encryption key

Customer-supplied encryption keys (CSEK)
  Description: Keep keys on-premises, and use them to encrypt your cloud services
  • Use your own encryption keys as part of services on Google Cloud Platform
  • You provide the key as part of each API service call
  • Google uses the key in memory and does not write it to storage, so if you lose the key, the data it protects cannot be recovered
  Learn more about how CSEK are protected
  Typically used for: Sensitive data where you have a requirement to generate your own encryption key or manage it on-premises