ENCRYPTION AT REST

Encryption at rest by default, with various key management options

Choosing an encryption option

Google Cloud Platform encrypts customer data stored at rest by default, with no additional action required from you. We offer a continuum of encryption key management options to meet your needs. This page helps you identify the solutions that best fit your requirements for key generation, storage, and rotation; whether you are choosing for your storage, compute, or big data workloads. Encryption should be used as one piece of a broader data security strategy.

Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). Customers can choose which key management solution they prefer for managing the KEKs that protect the DEKs that protect their data.

Encryption at rest options
Solution	Description	Google Cloud Platform availability	Data users typically choose to protect this way
Encryption by default
Encryption by default	Enjoy world-class encryption without further need for configurations Data is automatically encrypted prior to being written to disk Each encryption key is itself encrypted with a set of master keys Keys and encryption policies are managed the same way, in the same keystore, as for Google’s production services Learn more about default encryption in our whitepaper	Data at rest is encrypted by default in all Google Cloud Platform products. Read about the granularity of encryption by product	Most data
Customer-managed encryption keys (CMEK) using Cloud KMS
Customer-managed encryption keys (CMEK) using Cloud KMS	Keep keys in the cloud, for direct use by cloud services Manage your keys in a cloud-hosted solution You can create, rotate, automatically rotate and destroy symmetric encryption keys	AI Platform Training BigQuery Cloud Bigtable Cloud Build Cloud Dataproc Container Registry Cloud Spanner Cloud SQL Cloud Storage Compute Engine Kubernetes Engine Cloud Logging Pub/Sub You can use keys in Cloud KMS for application-layer encryption in any Google Cloud Platform product	Sensitive data where you have a requirement to manage your own encryption key
Customer-supplied encryption keys (CSEK)
Customer-supplied encryption keys (CSEK)	Keep keys on-premises, and use them to encrypt your cloud services Use your own encryption keys as part of services on Google Cloud Platform Google uses the key in memory and does not write it to storage You provide the keys as part of API service calls Learn more about how CSEK are protected	Cloud Storage Compute Engine	Sensitive data where you have a requirement to generate your own encryption key or manage it on-premises

View Documentation View Console