Cloud Storage always encrypts your data on the server side, before it is
written to disk, at no additional charge. Besides this standard
Cloud Storage behavior, there are additional ways to
encrypt your data when using Cloud Storage. Below is a summary of the
encryption options available to you:

*Server-side encryption*: Encryption that occurs after Cloud Storage
receives your data, but before the data is written to disk and stored.

- *Customer-managed encryption keys* (CMEK): You can create and manage
  your encryption keys through Cloud Key Management Service. CMEK can be stored as
  software keys, in an HSM cluster, or externally.

- *Customer-supplied encryption keys* (CSEK): You can create and manage
  your own encryption keys. These keys act as an additional encryption layer on
  top of the standard Cloud Storage encryption.

*Client-side encryption*: Encryption that occurs before data is sent to
Cloud Storage. Such data arrives at Cloud Storage already
encrypted but also undergoes server-side encryption.

Comparing encryption options
----------------------------

| Encryption method | Key management | Use case |
|---|---|---|
| Standard (Default) | Google manages the encryption keys. | General purpose: Cloud Storage's standard encryption is ideal for most users who need their data encrypted at rest without wanting to manage encryption keys. It satisfies many compliance requirements automatically. |
| CMEK | You manage the keys using Cloud Key Management Service. | Compliance and control: Use CMEK when you need to control the lifecycle of your encryption keys to meet specific compliance standards (for example, PCI-DSS or HIPAA). You can grant, revoke, and rotate keys on your own schedule. |
| CSEK | You provide your own encryption keys with each request to Cloud Storage. | External key management: CSEK is best for scenarios where you have an existing key management system outside of Google Cloud and you want to use those keys to encrypt your Cloud Storage data. The key is not stored by Google. |
| Client-side encryption | You encrypt the data and manage the keys entirely on your own before sending it to Cloud Storage. | Maximum secrecy: Use client-side encryption when you need to ensure that Google has no possible access to the unencrypted data. This provides the highest level of control but also places the full burden of key management and the encryption and decryption processes on you. |
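
To make the CSEK row concrete, the following added example (not part of the original documentation) builds the per-request key material for a customer-supplied key and matches a recorded key hash back to a locally held key. The `x-goog-encryption-*` header names and the idea of an object recording the SHA-256 of its key come from Cloud Storage's CSEK interface, which this page does not list; the key store and its key ids are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

KEY_LEN = 32  # a CSEK is an AES-256 key: exactly 32 raw bytes


def new_csek() -> bytes:
    """Generate a fresh 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def key_sha256_b64(key: bytes) -> str:
    """Base64 SHA-256 of the raw key: identifies a key without revealing it."""
    if len(key) != KEY_LEN:
        raise ValueError(f"CSEK must be {KEY_LEN} bytes, got {len(key)}")
    return base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")


def csek_headers(key: bytes) -> dict:
    """Headers sent with every request that reads or writes a CSEK object."""
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-goog-encryption-key-sha256": key_sha256_b64(key),
    }


def find_key(stored_hash: str, keystore: dict):
    """Return the id of the local key matching an object's recorded key hash."""
    for key_id, key in keystore.items():
        if hmac.compare_digest(key_sha256_b64(key), stored_hash):
            return key_id
    return None  # no local key matches: the object cannot be decrypted


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to log: raw key masked, hash kept."""
    return {k: "<redacted>" if k == "x-goog-encryption-key" else v
            for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed sample key store (hypothetical ids); real keys live in your KMS.
    keystore = {"key-2024": new_csek(), "key-2025": new_csek()}
    hdrs = csek_headers(keystore["key-2025"])
    print(redact(hdrs))
    print(find_key(hdrs["x-goog-encryption-key-sha256"], keystore))
```

Because the raw key travels in a request header, request logging and debugging proxies on the client side should record only the redacted form.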

**Warning:** If you use customer-supplied encryption keys or client-side encryption, you must securely manage your keys and ensure that they are not lost. If you lose your keys, you are no longer able to read your data, and you continue to be charged for storage of your objects until you delete them.

Last updated 2025-09-04 UTC.