Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge. Besides this default behavior, there are additional ways to encrypt your data when using Cloud Storage. Below is a summary of the encryption options available to you:
Server-side encryption: encryption that occurs after Cloud Storage receives your data, but before the data is written to disk and stored.
  Google-managed encryption keys: Cloud Storage uses its server-side encryption keys to encrypt your data. This is the default for Cloud Storage encryption.
  Customer-supplied encryption keys: You can create and manage your own encryption keys for server-side encryption, which replace the Google-managed encryption keys.
  Customer-managed encryption keys: You can generate and manage your encryption keys using Cloud Key Management Service. These replace the Google-managed encryption keys.
Client-side encryption: encryption that occurs before data is sent to Cloud Storage. Such data arrives at Cloud Storage already encrypted but also undergoes server-side encryption.
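
For the customer-supplied encryption keys option, the following added example (not part of the original page or of Google's code) generates a 256-bit key, builds the three request headers Cloud Storage expects for such keys, and picks the right key for an object by comparing hashes. The header names and the `customerEncryption.keySha256` metadata field come from Cloud Storage's public API; the function names, keyring labels and sample metadata are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "AES256"  # algorithm value used with customer-supplied keys


def generate_csek() -> bytes:
    """Return a fresh 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(32)


def key_sha256_b64(key: bytes) -> str:
    """Base64 of the SHA-256 digest of the raw key (the form kept in object metadata)."""
    if len(key) != 32:
        raise ValueError("customer-supplied key must be exactly 32 bytes (AES-256)")
    return base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")


def csek_headers(key: bytes) -> dict:
    """Headers to send with each request that reads or writes the object."""
    return {
        "x-goog-encryption-algorithm": ALGORITHM,
        "x-goog-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-goog-encryption-key-sha256": key_sha256_b64(key),
    }


def find_key_for_object(object_metadata: dict, keyring: dict):
    """Return the keyring label whose key hash matches the object's, or None."""
    recorded = object_metadata.get("customerEncryption", {}).get("keySha256")
    if recorded is None:
        return None  # object was not written with a customer-supplied key
    for label, key in keyring.items():
        if hmac.compare_digest(key_sha256_b64(key), recorded):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample data: a two-key keyring and one object's metadata.
    keyring = {"2023-key": generate_csek(), "2024-key": generate_csek()}
    meta = {"customerEncryption": {"encryptionAlgorithm": ALGORITHM,
                                   "keySha256": key_sha256_b64(keyring["2024-key"])}}
    print(find_key_for_object(meta, keyring))       # label of the matching key
    print(sorted(csek_headers(keyring["2024-key"])))  # header names only, no key material
```

Because Cloud Storage keeps only the hash of a customer-supplied key, losing the key means losing access to the object, so the keyring itself needs backup and access control.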