Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge. Besides this standard, Google-managed behavior, there are additional ways to encrypt your data when using Cloud Storage. Below is a summary of the encryption options available to you:
Server-side encryption: encryption that occurs after Cloud Storage receives your data, but before the data is written to disk and stored.
Customer-supplied encryption keys: You can create and manage your own encryption keys. These keys act as an additional encryption layer on top of the standard Cloud Storage encryption.
Customer-managed encryption keys: You can manage your encryption keys, which are generated for you and held in Cloud Key Management Service.
Client-side encryption: encryption that occurs before data is sent to Cloud Storage. Such data arrives at Cloud Storage already encrypted but also undergoes server-side encryption.