As an alternative to Google-managed server-side encryption keys, you can choose to use keys generated by Cloud Key Management Service. Such keys are known as customer-managed encryption keys. If you use a customer-managed encryption key, your encryption keys are stored within Cloud KMS. The project that holds your encryption keys can then be independent from the project that contains your buckets, thus allowing for better separation of duties.
When you apply a customer-managed encryption key to an object, the encryption key is used to encrypt the object, its CRC32C checksum, and its MD5 hash. The remaining metadata for the object, including the object's name, is encrypted using standard server-side keys. This allows you to always read and update metadata, as well as list and delete objects, provided you have sufficient permissions to do so.
Service accounts are responsible for using customer-managed encryption keys to encrypt and decrypt objects. Once you give a service account access to an encryption key, that service account encrypts:
- Objects added to buckets that have that key set as the default key.
- Objects that you indicate should be encrypted with that key.
If you have both a default key set on your bucket and a specific key included in your upload, Cloud Storage uses the specific key to encrypt the object.
When a requester wants to read an object encrypted with a customer-managed encryption key, they simply access the object as they normally would. During such a request, the service account automatically decrypts the requested object as long as:
- The service account still has permission to decrypt using the key.
- You have not disabled or destroyed the key.
If one of these conditions is not met, the service account does not decrypt the data, and the request fails.
Relation to customer-supplied encryption keys
In addition to customer-managed encryption, Cloud Storage offers Customer-Supplied Encryption Keys as a way of controlling your data encryption. You can encrypt different objects in a single bucket with different encryption methods, but note that:
A single object can only be encrypted by one of these methods at a time.
If you have a default customer-managed key set on your bucket and specify a customer-supplied key in a request, Cloud Storage uses the customer-supplied key to encrypt the object.
The following restrictions apply when using customer-managed encryption keys:
You cannot use the JSON API Copy Object method when the source object is encrypted with a customer-managed encryption key or when the destination object would become encrypted by a customer-managed encryption key. Use the Rewrite Object method instead.
You cannot use the XML API Copy Object method when the source object is encrypted with a customer-managed encryption key or when the destination object would become encrypted by a customer-managed encryption key. Re-upload the object to the bucket or use the JSON API Rewrite Object method instead.
You cannot encrypt an object with a customer-managed encryption key by updating the object's metadata. Include the key as part of a rewrite of the object instead.
You must create the Cloud KMS key in the same location as the data you intend to encrypt. For available Cloud KMS locations, see Cloud KMS locations.