As an additional layer on top of Google-managed encryption keys, you can choose to use keys generated by Cloud Key Management Service. Such keys are known as customer-managed encryption keys. If you use a customer-managed encryption key, your encryption keys are stored within Cloud KMS. The project that holds your encryption keys can then be independent from the project that contains your buckets, thus allowing for better separation of duties.
When you apply a customer-managed encryption key to an object, the encryption key is used to encrypt the object, its CRC32C checksum, and its MD5 hash. The remaining metadata for the object, including the object's name, is encrypted using standard server-side keys. This allows you to always read and update metadata, as well as list and delete objects, provided you have permission to do so.
Encryption and decryption with customer-managed encryption keys is accomplished using service accounts. Once you give your Cloud Storage service account access to an encryption key, that service account encrypts:
- Objects added to a bucket that uses the key as the default key.
- Specific objects that you indicate should be encrypted with that key.
When adding or rewriting an object in Cloud Storage, if you have both a default key set on your bucket and a specific key included in your request, Cloud Storage uses the specific key to encrypt the object.
When a requester wants to read an object encrypted with a customer-managed encryption key, they simply access the object as they normally would. During such a request, the service account automatically decrypts the requested object as long as:
- The service account still has permission to decrypt using the key.
- You have not disabled or destroyed the key.
If one of these conditions is not met, the service account does not decrypt the data, and the request fails.
A Cloud KMS key resource has the following format:
[VALUES_IN_BRACKETS] are values that depend on your key resource.
The following restrictions apply when using customer-managed encryption keys:
Customer-managed encryption keys are available in the following countries:Argentina, Austria, Australia, Belgium, Bulgaria, Canada, Chile, Colombia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, India Indonesia, Ireland, Israel, Italy, Japan, Lithuania, Luxembourg, Latvia, Malaysia, Malta, Mexico, Netherlands, New Zealand, Norway, Peru, Poland, Portugal, Romania, Singapore, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, United Kingdom (UK), United States (US), Vietnam
You cannot use the JSON API Copy Object method when the source object is encrypted with a customer-managed encryption key or when the destination object would become encrypted by a customer-managed encryption key. Use the Rewrite Object method instead.
You cannot encrypt an object with a customer-managed encryption key by updating the object's metadata. Include the key as part of a rewrite of the object instead.
You must create the Cloud KMS key in the same location as the data you intend to encrypt. For example, if your bucket is located in
us-east1, any Cloud KMS key encrypting objects in that bucket must also be created in
us-east1. For available Cloud KMS locations, see Cloud KMS locations.
You cannot specify a customer-managed encryption key as part of a Storage Transfer Service transfer, and any such keys on source objects are not applied to the transferred objects. Set a default customer-managed key on your bucket prior to performing the transfer.
Relation to customer-supplied encryption keys
In addition to customer-managed encryption, Cloud Storage offers Customer-Supplied Encryption Keys as a way of controlling your data encryption. You can encrypt different objects in a single bucket with different encryption methods, but note that:
A single object can only be encrypted by one of these methods at a time.
If you have a default customer-managed key set for your bucket and specify a customer-supplied key in a request, Cloud Storage uses the customer-supplied key to encrypt the object.
You can set a default customer-managed key on your bucket, but you cannot set a default customer-supplied key on your bucket.