Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge. This page discusses the standard encryption that Cloud Storage performs. For other encryption options, see Data Encryption Options.
Cloud Storage manages server-side encryption keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Cloud Storage encrypts user data at rest using AES-256, in most cases using Galois/Counter Mode (GCM). There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Data is automatically decrypted when read by an authorized user.
For more information about how Google Cloud and Cloud Storage manage encryption keys, see Default encryption at rest.
To protect your data as it travels over the Internet during read and write operations, use Transport Layer Security, commonly known as TLS or HTTPS.
For more information about how Google-managed encryption keys are rotated, managed, and stored, see Key management.
See Encryption at the storage system layer to learn about the encryption modes that are used in Google Cloud.
Learn more about Choosing an encryption option.