Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge. This page discusses the standard encryption that Cloud Storage performs. For other encryption options, see Data Encryption Options.
Cloud Storage manages server-side encryption keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Cloud Storage encrypts user data at rest using AES-256. There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Data is automatically decrypted when read by an authorized user.
To protect your data as it travels over the Internet during read and write operations, use Transport Layer Security, commonly known as TLS or HTTPS.
For more information about how Google-managed encryption keys are rotated, managed, and stored, see Key management.
See Encryption at the storage system layer to learn about the encryption modes that are used in Google Cloud.
Learn more about Choosing an encryption option.