Using Customer-Supplied Encryption Keys

This page describes how to use your own encryption key, referred to as a customer-supplied encryption key, with Google Cloud Storage. For more information about encryption in Cloud Storage, see the Encryption page.

Generating your own encryption key

There are many ways to generate a Base64-encoded AES-256 encryption key. Here are several examples:

C#

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

void GenerateEncryptionKey()
{
    Console.Write(EncryptionKey.Generate().Base64Key);
}

Node.js

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

const crypto = require('crypto');

/**
 * Generates a 256 bit (32 byte) AES encryption key and prints the base64
 * representation.
 *
 * This is included for demonstration purposes. You should generate your own
 * key. Please remember that encryption keys should be handled with a
 * comprehensive security policy.
 *
 * @returns {string} The encryption key.
 */
function generateEncryptionKey() {
  const buffer = crypto.randomBytes(32);
  const encodedKey = buffer.toString('base64');

  console.log(`Base 64 encoded encryption key: ${encodedKey}`);

  return encodedKey;
}

PHP

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

/**
 * Generate a base64 encoded encryption key for Google Cloud Storage.
 *
 * @return void
 */
function generate_encryption_key()
{
    $key = random_bytes(32);
    $encodedKey = base64_encode($key);
    printf('Your encryption key: %s' . PHP_EOL, $encodedKey);
}

Python

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

def generate_encryption_key():
    """Generates a 256 bit (32 byte) AES encryption key and prints the
    base64 representation.

    This is included for demonstration purposes. You should generate your own
    key. Please remember that encryption keys should be handled with a
    comprehensive security policy.
    """
    key = os.urandom(32)
    encoded_key = base64.b64encode(key).decode('utf-8')
    print('Base 64 encoded encryption key: {}'.format(encoded_key))

Ruby

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

require "base64"
require "openssl"

encryption_key  = OpenSSL::Cipher.new("aes-256-cfb").encrypt.random_key
encoded_enc_key = Base64.encode64 encryption_key

puts "Sample encryption key: #{encoded_enc_key}"

Uploading with your encryption key

To use customer-supplied encryption keys to upload an object:

gsutil

  1. Add the following option to the [GSUtil] section of your boto configuration file:

    encryption_key = [YOUR_ENCRYPTION_KEY]

    where [YOUR_ENCRYPTION_KEY] is the key for encrypting the uploaded file.

  2. Use the gsutil cp command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    gsutil cp [LOCAL_OBJECT_LOCATION] gs://[DESTINATION_BUCKET_NAME]/

Client libraries

C#

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

private void UploadEncryptedFile(string key, string bucketName,
    string localPath, string objectName = null)
{
    var storage = StorageClient.Create();
    using (var f = File.OpenRead(localPath))
    {
        objectName = objectName ?? Path.GetFileName(localPath);
        storage.UploadObject(bucketName, objectName, null, f,
            new UploadObjectOptions()
            {
                EncryptionKey = EncryptionKey.Create(
                Convert.FromBase64String(key))
            });
        Console.WriteLine($"Uploaded {objectName}.");
    }
}

Go

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

obj := client.Bucket(bucket).Object(object)
// Encrypt the object's contents.
wc := obj.Key(secretKey).NewWriter(ctx)
if _, err := wc.Write([]byte("top secret")); err != nil {
	return err
}
if err := wc.Close(); err != nil {
	return err
}

Java

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

InputStream content = new ByteArrayInputStream("Hello, World!".getBytes(UTF_8));

BlobId blobId = BlobId.of(bucketName, blobName);
BlobInfo blobInfo = BlobInfo.newBuilder(blobId)
    .setContentType("text/plain")
    .build();
Blob blob = storage.create(blobInfo, content, BlobWriteOption.encryptionKey(encryptionKey));

Node.js

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

// Imports the Google Cloud client library
const Storage = require('@google-cloud/storage');

// The name of the bucket to access, e.g. "my-bucket"
// const bucketName = "my-bucket";

// The name of the local file to upload, e.g. "./local/path/to/file.txt"
// const srcFilename = "./local/path/to/file.txt";

// The path to which the file should be uploaded, e.g. "file_encrypted.txt"
// const destFilename = "file.txt";

// Instantiates a client
const storage = Storage();

const options = {
  // The path to which the file should be uploaded, e.g. "file_encrypted.txt"
  destination: destFilename,
  // Encrypt the file with a customer-supplied key, e.g. "my-secret-key"
  encryptionKey: Buffer.from(key, 'base64'),
};

// Encrypts and uploads a local file, e.g. "./local/path/to/file.txt".
// The file will only be retrievable using the key used to upload it.
storage
  .bucket(bucketName)
  .upload(srcFilename, options)
  .then(() => {
    console.log(
      `File ${srcFilename} uploaded to gs://${bucketName}/${destFilename}.`
    );
  })
  .catch(err => {
    console.error('ERROR:', err);
  });

PHP

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Upload an encrypted file.
 *
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @param resource $source the path to the file to upload.
 * @param string $base64EncryptionKey the base64 encoded encryption key.
 *
 * @return void
 */
function upload_encrypted_object($bucketName, $objectName, $source, $base64EncryptionKey)
{
    $storage = new StorageClient();
    $file = fopen($source, 'r');
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->upload($file, [
        'name' => $objectName,
        'encryptionKey' => $base64EncryptionKey,
    ]);
    printf('Uploaded encrypted %s to gs://%s/%s' . PHP_EOL,
        basename($source), $bucketName, $objectName);
}

Python

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

def upload_encrypted_blob(bucket_name, source_file_name,
                          destination_blob_name, base64_encryption_key):
    """Uploads a file to a Google Cloud Storage bucket using a custom
    encryption key.

    The file will be encrypted by Google Cloud Storage and only
    retrievable using the provided encryption key.
    """
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    # Encryption key must be an AES256 key represented as a bytestring with
    # 32 bytes. Since it's passed in as a base64 encoded string, it needs
    # to be decoded.
    encryption_key = base64.b64decode(base64_encryption_key)
    blob = Blob(destination_blob_name, bucket, encryption_key=encryption_key)

    blob.upload_from_filename(source_file_name)

    print('File {} uploaded to {}.'.format(
        source_file_name,
        destination_blob_name))

Ruby

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

# project_id        = "Your Google Cloud project ID"
# bucket_name       = "Your Google Cloud Storage bucket name"
# local_file_path   = "Path to local file to upload"
# storage_file_path = "Path to store the file in Google Cloud Storage"
# encryption_key    = "AES-256 encryption key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project: project_id

bucket = storage.bucket bucket_name

file = bucket.create_file local_file_path, storage_file_path,
                          encryption_key: encryption_key

puts "Uploaded #{file.name} with encryption key"

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Add the object's data to the request body.
  3. Use cURL to call the JSON API with a POST Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X POST --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        "https://www.googleapis.com/upload/storage/v1/b/[BUCKET_NAME]/o?uploadType=media&name=[OBJECT_NAME]"

See Encryption request headers for more information on encryption-specific headers.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Add the object's data to the request body.
  3. Use cURL to call the XML API with a PUT Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X -i PUT --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"

See Encryption request headers for more information on encryption-specific headers.

Downloading objects you've encrypted

To download an object stored in Cloud Storage that is encrypted with a customer-supplied encryption key:

gsutil

  1. Add the following option to the [GSUtil] section of your boto configuration file:

    decryption_key1 = [YOUR_ENCRYPTION_KEY]

    where [YOUR_ENCRYPTION_KEY] is the key used to encrypt the object when it was uploaded.

  2. Use the gsutil cp command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    gsutil cp gs://[BUCKET_NAME]/[OBJECT_NAME] [OBJECT_DESTINATION]

Client libraries

C#

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

private void DownloadEncryptedObject(string key, string bucketName,
    string objectName, string localPath = null)
{
    var storage = StorageClient.Create();
    localPath = localPath ?? Path.GetFileName(objectName);
    using (var outputFile = File.OpenWrite(localPath))
    {
        storage.DownloadObject(bucketName, objectName, outputFile,
            new DownloadObjectOptions()
            {
                EncryptionKey = EncryptionKey.Create(
                    Convert.FromBase64String(key))
            });
    }
    Console.WriteLine($"downloaded {objectName} to {localPath}.");
}

Go

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

obj := client.Bucket(bucket).Object(object)
rc, err := obj.Key(secretKey).NewReader(ctx)
if err != nil {
	return nil, err
}
defer rc.Close()

data, err := ioutil.ReadAll(rc)
if err != nil {
	return nil, err
}

Java

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

byte[] content = storage.readAllBytes(
    bucketName, blobName, BlobSourceOption.decryptionKey(decryptionKey));

Node.js

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

// Imports the Google Cloud client library
const Storage = require('@google-cloud/storage');

// The name of the bucket to access, e.g. "my-bucket"
// const bucketName = "my-bucket";

// The name of the remote file to download, e.g. "file_encrypted.txt"
// const srcFilename = "file_encrypted.txt";

// The path to which the file should be downloaded, e.g. "./file.txt"
// const destFilename = "./file.txt";

// Instantiates a client
const storage = Storage();

const options = {
  // The path to which the file should be downloaded, e.g. "./file.txt"
  destination: destFilename,
};

// Descrypts and downloads the file. This can only be done with the key used
// to encrypt and upload the file.
storage
  .bucket(bucketName)
  .file(srcFilename)
  .setEncryptionKey(Buffer.from(key, 'base64'))
  .download(options)
  .then(() => {
    console.log(`File ${srcFilename} downloaded to ${destFilename}.`);
  })
  .catch(err => {
    console.error('ERROR:', err);
  });

PHP

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Download an encrypted file
 *
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @param string $destination the local destination to save the encrypted file.
 * @param string $base64EncryptionKey the base64 encoded encryption key.
 *
 * @return void
 */
function download_encrypted_object($bucketName, $objectName, $destination, $base64EncryptionKey)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->object($objectName);
    $object->downloadToFile($destination, [
        'encryptionKey' => $base64EncryptionKey,
    ]);
    printf('Encrypted object gs://%s/%s downloaded to %s' . PHP_EOL,
        $bucketName, $objectName, basename($destination));
}

Python

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

def download_encrypted_blob(bucket_name, source_blob_name,
                            destination_file_name, base64_encryption_key):
    """Downloads a previously-encrypted blob from Google Cloud Storage.

    The encryption key provided must be the same key provided when uploading
    the blob.
    """
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    # Encryption key must be an AES256 key represented as a bytestring with
    # 32 bytes. Since it's passed in as a base64 encoded string, it needs
    # to be decoded.
    encryption_key = base64.b64decode(base64_encryption_key)
    blob = Blob(source_blob_name, bucket, encryption_key=encryption_key)

    blob.download_to_filename(destination_file_name)

    print('Blob {} downloaded to {}.'.format(
        source_blob_name,
        destination_file_name))

Ruby

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

# project_id     = "Your Google Cloud project ID"
# bucket_name    = "Your Google Cloud Storage bucket name"
# file_name      = "Name of file in Google Cloud Storage to download locally"
# local_path     = "Path to local file to save"
# encryption_key = "AES-256 encryption key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project: project_id

bucket = storage.bucket bucket_name

file = bucket.file storage_file_path, encryption_key: encryption_key
file.download local_file_path, encryption_key: encryption_key

puts "Downloaded encrypted #{file.name}"

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a GET Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X GET \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        -o "[SAVE_TO_LOCATION]" \
        "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/o/[OBJECT_NAME]?alt=media"

See Encryption request headers for more information on encryption-specific headers.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Use cURL to call the XML API with a GET Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X GET \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [YOUR_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_YOUR_KEY]" \
        -o "[SAVE_TO_LOCATION]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"

See Encryption request headers for more information on encryption-specific headers.

Rotating your encryption keys

To rotate a customer-supplied encryption key:

gsutil

  1. Add the following options to the [GSUtil] section of your boto configuration file, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    encryption_key = [NEW_ENCRYPTION_KEY]
    decryption_key1 = [OLD_ENCRYPTION_KEY]

  2. Use the gsutil rewrite command with the -k flag, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    gsutil rewrite -k gs://[BUCKET-NAME]/[OBJECT_NAME]

Client libraries

Go

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

client, err := storage.NewClient(ctx)
if err != nil {
	return err
}
obj := client.Bucket(bucket).Object(object)
// obj is encrypted with key, we are encrypting it with the newKey.
_, err = obj.Key(newKey).CopierFrom(obj.Key(key)).Run(ctx)
if err != nil {
	return err
}

Java

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

BlobId blobId = BlobId.of(bucketName, blobName);
CopyRequest request = CopyRequest.newBuilder()
    .setSource(blobId)
    .setSourceOptions(BlobSourceOption.decryptionKey(oldEncryptionKey))
    .setTarget(blobId, BlobTargetOption.encryptionKey(newEncryptionKey))
    .build();
Blob blob = storage.copy(request).getResult();

PHP

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Change the encryption key used to store an existing object.
 *
 * @param string $bucketName the name of your Google Cloud bucket.
 * @param string $objectName the name of your Google Cloud object.
 * @param string $base64EncryptionKey the base64 encoded encryption key.
 * @param string $newBase64EncryptionKey the new base64 encoded encryption key.
 *
 * @return void
 */
function rotate_encryption_key(
    $bucketName,
    $objectName,
    $base64EncryptionKey,
    $newBase64EncryptionKey
) {
    $storage = new StorageClient();
    $object = $storage->bucket($bucketName)->object($objectName);

    $rewrittenObject = $object->rewrite($bucketName, [
        'encryptionKey' => $base64EncryptionKey,
        'destinationEncryptionKey' => $newBase64EncryptionKey,
    ]);

    printf('Rotated encryption key for object gs://%s/%s' . PHP_EOL,
        $bucketName, $objectName);
}

Python

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

def rotate_encryption_key(bucket_name, blob_name, base64_encryption_key,
                          base64_new_encryption_key):
    """Performs a key rotation by re-writing an encrypted blob with a new
    encryption key."""
    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    current_encryption_key = base64.b64decode(base64_encryption_key)
    new_encryption_key = base64.b64decode(base64_new_encryption_key)

    # Both source_blob and destination_blob refer to the same storage object,
    # but destination_blob has the new encryption key.
    source_blob = Blob(
        blob_name, bucket, encryption_key=current_encryption_key)
    destination_blob = Blob(
        blob_name, bucket, encryption_key=new_encryption_key)

    token = None

    while True:
        token, bytes_rewritten, total_bytes = destination_blob.rewrite(
            source_blob, token=token)
        if token is None:
            break

    print('Key rotation complete for Blob {}'.format(blob_name))

Ruby

For more on installing and creating a Cloud Storage client, refer to Cloud Storage Client Libraries.

# project_id             = "Your Google Cloud project ID"
# bucket_name            = "Your Google Cloud Storage bucket name"
# file_name              = "Name of a file in the Cloud Storage bucket"
# current_encryption_key = "Encryption key currently being used"
# new_encryption_key     = "New encryption key to use"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project: project_id
bucket  = storage.bucket bucket_name
file    = bucket.file file_name, encryption_key: current_encryption_key

file.rotate encryption_key:     current_encryption_key,
            new_encryption_key: new_encryption_key

puts "The encryption key for #{file.name} in #{bucket.name} was rotated."

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a POST Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X POST --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [NEW_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_NEW_KEY]" \
        -H "x-goog-copy-source-encryption-algorithm: AES256" \
        -H "x-goog-copy-source-encryption-key: [OLD_ENCRYPTION_KEY]" \
        -H "x-goog-copy-source-encryption-key-sha256: [HASH_OF_OLD_KEY]" \
        "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/o/[OBJECT_NAME]/rewriteTo/b/[BUCKET_NAME]/o/[OBJECT_NAME]"

See Encryption request headers for more information on encryption-specific headers.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Remove the original object from Cloud Storage. To do so, use cURL to call the XML API with a DELETE Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X DELETE \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"
  3. Add the object's data to a new request body.
  4. Use cURL to call the XML API with a PUT Object request, replacing [VALUES_IN_BRACKETS] with the appropriate values:
    curl -X -i PUT --data-binary @[OBJECT] \
        -H "Authorization: Bearer [OAUTH2_TOKEN]" \
        -H "Content-Type: [OBJECT_CONTENT_TYPE]" \
        -H "x-goog-encryption-algorithm: AES256" \
        -H "x-goog-encryption-key: [NEW_ENCRYPTION_KEY]" \
        -H "x-goog-encryption-key-sha256: [HASH_OF_NEW_KEY]" \
        "https://storage.googleapis.com/[BUCKET_NAME]/[OBJECT_NAME]"

See Encryption request headers for more information on encryption-specific headers.

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Cloud Storage Documentation