Data encryption options (original) (raw)

Data encryption options

Stay organized with collections Save and categorize content based on your preferences.

Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge. Besides thisstandard, Cloud Storage behavior, there are additional ways to encrypt your data when using Cloud Storage. Below is a summary of the encryption options available to you:

Server-side encryption: encryption that occurs after Cloud Storage receives your data, but before the data is written to disk and stored.

• Customer-managed encryption keys (CMEKs): You can create and manage your encryption keys through Cloud Key Management Service. CMEKs can be stored as software keys, in an HSM cluster, or externally.
• Customer-supplied encryption keys: You can create and manage your own encryption keys. These keys act as an additional encryption layer on top of the standard Cloud Storage encryption.

Client-side encryption: encryption that occurs before data is sent to Cloud Storage. Such data arrives at Cloud Storage already encrypted but also undergoes server-side encryption.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-06-12 UTC.