Data Encryption options in Google Cloud Storage

Last updated on May 11th, 2023

Estimated reading time: 4 minutes

Data encryption in cloud storage is the process of encoding data so that unauthorized parties cannot access it. This is important for protecting sensitive information that may be stored in cloud storage services.

Google Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge.

Client-side data encryption

If you are new to Google Cloud Platform, refer to the article Google cloud free tier account – Full Stack Tutorials Hub to create a free tier account. The Free Tier account provides $300 in credit to learn and explore Google Cloud services.

Encryption that occurs before data is sent to Cloud Storage is called client-side data encryption. Client-side data encryption is performed by the user before uploading data to Google Cloud Storage. Data arrives at Cloud Storage already encrypted, but it also undergoes server-side encryption.

Google Cloud Platform does not know the encryption keys.

Google Cloud Platform is not involved in the encryption and decryption process.

Google Managed Keys: Server-side encryption

Encryption that occurs after Cloud Storage receives your data, but before the data is written to disk and stored, is called server-side data encryption.

Google Managed Keys are the default server-side encryption option. This option is configured at the storage bucket level.

[Screenshot: create bucket]

Cloud Storage manages server-side encryption keys on your behalf. There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Data is automatically decrypted when read by an authorized user.

Customer-Managed Keys: Server-side encryption

You can create and manage your encryption keys through the Google Cloud Key Management Service (Cloud KMS). If you need more control over key operations than Google managed keys offer, you can use customer-managed encryption keys.

These keys are created and managed using Cloud KMS. When using a customer-managed encryption key, an object is encrypted with the key by Cloud Storage at the time it’s stored in a bucket, and the object is automatically decrypted by Cloud Storage when the object is served to requesters.

In the Google Cloud console, search for Key Management Service and enable the Cloud Key Management Service API.

[Screenshot: key management service API]

Click on create new key ring.

[Screenshot: Regional Key Ring]

Generate a new key and add it to the key ring. Specify the key generation algorithm and other required details.

Search for the storage bucket, click on edit configuration, and assign the customer-managed key. The Cloud Storage service account must have access to this managed key.

Customer-Supplied Keys: Server-side encryption

As an additional layer on top of Google managed keys, you can choose to provide your own AES-256 encryption key, encoded in standard Base64. This key is known as a customer-supplied encryption key. If you provide a customer-supplied encryption key, Cloud Storage does not permanently store your key on Google’s servers or otherwise manage your key.

When you use a customer-supplied encryption key and work directly with the JSON or XML API, you must provide both the AES-256 key and a SHA256 hash of the key. This data can be passed using API headers when making API calls.
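The following added example (not code from the original article) builds the key and hash headers described above and validates the key before it is sent. The function names are hypothetical; the header names are the ones Cloud Storage documents for customer-supplied keys and do not appear in the article itself.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # AES-256 key length in bytes

def generate_csek_b64() -> str:
    """Create a random AES-256 key, encoded in standard Base64."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")

def decode_csek(key_b64: str) -> bytes:
    """Decode strictly: reject the URL-safe alphabet, bad padding, wrong length."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key is not standard Base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, AES-256 needs {KEY_BYTES}")
    return raw

def is_valid_csek(key_b64: str) -> bool:
    """True only for a standard-Base64 string that decodes to 32 bytes."""
    try:
        decode_csek(key_b64)
    except ValueError:
        return False
    return True

def csek_headers(key_b64: str) -> dict:
    """Build the request headers; the hash covers the raw key bytes, not the Base64 text."""
    digest = hashlib.sha256(decode_csek(key_b64)).digest()
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": base64.b64encode(digest).decode("ascii"),
    }

def hash_matches_key(headers: dict) -> bool:
    """Recompute the hash from the key header and compare in constant time."""
    raw = decode_csek(headers["x-goog-encryption-key"])
    expected = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
    return hmac.compare_digest(expected, headers["x-goog-encryption-key-sha256"])

def redact_for_logs(headers: dict) -> dict:
    """Copy of the headers that is safe to log: the key itself is masked."""
    return {k: ("[REDACTED]" if k == "x-goog-encryption-key" else v)
            for k, v in headers.items()}
```

Because Cloud Storage does not keep a customer-supplied key, the same key has to be presented again to read the object, so it belongs in a secret store and request logs should carry only the redacted form.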
