Data Encryption techniques in Google Cloud (GMEK/CMEK/CSEK)

Vishal Bulbule
Google Cloud - Community
5 min readFeb 21


Encryption in Google Cloud

Why we need Encryption At Rest ?

Encryption at rest is a security measure that protects data while it is stored on disk or in a database. It involves encrypting data before it is written to disk or database, so that if the data is accessed by an unauthorized user or attacker, they will not be able to read the sensitive information.

Encryption at rest is particularly important for organizations that store sensitive data, such as personal information, financial records, or intellectual property. It can help protect against data breaches, theft, or unauthorized access. Encryption at rest is also often required to meet compliance standards, such as HIPAA, PCI DSS, or GDPR.

Here are some of the encryption methods available for Data at rest :

  1. Google-managed encryption keys (GMEK): All data that is stored by Google at rest is encrypted by default without any additional action using Google-managed keys, which are stored and managed by Google. There is no additional cost for Google-managed encryption keys.
  2. Customer-managed encryption keys (CMEK): This method allows customers to create and manage their own encryption keys in Google Cloud KMS, which are used to encrypt data at rest in Google Cloud Storage, Google BigQuery, Google Cloud SQL, and other services that support CMEK.
  3. Customer-supplied encryption keys (CSEK): This method allows customers to use their own encryption keys to encrypt data at rest in Google Cloud Storage and Google Compute disks. The keys are generated and managed by the customer, and are not stored in Google Cloud.

Encryption in Transit

Encryption in transit refers to the practice of encrypting data as it travels between systems, such as over a network or the internet. The goal is to prevent eavesdropping and tampering by malicious actors.

To implement encryption in transit, you can use various protocols and technologies, such as:

  1. HTTPS (HTTP Secure): This is a widely used protocol for secure communication over the web. It encrypts data using SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols, which provide encryption and authentication between client and server.
  2. SSL/TLS: These are protocols that provide secure communication over the internet. They use encryption to protect data in transit and provide authentication to ensure the identity of the communicating parties.
  3. SSH (Secure Shell): This is a protocol used for secure remote access to servers and other systems. It uses encryption to protect data and credentials in transit, as well as to authenticate the parties involved.
  4. VPN (Virtual Private Network): This is a technology that creates a secure and encrypted connection between two or more systems over the internet. It is often used to connect remote users to a corporate network securely.

How to Encrypt data using Customer managed Encryption Key(CMEK)

CMEK can be used to protect data at rest in a wide range of GCP services, helping to ensure that sensitive data remains confidential and secure. Ex. Google compute disks, Google cloud storage, BigQuery,Cloud SQL,Cloud Spanner ,GKE etc.

Compute Disks

  1. For the Cloud project that runs Cloud KMS, do the following:
    Enable the Cloud KMS API.
  2. Create a key ring and a key as described in Creating key rings and keys.
  3. Assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine Service Agent. This account has the following form:

gcloud kms keyrings create example-keyring \
--location us-central1

gcloud kms keys create example-key \
--location us-central1 \
--keyring example-keyring \
--purpose encryption

Encrypt Boot disk

In the Google Cloud console, go to the Create Instance
In boot disk section click on “Change

Click “Show advanced configurations

In “Encryption” section select Customer-managed Encryption Keys(CMEK)
Select KMS Key from Drop Down

Create Instance

Encrypt Additional Disk

#In the Google Cloud console, go to the Disks page.
#Go to Disks
#Click Create disk and enter the properties for the new disk.
#Under Encryption, select Customer-managed key.
#In the drop-down menu, select the Cloud KMS key that you want to use to encrypt this disk.

To create the disk, click Create.

Cloud Storage Bucket

#Go to setting

#Copy Service account

#Assign Cloud Storage service agent a role Cloud KMS CryptoKey Encrypter/Decrypter.

#In the list of buckets, click on the desired bucket.
#In the bucket details page, click on the Configuration tab.

#Click on the Pencil icon associated with the Encryption type entry.
Set or remove the default Cloud KMS key for the bucket.
#If the bucket isn’t currently using a Cloud KMS key, select the Customer-managed key radio button, then select one of the available keys in the associated drop-down menu.

How to Encrypt data using Customer supplied Encryption Key(CMEK)

**CSEK feature is available for Google cloud storage and Compute disks.

**Also CSEK feature is not available for India and Brazil countries project.

**CSEK key feature is on object level and not bucket level.

**You can not upload/download object using cloud console which encrypted using CSEK.

**Only option to use gsutil commands either from cloud shell or other syste.

  1. Create new encryption key, encoded in standard Base64 using below command in cloud shell
openssl rand -base64 32

2. Update .boto config file and add encryption key. Bot config file can be found in default directory if using cloud shell

3. Once .boto config file is updated , you can upload objects using gsutil cp command without any additional flag as it will fetch encryption key from .boto config file.

Please refer video demo on All encryption implementation



Vishal Bulbule
Google Cloud - Community

Google Cloud Architect || Believe in Learn , work and share knowledge !