About disk encryption
By default, Compute Engine encrypts customer content at rest. Compute Engine automatically uses Google-owned and Google-managed encryption keys to encrypt your data.
However, you can customize the encryption Compute Engine uses for your resources by providing key encryption keys (KEKs). Key encryption keys don't directly encrypt your data; they encrypt the Google-owned and managed keys that Compute Engine uses to encrypt your data.
You have two options to provide key encryption keys:
Recommended. Use customer-managed encryption keys (CMEKs) in Cloud KMS with Compute Engine. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
You can create CMEKs manually, or you can use Cloud KMS Autokey to have them created automatically on your behalf.
In most cases, after you create a CMEK-encrypted disk, you don't need to specify the key when working with the disk.
You can manage your own key encryption keys outside of Compute Engine, and provide the key whenever you create or manage a disk. This option is known as customer-supplied encryption keys (CSEKs). When you manage CSEK-encrypted resources, you must always specify the key you used when encrypting the resource.
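One way to act on that rule with the gcloud CLI, as an added example rather than the page's own code: generate a raw 256-bit key, write it into the JSON key file that `--csek-key-file` takes, and pass that file on every later operation on the disk. Project, zone, disk and VM names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page. Generates a raw CSEK, writes
# the key file gcloud expects, and shows the same file being required again
# on a later operation. PROJECT/ZONE/DISK/VM names are placeholders.
set -eu

# A raw CSEK is 256 bits, base64-encoded. Compute Engine does not store it:
# without this value the disk cannot be used or recovered.
new_csek_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write a one-entry key file binding KEY to the disk's full resource URI.
csek_key_file() {
  project="$1"; zone="$2"; disk="$3"; key="$4"; out="$5"
  cat > "$out" <<EOF
[
  {
    "uri": "https://www.googleapis.com/compute/v1/projects/$project/zones/$zone/disks/$disk",
    "key": "$key",
    "key-type": "raw"
  }
]
EOF
  chmod 600 "$out"
}

# Create the disk with the key, then attach it. The attach call needs the
# same key file: that is the CSEK contract described above.
create_and_attach() {
  project="$1"; zone="$2"; disk="$3"; vm="$4"; keyfile="$5"
  gcloud compute disks create "$disk" --project "$project" --zone "$zone" \
    --size 10GB --csek-key-file "$keyfile"
  gcloud compute instances attach-disk "$vm" --disk "$disk" \
    --project "$project" --zone "$zone" --csek-key-file "$keyfile"
}

# Usage: ./csek-disk.sh PROJECT ZONE DISK VM  (placeholder names)
if [ "$#" -eq 4 ]; then
  keyfile="$(mktemp)"
  csek_key_file "$1" "$2" "$3" "$(new_csek_key)" "$keyfile"
  create_and_attach "$1" "$2" "$3" "$4" "$keyfile"
  echo "keep $keyfile safe; every later operation on $3 needs it" >&2
fi
```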
For more information about each encryption type, see Customer-managed encryption keys and Customer-supplied encryption keys.
To add an additional layer of security to your Hyperdisk Balanced disks, enable Confidential mode. Confidential mode adds hardware-based encryption to your Hyperdisk Balanced disks.
Supported disk types
This section lists the supported encryption types for disks and other storage options offered by Compute Engine.
Persistent Disk volumes support Google-owned and managed keys, CMEKs, and CSEKs.
Google Cloud Hyperdisk volumes support CMEKs and Google-owned and managed keys. You can't use CSEKs to encrypt Hyperdisk volumes.
Local SSD disks only support Google-owned and managed keys. You can't use CSEKs or CMEKs to encrypt Local SSD disks.
Disk clones and machine images support Google-owned and managed keys, CMEKs, and CSEKs.
Standard snapshots and instant snapshots support Google-owned and managed keys, CMEKs, and CSEKs.
Rotation for Google-owned and managed keys and CMEKs
Compute Engine rotates the Google-owned and managed keys used to protect your data on a yearly basis. Key rotation is an industry best practice for data security that limits the potential impact of a compromised key.
If you use CMEKs, Google recommends that you enable automatic rotation for your disks. For more information, see Rotate your Cloud KMS encryption key for a disk.
CMEK with Cloud KMS Autokey
If you choose to use Cloud KMS keys to protect your Compute Engine resources, you can either create CMEKs manually or use Cloud KMS Autokey to create the keys. With Autokey, key rings and keys are generated on demand as part of resource creation in Compute Engine. Service agents that use the keys for encrypt and decrypt operations are created if they don't already exist and are granted the required Identity and Access Management (IAM) roles. For more information, see Autokey overview.
To learn how to use CMEKs created by Cloud KMS Autokey to protect your Compute Engine resources, see Using Autokey with Compute Engine resources.
Snapshots
When using Autokey to create keys to protect your Compute Engine resources, Autokey doesn't create new keys for snapshots. You must encrypt a snapshot with the same key used to encrypt the source disk. If you create a snapshot using the Google Cloud console, the encryption key used by the disk is automatically applied to the snapshot. If you create a snapshot using the gcloud CLI, Terraform, or the Compute Engine API, you must get the resource identifier of the key used to encrypt the disk and then use that key to encrypt the snapshot.
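The gcloud CLI path for that snapshot rule, as an added example and not code from the page: read the key resource identifier recorded on the source disk, then pass it to `gcloud compute snapshots create`. Disk, zone and snapshot names are placeholders; the script also strips a trailing `cryptoKeyVersions` suffix, if `disks describe` reports one, so the key itself is passed rather than one version of it.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page. Reuses a CMEK-encrypted
# disk's key for its snapshot, as the Autokey snapshot section requires.
set -eu

# Drop a trailing /cryptoKeyVersions/N so gcloud receives the key resource,
# not one specific version (disks describe may report the version used).
key_without_version() {
  printf '%s\n' "$1" | sed 's#/cryptoKeyVersions/[0-9][0-9]*$##'
}

# Read the CMEK resource identifier recorded on the source disk. Prints an
# empty line if the disk uses Google-owned and managed keys or a CSEK.
disk_kms_key() {
  disk="$1"; zone="$2"
  gcloud compute disks describe "$disk" --zone "$zone" \
    --format='value(diskEncryptionKey.kmsKeyName)'
}

# Create SNAPSHOT from DISK, encrypted with the disk's own key.
snapshot_with_disk_key() {
  disk="$1"; zone="$2"; snapshot="$3"
  raw_key="$(disk_kms_key "$disk" "$zone")"
  if [ -z "$raw_key" ]; then
    echo "error: $disk is not CMEK-encrypted; no key to reuse" >&2
    return 1
  fi
  key="$(key_without_version "$raw_key")"
  gcloud compute snapshots create "$snapshot" \
    --source-disk "$disk" --source-disk-zone "$zone" \
    --kms-key "$key"
}

# Usage: ./snapshot-with-key.sh DISK ZONE SNAPSHOT  (placeholder names)
if [ "$#" -eq 3 ]; then
  snapshot_with_disk_key "$1" "$2" "$3"
fi
```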
Encrypt disks with customer-managed encryption keys
For more information about how to use manually created customer-managed encryption keys (CMEK) to encrypt disks and other Compute Engine resources, see Protect resources by using Cloud KMS keys.
Encrypt disks with customer-supplied encryption keys
To learn how to use customer-supplied encryption keys (CSEK) to encrypt disks and other Compute Engine resources, see Encrypting disks with customer-supplied encryption keys.
View a disk's encryption type
To view a disk's encryption type, follow the steps in View information about a disk's encryption.
Confidential mode for Hyperdisk Balanced
If you use Confidential Computing, you can extend the hardware-based encryption to your Hyperdisk Balanced volumes by enabling Confidential mode.
Confidential mode for your Hyperdisk Balanced volumes lets you enable additional security without having to refactor the application. Confidential mode is a property that you can specify when you create a new Hyperdisk Balanced volume.
Hyperdisk Balanced volumes in Confidential mode can only be used with Confidential VMs.
To create a Hyperdisk Balanced volume in Confidential mode, follow the steps in Create a Hyperdisk Balanced volume in Confidential mode.
Supported machine types for Hyperdisk Balanced volumes in Confidential mode
Hyperdisk Balanced volumes in Confidential mode can only be used with Confidential VMs that use the N2D machine type.
Supported regions for Hyperdisk Balanced volumes in Confidential mode
Confidential mode for Hyperdisk Balanced volumes is available in the following regions:
- europe-west4
- us-central1
- us-east4
- us-east5
- us-south1
- us-west4
Limitations for Hyperdisk Balanced volumes in Confidential mode
- Hyperdisk Extreme, Hyperdisk Throughput, Hyperdisk ML, and Hyperdisk Balanced High Availability don't support Confidential mode.
- You can't suspend or resume a VM that uses Hyperdisk Balanced volumes in Confidential mode.
- You can't use Hyperdisk Storage Pools with Hyperdisk Balanced volumes in Confidential mode.
- You can't create a machine image or a custom image from a Hyperdisk Balanced volume in Confidential mode.
What's next
- To learn how to automate the creation of CMEKs, see Cloud KMS with Autokey (Preview).
- To learn how to create CMEKs, see Create encryption keys with Cloud KMS.
- Encrypt a disk with customer-managed encryption keys (CMEKs).
- To create a Hyperdisk Balanced volume in Confidential mode, see Create a Hyperdisk Balanced volume in Confidential mode.
- Learn more about the format and specification for CSEKs.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.