Client-side encryption keys

This page discusses client-side encryption, which is any data encryption you perform prior to sending your data to Cloud Storage. For other encryption options, see Data Encryption Options.

When you perform client-side encryption, you must create and manage your own encryption keys, and you must use your own tools to encrypt data prior to sending it to Cloud Storage. Data that you encrypt on the client side arrives at Cloud Storage in an encrypted state, and Cloud Storage has no knowledge of the keys you used to encrypt the data.

When Cloud Storage receives your data, it is encrypted a second time. This second encryption is called server-side encryption, which Cloud Storage manages. When you retrieve your data, Cloud Storage removes the server-side layer of encryption, but you must decrypt the client-side layer yourself.

You can use the open source cryptographic SDK, Tink, to perform client-side encryption, then protect your keys with Cloud Key Management Service. For more details, see Client-side encryption with Tink and Cloud Key Management Service.

Warning: Cloud Storage doesn't know if your data has already been encrypted on the client side and has no knowledge of your client-side encryption keys. You must securely manage your client-side keys and ensure that they are not lost. If you lose your keys, you are no longer able to read your data, and you continue to be charged for storage of your objects until you delete them.
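The client-side layer described above, as an added example that is not from this page, from Tink, or from Google's client libraries: envelope encryption of one object with Go's standard library before it is uploaded. The key-encryption key (KEK) is a local byte slice standing in for a key you would hold in Cloud KMS, and EncryptObject, DecryptObject, the 32-byte KEK and the object-name AAD are assumptions of this example; only the ciphertext and the wrapped data key ever reach Cloud Storage, so a lost KEK leaves the object unreadable exactly as the warning states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aesGCM panics on a bad key length: a programming error, not a runtime condition.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal returns nonce || ciphertext || tag, with aad authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aesGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open fails on a wrong key, a wrong aad, or any tampering with the bytes.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aesGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed data truncated")
}
// EncryptObject returns (wrappedDEK, ciphertext): a fresh 256-bit DEK per object, sealed
// under the KEK (a local stand-in for a KMS key); the object name is the AAD, so a
// ciphertext cannot be moved onto another object. Upload ciphertext as the body, wrappedDEK as metadata.
func EncryptObject(kek, plaintext []byte, objectName string) ([]byte, []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	aad := []byte(objectName)
	return seal(kek, dek, aad), seal(dek, plaintext, aad)
}
// DecryptObject unwraps the DEK with the KEK, then opens the object body.
// A wrong or lost KEK fails at the first step and the data stays unreadable.
func DecryptObject(kek, wrappedDEK, ciphertext []byte, objectName string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(objectName))
}
```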

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.