Setup

By default, Cloud Storage encrypts customer content at rest. Cloud Storage handles encryption for you without any additional actions on your part. This option is calledGoogle default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) inCloud KMS with CMEK-integrated services including Cloud Storage. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also letsyoutrack key usage, view audit logs, andcontrol key lifecycles. Instead of Google owning and managing the symmetrickey encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Cloud Storage resources is similar to using Google default encryption. For more information about CMEKs, see Customer-managed encryption keys (CMEK). To learn how to use manually-created CMEKs to protect your Cloud Storage resources, seeUse customer-managed encryption keys.

For more information about other encryption options when using Cloud Storage, seeData Encryption Options.

CMEK with Cloud KMS Autokey

You can either create CMEKs manually to protect your Cloud Storage buckets and the objects within them or use Cloud KMS Autokey. With Autokey, key rings and keys are generated on demand aspart of resource creation or update in Cloud Storage. Service agents that use the keys for encrypt and decrypt operations are created if they don't already exist and are granted the required Identity and Access Management (IAM) roles. For more information, seeAutokey overview.

Autokey doesn't create keysfor objects. By default, objects in a bucket use the bucket default key.If you want to encrypt an object using a key other than the bucket default key,you can manually create a CMEK and use that key when creating theobject.

To learn how to use CMEKs created byCloud KMS Autokey to protect your Cloud Storage buckets andthe objects within them, seeUsing Autokey with Cloud Storageresources.

When is the key used?

When you apply a CMEK to an object, Cloud Storage uses the key whenencrypting:

• The object's data.
• The object's CRC32C checksum.
• The object's MD5 hash.

Cloud Storage uses standardserver-side keys to encrypt theremainingmetadata for the object, including the object's name. Thus, ifyou have sufficientpermission, you can perform actions such as readingmost metadata, listing objects, and deleting objects even after you've disabledor destroyed the associated CMEK.

Note: Because most metadata can be read regardless of encryption method, donot include sensitive information in your object and bucket metadata or names.

Service agents

Each project has a special Cloud Storage service account called aservice agent that performs encryption and decryption with CMEKs. Once yougive the service agent access to an encryption key, that service agentencrypts:

• Objects added to a bucket thatuses the key as the default key.
• Specific objects that you indicate should beencrypted with that key.

When adding or rewriting an object in Cloud Storage, if you have both adefault key set on your bucket and a specific key included in your request,Cloud Storage uses the specific key to encrypt the object.

When a requester wants to read an object encrypted with a CMEK, they simplyaccess the object as they normally would. During such a request, the serviceagent automatically decrypts the requested object as long as:

• The service agent still has permission to decrypt using the key.
• You have not disabled or destroyed the key.

If one of these conditions is not met, the service agent does not decryptthe data, and the request fails.

Important: There is a delay between when youdisable a key and when thatkey no longer can be used to encrypt and decrypt objects. For information aboutthe typical length of the delay and ways to effectively shorten it,seeCloud KMS Resource Consistency.Caution: If youdestroy a key that encrypts existing objects, you will beunable to recover that data, but you continue to be charged for storage of yourobjects until you delete them. If you destroy a key, use the object metadatafieldkmsKeyName to identify objects that used the destroyed key, anddelete those objects.

Restrictions

The following restrictions apply when using CMEKs:

• You cannot encrypt an object with a CMEK by updating the object's metadata.Include the key as part of a rewrite of the object instead.

  • gcloud storage uses theobjects update command to set encryption keyson objects, but the command rewrites the object as part of the request.

• You must create the Cloud KMS key ring in the same location as thedata you intend to encrypt. For example, if your bucket is located inUS-EAST1, any key ring used for encrypting objects in that bucket mustalso be created inUS-EAST1.

  • Fordual-regions, the Cloud KMS key ring location mustmatch the dual-region's location code. For example, if your bucket islocated in the configurable dual-region pairUS-EAST1,US-WEST1, anykey ring used for encrypting objects in that bucket must be created in theUS multi-region, which matches this bucket's location code. If yourbucket is located in the predefined dual-regionNAM4, then you mustcreate the key ring in the same predefined dual-region,NAM4.

    For available Cloud KMS locations, seeCloud KMS locations.

• The CRC32C checksum and MD5 hash of objects encrypted with CMEKs are notreturned whenlisting objects with the JSON API.

  • When appropriate, some tools, such asgcloud storage, perform anadditional metadataGET request on each object encrypted with aCMEK in order to retrieve the CRC32C and MD5 information. These additionalrequests can make listing substantially slower than listing objectsencrypted with standard Cloud Storage encryption.

• Onlysymmetric encryption keys can be used as CMEKs.

Cloud KMS quotas and Cloud Storage

When you use CMEK in Cloud Storage,your projects can consume Cloud KMS cryptographic requestsquotas.

Encryption and decryption operationsusing CMEK keys affect Cloud KMS quotas in these ways:

• For software CMEK keys generated in Cloud KMS, no Cloud KMS quota is consumed.
• For hardware CMEK keys—sometimes called Cloud HSM keys—encryption and decryption operations count againstCloud HSM quotas in the project that contains the key.
• For external CMEK keys—sometimes called Cloud EKM keys—encryption and decryption operations count againstCloud EKM quotas in the project that contains the key.

For more information, seeCloud KMS quotas.

Relation to customer-supplied encryption keys

In addition to customer-managed encryption, Cloud Storage offersCustomer-Supplied Encryption Keys as a way of controlling your dataencryption. You can encrypt different objects in a single bucket with differentencryption methods, but note that:

• A single object can only be encrypted by one of these methods at a time.

• If you have a default CMEK set for your bucket and specify acustomer-supplied key in a request, Cloud Storage uses thecustomer-supplied key to encrypt the object.

Key management

This section discusses considerations when rotating keys, replacing keys, anddisabling or destroying key versions.

Key rotation

Cloud KMS supports both automatic and manualkey rotation to anewversion. After rotating a key, Cloud Storage uses the newversion for all operations that encrypt using the key, such as:

• Object uploads when the destination bucket uses the key as its defaultencryption key.

• Object upload, copy, and rewrite operations that specifically use thekey in the operation.

Previous versions of the key are not disabled or destroyed, soCloud Storage can still decrypt existing objects that were previouslyencrypted using those versions.

Key replacement

Use the following guidelines when replacing the key you use to encryptCloud Storage objects with a new key:

1. Check your buckets to see which use the key as their defaultencryption key. For these buckets, replace the old key with a new key.

   This ensures that all objects written to the bucket use the new keygoing forward.

2. Inspect your source code to understand which requests use the key in ongoingoperations, such as setting bucket configurations and uploading,copying, or rewriting objects. Update these instances to use the new key.

3. Check for objects, in all of your buckets, encrypted with the old key.Use theRewrite Object method to re-encrypt each object with the newkey.

4. Disable all versions of the old key. After disabling old key versions,monitor client and service logs for operations that fail due to a versionbecoming unavailable.

Disabling or destroying a key version

Caution: Except incertain cases involving locked objects,you can destroy a Cloud KMSkey version even if it's activelybeing used to encrypt Cloud Storage objects. Permanent loss of data canoccur if you destroy a key version that is still being used to encrypt objects.

• When youdisable ordestroy a specific key version, you cannotdecrypt any object that is currently encrypted with that key version.

  For example, you cannot download, copy, or rewrite the object, andattempting to do so results in an error.

  • If you disable a key version, you can re-enable it. Once re-enabled,you can access objects that were encrypted by that key version.

  • If you destroy a key version, downloads of objects encrypted with thatversion are never possible again.

  Before disabling or destroying a key version, you shouldidentify allobjects, in all buckets, that were encrypted using the specific key version.Once identified, use theRewrite Object method to re-encrypt eachobject using a new key version, a whole new key, orserver-side keys.

• When you disable or destroy theprimary version of a key, you cannot usethe key for encryption until you have a new primary version. For example,without a primary version:

  • You cannot specify the key as part of an object upload, copy, or rewrite.

  • You cannot upload, copy, or rewrite objects to a bucket that has the keyset as its default encryption keyunless you specify a different,valid key as part of the operation.

  Once you have a primary version for your key, operations that use the key toencrypt objects succeed.

  Before disabling or destroying a key version that is the primary version ofthe key, you should first stop using it as the primary version. You can doso by either:

  • Replacing it with a new primary version, typically byperforming a key rotation.
  • Removing instances where you use the key for encryption. When you do so,Cloud Storage usesserver-side keys for encryptioninstead.

Note: Key disablement and destruction take effect after some time.Cloud KMS documentation contains detailed information about thisbehavior.

Key versions and locked objects

If a key version encrypts an object that is locked, either because the object isstored in a bucket with alocked retention policy or because the objecthas its ownlocked retention configuration, the key version can only bedestroyed if the following conditions are met:

• The encrypted object'sretention expiration time must be in the past.
• The encrypted object must not have anyobject holds placed on it.

Once all relevant objects have met these conditions, it's possible to destroythe key version, even without deleting the objects. If you do so, affectedobject data becomes permanently inaccessible.

What's next

• Set CMEKs on your Cloud Storage buckets and objects.
• Learn more aboutencryption in Cloud Storage.
• Learn more aboutCloud KMS.