Standard Cloud Storage encryption

Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge. This page discusses the standard encryption that Cloud Storage performs. For other encryption options, see Data Encryption Options.

Cloud Storage manages server-side encryption keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Cloud Storage encrypts user data at rest using AES-256, in most cases using Galois/Counter Mode (GCM). There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Data is automatically decrypted when read by an authorized user.

For more information about how Google Cloud and Cloud Storage manage encryption keys, see Default encryption at rest.

To protect your data as it travels over the Internet during read and write operations, use Transport Layer Security, commonly known as TLS or HTTPS.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.