Server-side encryption

Cloud Firestore automatically encrypts all data before it is written to disk. There is no setup or configuration required and no need to modify the way you access the service. The data is automatically and transparently decrypted when read by an authorized user.

Key management

With server-side encryption, you can either let Google manage cryptographic keys on your behalf or use customer-managed encryption keys (CMEK) to manage the keys yourself.

By default, Google manages cryptographic keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Each Cloud Firestore object's data and metadata is encrypted and each encryption key is itself encrypted with a regularly rotated set of master keys.

For information about managing keys yourself, see CMEK for Cloud Firestore.

Client-side encryption

Server-side encryption can be used in combination with client-side encryption. In client-side encryption, you manage your own encryption keys and encrypt data before writing it to Cloud Firestore. In this case, your data is encrypted twice, once with your keys and once with the server-side keys.

Warning: Cloud Firestore does not know if your data has already been encrypted client-side, nor does Cloud Firestore have any knowledge of your client-side encryption keys. If you use client-side encryption, you must securely manage your encryption keys.

To protect your data as it travels over the Internet during read and write operations, we use Transport Layer Security (TLS). For more information about the supported TLS versions, see Encryption in transit in Google Cloud.

What's next

For more information about encryption at rest for Cloud Firestore and other Google Cloud products, see Encryption at Rest in Google Cloud.

Last updated 2026-02-18 UTC.