GCS CMEK - ghdrako/doc_snipets GitHub Wiki

https://cloud.google.com/sql/docs/mysql/cmek

All data in Google Cloud is encrypted at rest and in transit, and this encryption cannot be turned off. By default the encryption is done by Google using keys that Google manages: Google-managed encryption keys, or GMEK. Two levels of encryption are used (envelope encryption). First, the data is encrypted with a data encryption key (DEK); then the DEK itself is encrypted with a key encryption key (KEK). The KEKs are rotated automatically on a schedule, using the current KEK stored in Cloud KMS (the Key Management Service).

If you want to manage the KEK yourself, you can: instead of Google managing the encryption key, you control the creation and lifecycle of the KEK that is used. This is called customer-managed encryption keys, or CMEK. You can also avoid Cloud KMS completely and supply your own encryption key and rotation mechanism; this is called customer-supplied encryption keys, or CSEK. Which data encryption option you use generally depends on your business, legal and regulatory requirements, so be sure to talk to your company's legal counsel.

The fourth encryption option is client-side encryption. This simply means that you encrypt the data before it is uploaded, and you have to decrypt it yourself after downloading it, before it is used. Google Cloud Storage still performs GMEK, CMEK or CSEK encryption on the object; it has no knowledge of the extra layer of encryption you added.
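The two-level DEK/KEK scheme described at the top of this page, as an added example that is not Google's code and not part of this wiki: a small Ruby model of envelope encryption using AES-256-GCM from the standard openssl library. `new_key` stands in for a Cloud KMS key version and every name here is an assumption; `rotate_kek` shows why rotating the KEK only re-wraps the DEK and leaves the stored object ciphertext untouched.

```ruby
require 'openssl'
require 'securerandom'

# Envelope is the two-layer scheme from the page: the object sealed under a
# per-object DEK, and that DEK sealed ("wrapped") under the KEK. Both fields
# are AES-256-GCM blobs laid out as iv(12) || ciphertext || tag(16).
Envelope = Struct.new(:data, :wrapped_dek)

# Stands in for a Cloud KMS key version (assumption: a raw 256-bit key).
def new_key
  SecureRandom.random_bytes(32)
end

def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  iv + c.update(plaintext) + c.final + c.auth_tag
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or any tampering,
# because GCM authenticates the whole blob.
def open_blob(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize < 28
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(-16, 16)
  c.auth_data = ''
  c.update(blob.byteslice(12, blob.bytesize - 28)) + c.final
end

# Fresh DEK per object; object sealed under the DEK, DEK wrapped under the KEK.
def encrypt_object(kek, object)
  dek = new_key
  Envelope.new(seal(dek, object), seal(kek, dek))
end

# Unwrap the DEK with the KEK, then open the object.
def decrypt_object(kek, env)
  open_blob(open_blob(kek, env.wrapped_dek), env.data)
end

# Re-wrap the DEK under new_kek; env.data is returned untouched, which is why
# rotating the KEK does not require re-encrypting the stored object.
def rotate_kek(old_kek, new_kek, env)
  Envelope.new(env.data, seal(new_kek, open_blob(old_kek, env.wrapped_dek)))
end
```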