ncvs-gc-data-encryption-at-rest.adoc

sidebar: sidebar
permalink: ehc/ncvs-gc-data-encryption-at-rest.html
keywords: aes-256 encryption, cmek
summary: All volumes in Cloud Volumes Service are encrypted at rest using AES-256 encryption, which means all user data written to media is encrypted and can only be decrypted with a per-volume key.

Data encryption at rest

All volumes in Cloud Volumes Service are encrypted at rest using AES-256 encryption, which means all user data written to media is encrypted and can only be decrypted with a per-volume key.

  • For CVS-SW, Google-generated keys are used.

  • For CVS-Performance, the per-volume keys are stored in a key manager built into Cloud Volumes Service.

Starting in November 2021, customer-managed encryption keys (CMEK) functionality was made available in preview. This enables you to encrypt the per-volume keys with a per-project, per-region master key that is hosted in Google Key Management Service (KMS). KMS enables you to attach external key managers.

For information about configuring KMS for CVS-Performance, see Setting up customer-managed encryption keys.