Data encryption and encryption keys
This page provides information about encryption of data on Google Cloud and
about encryption keys.
Encryption in transit and at rest
Google Cloud enables
encryption in transit by default to encrypt
requests before transmission and to protect the raw data using the
Transport Layer Security (TLS) protocol.
Once data is transferred to Google Cloud to be stored, Google Cloud
applies encryption at rest by
default. To gain more control over how data is encrypted at rest,
Google Cloud customers can use Cloud Key Management Service to create, use,
rotate, and destroy encryption keys according to their own policies. These keys are called customer-managed encryption keys (CMEK).
For certain control packages, Assured Workloads can deploy a CMEK project
alongside your resources project
when you create an Assured Workloads folder.
As an alternative to CMEK, Google-owned and Google-managed encryption keys, which are provided by default,
are FIPS-140-2 compliant
and can support most control packages in
Assured Workloads. Customers can delete the CMEK project and rely solely on
Google-owned and Google-managed encryption keys. However, we recommend that you decide whether to
use CMEK keys before you create your Assured Workloads folder, because
deleting an existing CMEK that is in use can result in an inability to access or recover
data.
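A pre-deletion check for the risk described above, as an added example that is not part of the Google Cloud documentation: it walks exported resource metadata and reports every resource that still references a key in the CMEK project. The project IDs, resource names, key names and the `SAMPLE_RESOURCES` export are constructed for illustration.

```python
import re
from collections import defaultdict

# Cloud KMS key resource name, optionally followed by a key version.
KEY_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/[^/]+/keyRings/[^/]+"
    r"/cryptoKeys/[^/]+(?:/cryptoKeyVersions/\d+)?$"
)

def find_cmek_refs(node, path=""):
    """Yield (json_path, key_name) for every KMS key reference under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from find_cmek_refs(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_cmek_refs(v, f"{path}[{i}]")
    elif isinstance(node, str) and KEY_RE.search(node):
        yield path, node

def resources_blocking_deletion(resources, cmek_project):
    """Map each key in cmek_project to (resource, field) pairs still using it."""
    blocked = defaultdict(list)
    for res in resources:
        for path, key in find_cmek_refs(res):
            m = KEY_RE.search(key)
            if m.group("project") != cmek_project:
                continue  # key lives in a different project
            # Drop the version suffix so all versions of a key group together.
            base = key[m.start():].split("/cryptoKeyVersions/")[0]
            blocked[base].append((res["name"], path))
    return dict(blocked)

# Constructed sample export; field names are illustrative and not required,
# because every string value in each resource is inspected.
SAMPLE_RESOURCES = [
    {"name": "//storage.googleapis.com/example-bucket",
     "encryption": {"defaultKmsKeyName":
         "projects/example-cmek/locations/us/keyRings/aw-ring/cryptoKeys/bucket-key"}},
    {"name": "//compute.googleapis.com/projects/example-res/zones/us-central1-a/disks/disk-1",
     "diskEncryptionKey": {"kmsKeyName":
         "projects/example-cmek/locations/us-central1/keyRings/aw-ring"
         "/cryptoKeys/disk-key/cryptoKeyVersions/3"}},
    {"name": "//bigquery.googleapis.com/projects/example-res/datasets/logs",
     "defaultEncryptionConfiguration": {"kmsKeyName":
         "projects/other-project/locations/us/keyRings/r/cryptoKeys/k"}},
    {"name": "//storage.googleapis.com/default-bucket"},  # default encryption
]

if __name__ == "__main__":
    for key, users in resources_blocking_deletion(SAMPLE_RESOURCES, "example-cmek").items():
        print(key, "->", users)
```

An empty result for the CMEK project means no resource in the export still references its keys; any entry is data that would become inaccessible if the key were removed.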
Customer-managed encryption keys (CMEK)
If you need more control over the keys used to encrypt data at rest within a
Google Cloud project than Google Cloud's default encryption provides, Google Cloud services offer the ability to protect data by using
encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK).
To learn which aspects of key lifecycle and management CMEK provides, see Customer-managed encryption keys (CMEK) in the Cloud KMS documentation. For a tutorial that guides you through managing keys and encrypted data using Cloud KMS, see the quickstart or codelab.
Last updated 2025-09-01 UTC.