Data encryption and encryption keys
This page provides information about encryption of data on Google Cloud and
about encryption keys.
Encryption in transit and at rest
Google Cloud enables encryption in transit by default to encrypt
requests before transmission and to protect the raw data using the Transport
Layer Security (TLS) protocol.
Once data is transferred to Google Cloud to be stored, Google Cloud
applies encryption at rest by default. To gain more control over how data is
encrypted at rest, Google Cloud customers can use Cloud Key Management Service
to generate, use, rotate, and destroy encryption keys according to their own
policies. These keys are called customer-managed encryption keys (CMEK).
For certain control packages, Assured Workloads can deploy a CMEK project
alongside your resources project when you create an Assured Workloads folder.
As an alternative to CMEK, Google-owned and Google-managed encryption keys,
provided by default, are FIPS-140-2 compliant and can be used with most
control packages in Assured Workloads. Customers can delete the CMEK project
and rely solely on Google-owned and Google-managed encryption keys. However,
we recommend that you decide whether to use CMEK keys before you create the
Assured Workloads folder, because deleting a CMEK that is in use can result
in the inability to access or recover data.
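The deletion caveat above can be checked before a CMEK project is removed. The following is an added example, not code from Google Cloud or its documentation: it scans a constructed resource inventory for Cloud KMS key names and reports which keys in the CMEK project are still referenced. The inventory shape, project names and sample records are assumptions made for illustration.

```python
import re

# Cloud KMS key resource name, optionally followed by a key version.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/[^/]+"
    r"/keyRings/[^/]+/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/[^/]+)?$"
)

# Constructed sample inventory (assumed shape: a resource name plus its config).
CMEK = "projects/example-cmek/locations"
INVENTORY = [
    {"name": "//storage.googleapis.com/example-bucket",
     "data": {"encryption": {"defaultKmsKeyName":
              CMEK + "/us/keyRings/ring-1/cryptoKeys/bucket-key"}}},
    {"name": "//compute.googleapis.com/projects/example-res/disks/disk-1",
     "data": {"diskEncryptionKey": {"kmsKeyName": CMEK +
              "/us-central1/keyRings/ring-1/cryptoKeys/disk-key/cryptoKeyVersions/3"}}},
    {"name": "//bigquery.googleapis.com/projects/example-res/tables/t",
     "data": {"encryptionConfiguration": {"kmsKeyName":
              "projects/other-keys/locations/us/keyRings/r/cryptoKeys/k"}}},
    {"name": "//storage.googleapis.com/default-encrypted-bucket",
     "data": {"location": "US"}},  # no CMEK: uses default encryption
]

def find_kms_refs(node, path=""):
    """Yield (field_path, match) for every KMS key name in nested JSON data."""
    if isinstance(node, dict):
        for name, value in node.items():
            yield from find_kms_refs(value, f"{path}.{name}" if path else name)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_kms_refs(value, f"{path}[{i}]")
    elif isinstance(node, str):
        match = KMS_KEY_RE.match(node)
        if match:
            yield path, match

def resources_blocking_deletion(inventory, cmek_project):
    """Map each key in cmek_project to the resources that still reference it."""
    blocked = {}
    for resource in inventory:
        for field, match in find_kms_refs(resource["data"]):
            if match["project"] == cmek_project:
                key_name = match.string[:match.end("key")]  # drop version suffix
                blocked.setdefault(key_name, []).append((resource["name"], field))
    return blocked

if __name__ == "__main__":
    for key, users in resources_blocking_deletion(INVENTORY, "example-cmek").items():
        print(key, "is still used by", users)
```

An empty result for the CMEK project means no scanned resource references its keys; any entry names data that would become unreadable if the project were deleted.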
Customer-managed encryption keys (CMEK)
If you need more control over the keys used to encrypt data at rest within a Google Cloud project than what Google Cloud's default encryption provides, Google Cloud services offer the ability to protect data by using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK).
To learn which aspects of the lifecycle and management of your keys CMEK provides, see Customer-managed encryption keys (CMEK) (/kms/docs/cmek) in the Cloud KMS documentation. For a tutorial that guides you through managing keys and encrypted data using Cloud KMS, see the quickstart (/kms/docs/quickstart) or the codelab (https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms).
What's next
Learn more about creating a symmetrical key with Cloud KMS (/kms/docs/creating-keys).
Last updated 2025-09-04 UTC.