Container Registry is deprecated. Effective March 18, 2025, Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry deprecation and how to migrate to Artifact Registry, see Container Registry deprecation.
If you have compliance or regulatory requirements, you can encrypt your container
images using customer-managed encryption keys (CMEK). CMEK keys
are managed in Cloud Key Management Service. When you use CMEK, you can temporarily or
permanently disable access to an encrypted container image by disabling or
destroying the key.
Organization policy constraints
Organization policy constraints can affect usage of
Container Registry when they apply to services that Container Registry
uses.
Constraints for storage buckets
When the Cloud Storage API is in the Deny policy list for the
constraint constraints/gcp.restrictNonCmekServices, you cannot push images
to Container Registry. Container Registry does not use CMEK to create
storage buckets when the first image is pushed to a host, and you cannot
create the storage buckets manually.
If you need to enforce this organization policy constraint, consider
hosting your images in Artifact Registry instead. You can manually create
repositories in Artifact Registry that support requests to the gcr.io domain
so that you can continue to use your existing container image workflows. For
details, see
Transition to repositories with gcr.io domain support.
When constraints/gcp.restrictCmekCryptoKeyProjects is configured,
storage buckets must be encrypted with a CryptoKey from an allowed project,
folder, or organization. New buckets will use the configured key, but existing
buckets that are not compliant must be configured to use the required key by
default.
For more information about how constraints apply to Cloud Storage buckets,
see the Cloud Storage documentation about constraints.
Constraints for Pub/Sub topics
When you activate the Container Registry API in a
Google Cloud project, Container Registry tries to automatically create a
Pub/Sub topic with the topic ID gcr using Google-managed
encryption keys.
When the Pub/Sub API is in the Deny policy list for the
constraint constraints/gcp.restrictNonCmekServices, topics must be encrypted
with CMEK. Requests to create a topic without CMEK encryption will fail.
Container Registry is not directly integrated with Cloud KMS.
Instead, it is CMEK-compliant when you store
your container images in storage buckets
configured to use CMEK.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eContainer Registry uses Cloud Storage to store container images, and Cloud Storage encrypts data server-side by default.\u003c/p\u003e\n"],["\u003cp\u003eFor compliance, customer-managed encryption keys (CMEK) can be used to encrypt container images stored in Container Registry, allowing control over access by disabling or destroying the key.\u003c/p\u003e\n"],["\u003cp\u003eOrganization policy constraints, particularly those related to Cloud Storage and Pub/Sub APIs, can affect Container Registry usage, such as preventing image pushes or requiring CMEK for new storage buckets and Pub/Sub topics.\u003c/p\u003e\n"],["\u003cp\u003eIf \u003ccode\u003econstraints/gcp.restrictNonCmekServices\u003c/code\u003e is enforced, you cannot push images to Container Registry, and Artifact Registry is recommended as an alternative.\u003c/p\u003e\n"],["\u003cp\u003eContainer Registry can use CMEK by leveraging storage buckets configured with CMEK in Cloud Storage; however, this is impossible if \u003ccode\u003econstraints/gcp.restrictNonCmekServices\u003c/code\u003e is being used.\u003c/p\u003e\n"]]],[],null,["# Using customer-managed encryption keys\n\nContainer Registry stores container images in Cloud Storage. Cloud Storage\nalways [encrypts your data on the server side](/storage/docs/encryption/default-keys).\n\nIf you have compliance or regulatory requirements, you can encrypt your container\nimages using [customer-managed encryption keys (CMEK)](/kms/docs/cmek). CMEK keys\nare managed in Cloud Key Management Service. When you use CMEK, you can temporarily or\npermanently disable access to an encrypted container image by disabling or\ndestroying the key.\n\nOrganization policy constraints\n-------------------------------\n\n[Organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints) can affect usage of\nContainer Registry when they apply to services that Container Registry\nuses.\n\n### Constraints for storage buckets\n\n- When the Cloud Storage API is in the `Deny` policy list for the\n constraint `constraints/gcp.restrictNonCmekServices`, you cannot push images\n to Container Registry. Container Registry does not use CMEK to create\n storage buckets when the first image is pushed to a host, and you cannot\n create the storage buckets manually.\n\n If you need to enforce this organization policy constraint, consider\n hosting your images in Artifact Registry instead. You can manually create\n repositories in Artifact Registry that support requests to the `gcr.io` domain\n so that you can continue to use your existing container image workflows. For\n details, see\n [Transition to repositories with gcr.io domain support](/artifact-registry/docs/transition/setup-gcr-repo#analysis).\n- When `constraints/gcp.restrictCmekCryptoKeyProjects` is configured,\n storage buckets must be encrypted with a CryptoKey from an allowed project,\n folder, or organization. New buckets will use the configured key, but existing\n buckets that are not compliant must be configured to use the required key by\n default.\n\nFor more information about how constraints apply to Cloud Storage buckets,\nsee the [Cloud Storage documentation](/storage/docs/org-policy-constraints) about constraints.\n\n### Constraints for Pub/Sub topics\n\nWhen you activate the Container Registry API in a\nGoogle Cloud project, Container Registry tries to automatically create a\nPub/Sub topic with the topic ID `gcr` using Google-managed\nencryption keys.\n\nWhen the Pub/Sub API is in the `Deny` policy list for the\nconstraint `constraints/gcp.restrictNonCmekServices`, topics must be encrypted\nwith CMEK. Requests to create a topic without CMEK encryption will fail.\n\nTo create the `gcr` topic with CMEK encryption, see the Pub/Sub\n[instructions for encrypting topics](/pubsub/docs/encryption#using-cmek).\n\nConfiguring buckets to use CMEK\n-------------------------------\n\nContainer Registry is not directly integrated with Cloud KMS.\nInstead, it is [CMEK-compliant](/kms/docs/cmek#cmek_compliance) when you store\nyour container images in storage buckets\n[configured to use CMEK](/storage/docs/encryption/customer-managed-keys).\n| **Note:** When the Cloud Storage API is in the `Deny` policy list for the organization policy constraint [constraints/gcp.restrictNonCmekServices](#org-policy-storage), you cannot create and configure CMEK on Container Registry buckets.\n\n1. If you have not done so,\n [push an image to Container Registry](/container-registry/docs/pushing-and-pulling).\n The storage bucket does not use a CMEK key yet.\n\n2. In Cloud Storage,\n [configure the storage bucket](/storage/docs/encryption/using-customer-managed-keys)\n to use the CMEK key.\n\nThe bucket name for a registry host\nhas one of the following formats:\n\n- `artifacts.`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`.appspot.com` for images stored on the host `gcr.io`\n- \u003cvar translate=\"no\"\u003eSTORAGE-REGION\u003c/var\u003e`.artifacts.`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`.appspot.com` for images stored on `asia.gcr.io`, `eu.gcr.io`, or `us.gcr.io`.\n\nWhat's next?\n------------\n\n- Learn more about [managing Container Registry images](/container-registry/docs/managing).\n- Learn more about [CMEK](/kms/docs/cmek)\n- Learn more about [Cloud Storage](/storage/docs)"]]
