Security and encryption

Database Migration Service protects your data during and after migration. The following security and encryption features ensure the safety of your migration:

  • Customer-managed encryption keys (CMEK) encrypt data at rest.
  • Encryption methods, such as SSL/TLS certificates and Private Service Connect, secure network connections between the source and destination databases.
  • Identity and Access Management (IAM) practices ensure access control.

Homogeneous and heterogeneous migrations have different security options. For homogeneous migrations, destination databases support CMEK natively while heterogeneous migrations require Database Migration Service to additionally encrypt data at rest during conversion to a temporary database.

Learn more in the sections that follow:

Secure homogeneous migrations

Select your homogeneous migration scenario to view security and encryption options that your migration supports:

MySQL to Cloud SQL for MySQL

CMEK

You can migrate to Cloud SQL destinations where you configure CMEK to secure your data. For more information, see Use customer-managed encryption keys (CMEK) in the Cloud SQL documentation.

Secure network connectivity

Database Migration Service supports SSL/TLS connectivity for your migration. You can upload your own encryption certificates when you create the source connection profile. For more information, see Create a source connection profile.

IAM

With IAM, you can control access to your migration resources. For more information, see IAM authentication.

PostgreSQL to Cloud SQL for PostgreSQL

CMEK

You can migrate to Cloud SQL destinations where you configure CMEK to secure your data. For more information, see Use customer-managed encryption keys (CMEK) in the Cloud SQL documentation.

Secure network connectivity

Database Migration Service supports SSL/TLS connectivity for your migration. You can upload your own encryption certificates when you create the source connection profile. For more information, see Create a source connection profile.

IAM

With IAM, you can control access to your migration resources. For more information see IAM authentication.

PostgreSQL to AlloyDB for PostgreSQL

CMEK

You can migrate to AlloyDB destinations where you configure CMEK to secure your data. For more information, see About CMEK in the AlloyDB documentation.

Secure network connectivity

Database Migration Service supports SSL/TLS connectivity for your migration. You can upload your own encryption certificates when you create the source connection profile. For more information, see Create a source connection profile.

IAM

With IAM, you can control access to your migration resources. For more information, see Manage IAM authentication.

SQL Server to Cloud SQL for SQL Server

CMEK

You can migrate to Cloud SQL destinations where you configure CMEK to secure your data. For more information, see Use customer-managed encryption keys (CMEK) in the Cloud SQL documentation.

Migrate encrypted databases

Database Migration Service supports migrating encrypted columns. For more information, see Use encrypted SQL Server backup files.

IAM

With IAM, you can control access to your migration resources. For more information, see IAM authentication

Secure heterogeneous migrations

Select your heterogeneous migration scenario to view security and encryption options that your migration supports:

Oracle to Cloud SQL for PostgreSQL

CMEK

Database Migration Service supports CMEK in the migration job to secure the data at rest. For more information, see Use customer-managed encryption keys (CMEK) for continuous migrations.

Connectivity encryption

Database Migration Service supports SSL/TLS connectivity for your migration as well as other methods that accommodate differences in network access, such as IP allowlisting or using a forward SSH tunnel. For more information, see Create connection profiles.

IAM

With IAM, you can control access to your migration resources. For more information, see Access control with IAM.

Oracle to AlloyDB for PostgreSQL

CMEK

Database Migration Service supports CMEK in the migration job to secure the data at rest. For more information, see Use customer-managed encryption keys (CMEK) for continuous migrations.

Connectivity encryption

Database Migration Service supports SSL/TLS connectivity for your migration as well as other methods that accommodate differences in network access, such as IP allowlisting or using a forward SSH tunnel. For more information, see Create connection profiles.

IAM

With IAM, you can control access to your migration resources. For more information, see Access control with IAM.