Use customer-managed encryption keys
Cloud Deploy, along with its dependent services, lets you manage
your own encryption keys for storage and transit of any user data.
Cloud Deploy data
Cloud Deploy stores resource data encrypted. This storage does not include
any user data.
Cloud Deploy dependent services can use customer-managed encryption keys.
The sections that follow address the practices of each dependent service.
Cloud Build
Render and deploy operations are performed through Cloud Build,
which is CMEK compliant. For more information on configuring Cloud Build
to be CMEK compliant, see the Cloud Build documentation.
Rendering source and rendered manifests are stored in Cloud Storage
buckets.
Cloud Build stores its logs using Cloud Logging,
and Cloud Deploy explicitly turns off Cloud Storage logging
for use with Cloud Deploy.
Cloud Storage
To use CMEK with Cloud Deploy, you need to use custom
Cloud Storage buckets and [configure those buckets for CMEK](/storage/docs/encryption/customer-managed-keys).

To specify your custom, CMEK-managed Cloud Storage buckets for use with
Cloud Deploy:

- Include the [`--gcs-source-staging-dir`](https://cloud.google.com/sdk/gcloud/reference/deploy/releases/create#--gcs-source-staging-dir)
  flag on the `gcloud deploy releases create` command.

  This flag identifies the Cloud Storage bucket in which to store the
  rendering source files.
- [Change the storage location](/deploy/docs/execution-environment#changing_the_storage_location)
  in your Cloud Deploy execution environment.

  This setting identifies the Cloud Storage bucket in which to store your
  rendered manifests.

Pub/Sub topics
Cloud Deploy [uses Pub/Sub to publish notifications
to topics](/deploy/docs/subscribe-deploy-notifications). You can
[configure these topics to use customer-managed encryption keys](/pubsub/docs/encryption#using-cmek).

Logging
Cloud Deploy and its dependent services publish logs to
Cloud Logging, part of Google Cloud Observability.

You can [configure Logging for CMEK](/logging/docs/routing/managed-encryption-storage).

Last updated 2025-08-25 UTC.
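For the Cloud Storage requirement above, the following audit sketch is an added example, not code from the Cloud Deploy documentation. It checks both storage locations the page names (the staging directory and each execution config's storage location) against bucket metadata. It assumes the target and bucket resources were exported as JSON with the API field names `executionConfigs[].artifactStorage` and `encryption.defaultKmsKeyName`; every project, bucket and key name is constructed.

```python
import json

# Constructed sample data (not from a real project). Field names follow the
# Cloud Deploy Target resource and the Cloud Storage bucket resource.
TARGET = json.loads("""
{"name": "projects/example/locations/us-central1/targets/prod",
 "executionConfigs": [
   {"usages": ["RENDER"], "artifactStorage": "gs://example-cmek-artifacts/render"},
   {"usages": ["DEPLOY"]}
 ]}
""")
BUCKETS = {
    "example-cmek-artifacts": {"encryption": {"defaultKmsKeyName":
        "projects/example/locations/us-central1/keyRings/deploy/cryptoKeys/artifacts"}},
    "example-staging": {},  # bucket exists but has no default KMS key
}


def bucket_of(gs_url):
    """Return the bucket name from gs://bucket[/path], or None if unset or malformed."""
    if not gs_url or not gs_url.startswith("gs://"):
        return None
    return gs_url[len("gs://"):].split("/", 1)[0] or None


def check_location(label, gs_url, buckets):
    """Return a finding string, or None when the location is a bucket with a default KMS key."""
    bucket = bucket_of(gs_url)
    if bucket is None:
        return f"{label}: no custom bucket set"
    key = buckets.get(bucket, {}).get("encryption", {}).get("defaultKmsKeyName")
    if not key:
        return f"{label}: no default KMS key found for bucket {bucket}"
    return None


def audit(target, staging_dir, buckets):
    """Check the release staging dir and every execution config's artifactStorage."""
    findings = [check_location("--gcs-source-staging-dir", staging_dir, buckets)]
    # A target with no executionConfigs is checked as one entry with nothing set.
    for cfg in target.get("executionConfigs") or [{}]:
        label = "artifactStorage[" + ",".join(cfg.get("usages", ["default"])) + "]"
        findings.append(check_location(label, cfg.get("artifactStorage"), buckets))
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in audit(TARGET, "gs://example-staging/source", BUCKETS):
        print(finding)
```

An execution config that omits the storage location is reported rather than skipped, because the page requires custom buckets for CMEK.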