This page discusses client-side encryption, which is any data encryption you perform prior to sending your data to Cloud Storage.
When you perform client-side encryption, you must create and manage your own encryption keys, and use your own tools to encrypt data prior to sending it to Cloud Storage. Data that you encrypt on the client side arrives at Cloud Storage in an encrypted state. Google Distributed Cloud (GDC) air-gapped has no knowledge of the keys you use to encrypt the data.
When GDC receives your data, it encrypts the data a second time. This second encryption is server-side encryption, which GDC manages. When you retrieve your data, GDC removes the server-side layer of encryption. You must decrypt the client-side layer yourself.
Use multiple encryption methods
Depending on your requirements, use more than one encryption method at a time. For example:
- Use a KMS to protect appliance nodes and also use a drive security feature to double encrypt data on the self-encrypting drives in the same appliances.
- Use a KMS to secure data on appliance nodes and also an option to encrypt all objects when they are ingested.
If only a small portion of your objects require encryption, consider controlling encryption at the bucket or individual object level instead. Enabling multiple levels of encryption has an additional performance cost.
GDC data encryption
GDC Storage encrypts your data on the server side, before it writes the data to disk, at no additional charge. Besides this standard, Google-managed behavior, there are additional ways to encrypt your data when using GDC Storage.
An encryption option available to you is the client-side encryption, an encryption that occurs before data goes to GDC Storage. Such data arrives at GDC Storage encrypted, and undergoes server-side encryption.