Granularity of default encryption for Google Cloud services
Each Google Cloud service splits data at a different level of granularity
for default encryption at rest.
This document describes the granularity of default encryption for customer content in each service, that is, how much data is encrypted under a single data encryption key (DEK). Customer content is data that you generate yourself or provide to us, such as objects stored in Cloud Storage, disk snapshots used by Compute Engine, and IAM policies. Customer content doesn't include customer metadata, such as resource names. In some services, all metadata is encrypted with a single DEK.

For more information about encryption options, including options that permit logical data separation, see Keys in Google Cloud.
| Type | Google Cloud service | Granularity of customer data encryption (size of data encrypted with a single DEK) |
|---|---|---|
| Storage | Bigtable | For each data chunk (several for each table) |
| Storage | Datastore | For each data chunk (not unique to a single customer) |
| Storage | Firestore | For each data chunk (not unique to a single customer) |
| Storage | Spanner | For each data chunk (several for each table) |
| Storage | Cloud SQL | Second generation: for each instance, as in Google Compute Engine (each instance could contain multiple databases). First generation: for each instance |
| Storage | Cloud Storage | For each data chunk (typically 256 KB to 8 MB) |
| Compute | App Engine | For each data chunk (not unique to a single customer). App Engine includes application code and application settings. Data used in App Engine is stored in Datastore, Cloud SQL, or Cloud Storage, depending on customer configuration. |
| Compute | Cloud Run functions | For each data chunk (not unique to a single customer). Cloud Run functions includes function code, settings, and event data. Event data is stored in Pub/Sub. |
| Compute | Compute Engine | Several for each disk; for each snapshot group, with individual snapshot ranges derived from the snapshot group master key; for each image |
| Compute | Google Kubernetes Engine on Google Cloud | Several for each disk, like Compute Engine |
| Compute | Artifact Registry | Stored in Cloud Storage, for each data chunk |
| Data analysis | BigQuery | One or more for each table |
| Data analysis | Dataflow | Stored in Cloud Storage, for each data chunk |
| Data analysis | Dataproc | Stored in Cloud Storage, for each data chunk |
| Data analysis | Pub/Sub | Rotated every 30 days (not unique to a single customer) |
Last updated 2025-03-21 UTC.