Stay organized with collections
Save and categorize content based on your preferences.
Cloud Storage always encrypts your data on the server side, before it is
written to disk, at no additional charge. This page discusses the standard
encryption that Cloud Storage performs. For other encryption options,
see Data Encryption Options.
Cloud Storage manages server-side encryption keys on your behalf using
the same hardened key management systems that we use for our own encrypted data,
including strict key access controls and auditing. Cloud Storage
encrypts user data at rest using AES-256, in most cases using
Galois/Counter Mode (GCM). There is no setup or
configuration required, no need to modify the way you access the service, and
no visible performance impact. Data is automatically decrypted when read by an
authorized user.
For more information about how Google Cloud and Cloud Storage manage
encryption keys, see Default encryption at rest.
To protect your data as it travels over the Internet during read and write
operations, use Transport Layer Security, commonly known as TLS or HTTPS.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Standard Cloud Storage encryption\n\nCloud Storage always encrypts your data on the server side, before it is\nwritten to disk, at no additional charge. This page discusses the standard\nencryption that Cloud Storage performs. For other encryption options,\nsee [Data Encryption Options](/storage/docs/encryption).\n\nCloud Storage manages server-side encryption keys on your behalf using\nthe same hardened key management systems that we use for our own encrypted data,\nincluding strict key access controls and auditing. Cloud Storage\nencrypts user data at rest using [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), in most cases using\n[Galois/Counter Mode (GCM)](http://wikipedia.org/wiki/Galois/Counter_Mode). There is no setup or\nconfiguration required, no need to modify the way you access the service, and\nno visible performance impact. Data is automatically decrypted when read by an\nauthorized user.\n\nFor more information about how Google Cloud and Cloud Storage manage\nencryption keys, see [Default encryption at rest](/docs/security/encryption/default-encryption).\n\nTo protect your data as it travels over the Internet during read and write\noperations, use Transport Layer Security, commonly known as TLS or HTTPS.\n\nWhat's next\n-----------\n\n- Learn more about [Choosing an encryption option](/storage/docs/encryption).\n\n- For more information about how Google-owned and Google-managed encryption keys are rotated, managed,\n and stored, see [Key management](/docs/security/encryption/default-encryption#key_management).\n\n- See [Encryption at the storage system layer](/docs/security/encryption/default-encryption#hardware) to learn about the\n encryption modes that are used in Google Cloud."]]
