Each Google Cloud service splits data at a different level of granularity for encryption. This document describes, for each service, the granularity at which customer content is encrypted. Customer content is data that you generate yourself or provide to us, like data stored in Cloud Storage, disk snapshots used by Compute Engine, and IAM policies. Customer content doesn't include customer metadata, such as resource names. In some services, all metadata is encrypted with a single DEK.
| Type | Google Cloud service | Granularity of customer data encryption (size of data encrypted with a single DEK) |
|---|---|---|
| Storage | Bigtable | For each data chunk (several for each table) |
| Storage | Datastore | For each data chunk (not unique to a single customer) |
| Storage | Firestore | For each data chunk (not unique to a single customer) |
| Storage | Spanner | For each data chunk (several for each table) |
| Storage | Cloud SQL | Second generation: for each instance, as in Compute Engine (each instance could contain multiple databases). First generation: for each instance. |
| Storage | Cloud Storage | For each data chunk (typically 256 KB to 8 MB) |
| Compute | App Engine | For each data chunk (not unique to a single customer). App Engine includes application code and application settings. Data used in App Engine is stored in Datastore, Cloud SQL, or Cloud Storage depending on customer configurations. |
| Compute | Cloud Functions | For each data chunk (not unique to a single customer). Cloud Functions includes function code, settings, and event data. Event data is stored in Pub/Sub. |
| Compute | Compute Engine | For each snapshot group, with individual snapshot ranges derived from the snapshot group master key |
| Compute | Google Kubernetes Engine on Google Cloud | Several for each disk, like Compute Engine |
| Compute | Artifact Registry | Stored in Cloud Storage, for each data chunk |
| Data analysis | BigQuery | One or more for each table |
| Data analysis | Dataflow | Stored in Cloud Storage, for each data chunk |
| Data analysis | Dataproc | Stored in Cloud Storage, for each data chunk |
| Data analysis | Pub/Sub | Rotated every 30 days (not unique to a single customer) |
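To make the "one DEK per data chunk" granularity in the table concrete, the Go program below is an added illustration, not Google's implementation or code from this documentation: it splits an object into fixed-size chunks, encrypts each chunk under its own freshly generated DEK, and wraps each DEK under a single key-encryption key (KEK), so a single DEK never covers more than one chunk. The chunk size, the 32-byte keys, the AES-GCM construction, and the EncryptedChunk layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// EncryptedChunk is one stored unit: the chunk ciphertext plus that chunk's own
// DEK wrapped under the key-encryption key (KEK). Both blobs are nonce||ciphertext.
type EncryptedChunk struct{ WrappedDEK, Ciphertext []byte }
// gcm builds AES-256-GCM; only 32-byte keys are ever passed, so errors cannot occur.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal encrypts plaintext under key with a fresh random 96-bit nonce (nonce||ct).
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; GCM's tag check fails for a wrong key or a foreign chunk.
func open(key, data []byte) ([]byte, error) {
	return gcm(key).Open(nil, data[:12], data[12:], nil)
}
// EncryptChunked encrypts each chunkSize piece of data under its own random DEK.
func EncryptChunked(kek, data []byte, chunkSize int) []EncryptedChunk {
	var out []EncryptedChunk
	for len(data) > 0 {
		n := chunkSize
		if n > len(data) {
			n = len(data)
		}
		dek := make([]byte, 32) // fresh AES-256 DEK covering this chunk only
		rand.Read(dek)
		out = append(out, EncryptedChunk{seal(kek, dek), seal(dek, data[:n])})
		data = data[n:]
	}
	return out
}
// DecryptChunk unwraps one chunk's DEK with the KEK and decrypts only that chunk.
func DecryptChunk(kek []byte, c EncryptedChunk) ([]byte, error) {
	dek, err := open(kek, c.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, c.Ciphertext)
}
```

The chunkSize parameter plays the role of the table's granularity column: exposure of one DEK reveals at most chunkSize bytes, and a DEK taken from one chunk fails GCM authentication on any other chunk.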
What's next

Read more about default encryption at rest.