Encryption at rest with Google storage buckets


We are Binx. We make every organization cloud-native.

Google Cloud Storage buckets are Google's service for storing unstructured data that is accessed by a key. By default Google encrypts and decrypts the data
to and from disk using a Google-managed encryption key. In this blog we will show you how to use a customer-managed key for encryption instead.

Enabling encryption at rest

As with all Google Cloud services, encryption is applied both in transit and at rest. This means that the easiest way to enable encryption at rest is simply to
create a bucket using Terraform:

# the current project, used below to make the bucket names globally unique
data "google_project" "current" {}

resource "google_storage_bucket" "with-google-managed-encryption-key" {
  name     = "gcp-managed-encryption-key-bucket-${data.google_project.current.number}"
  location = "EU"
  # no encryption block: objects are still encrypted at rest, with a Google-managed key
}

Enabling encryption with customer managed key

If you want to use your own key to encrypt the data, you first have to create a key ring and a cryptographic key in it:

# the key the bucket will encrypt with; it lives in the key ring declared below
resource "google_kms_crypto_key" "gcs" {
  name            = "gcs-key"
  key_ring        = "${google_kms_key_ring.gcs.self_link}"
  rotation_period = "86401s"
}

resource "google_kms_key_ring" "gcs" {
  name     = "gcs-key"
  location = "global"
}

Now you can create a storage bucket with the specified key:

resource "google_storage_bucket" "with-customer-encryption-key" {
  name     = "customer-managed-encryption-key-bucket-${data.google_project.current.number}"
  location = "EU"

  encryption {
    # objects written from now on are encrypted with this key unless a request names another one
    default_kms_key_name = "${google_kms_crypto_key.gcs.self_link}"
  }
}

If you now try to copy a file to the bucket, you will see the following error:

$ gsutil cp encrypted-buckets.tf gs://customer-managed-encryption-key-bucket-123123123126/
Copying file://encrypted-buckets.tf [Content-Type=application/octet-stream]...
AccessDeniedException: 403 Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account  has been authorized to use this key.

To solve this, add the project's Cloud Storage service account as a member of the project in the role of Cloud KMS CryptoKey Encrypter/Decrypter:

resource "google_project_iam_member" "grant-google-storage-service-encrypt-decrypt" {
  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  # the Google-managed Cloud Storage service account of this project, which wraps and unwraps object keys
  member  = "serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com"
}
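Applying the Terraform above does not by itself prove that your data is under the customer-managed key: objects written before the default key was set keep the Google-managed encryption they were written with, and object metadata records the exact key version, so after a rotation a plain string comparison with the bucket default fails. The following audit script is an added example, not code from the blog post or the binxio repository. It assumes the google-cloud-storage client library and application default credentials for the live path; the sample inventory at the bottom is constructed, with the key name the Terraform above would produce in a project called "demo".

```python
"""Audit a Cloud Storage bucket for customer-managed encryption (CMEK).

Added example, not code from the blog post or the binxio repository.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ObjectInfo:
    """The two fields of object metadata this audit needs."""
    name: str
    kms_key_name: Optional[str]  # None: encrypted with a Google-managed key


@dataclass
class AuditResult:
    bucket: str
    default_key: Optional[str]
    default_key_ok: bool
    non_cmek_objects: List[str] = field(default_factory=list)   # Google-managed key
    wrong_key_objects: List[str] = field(default_factory=list)  # a CMEK, but not ours

    @property
    def ok(self) -> bool:
        return self.default_key_ok and not self.non_cmek_objects and not self.wrong_key_objects


def key_matches(object_key: Optional[str], expected_key: str) -> bool:
    """Compare an object's key with the expected key, ignoring the key version.

    Object metadata records the key *version* that encrypted the object
    (.../cryptoKeys/gcs-key/cryptoKeyVersions/3), whereas the bucket default
    and the Terraform reference name the key itself, so after a rotation the
    two strings differ only in the version suffix.
    """
    if not object_key:
        return False
    return object_key.split("/cryptoKeyVersions/")[0] == expected_key


def audit_bucket(bucket: str, default_key: Optional[str],
                 objects: List[ObjectInfo], expected_key: str) -> AuditResult:
    """Classify the bucket default and every object against expected_key."""
    result = AuditResult(bucket, default_key, default_key == expected_key)
    for obj in objects:
        if obj.kms_key_name is None:
            result.non_cmek_objects.append(obj.name)
        elif not key_matches(obj.kms_key_name, expected_key):
            result.wrong_key_objects.append(obj.name)
    return result


def fetch_live_inventory(bucket_name: str):
    """Read the same data from a real bucket. Assumes google-cloud-storage is
    installed and credentials are configured; not exercised offline."""
    from google.cloud import storage

    client = storage.Client()
    bucket = client.get_bucket(bucket_name)
    objects = [ObjectInfo(b.name, b.kms_key_name) for b in client.list_blobs(bucket_name)]
    return bucket.default_kms_key_name, objects


# Constructed sample inventory (not from a real project): the expected key is
# the one the Terraform above would create in a project called "demo".
EXPECTED_KEY = "projects/demo/locations/global/keyRings/gcs-key/cryptoKeys/gcs-key"
SAMPLE_OBJECTS = [
    ObjectInfo("reports/2019-q1.csv", EXPECTED_KEY + "/cryptoKeyVersions/1"),
    ObjectInfo("reports/2019-q2.csv", EXPECTED_KEY + "/cryptoKeyVersions/2"),  # written after a rotation
    ObjectInfo("legacy/before-cmek.txt", None),                               # pre-dates the default key
    ObjectInfo("other/explicit-key.bin",
               "projects/demo/locations/global/keyRings/other/cryptoKeys/other/cryptoKeyVersions/1"),
]

if __name__ == "__main__":
    r = audit_bucket("customer-managed-encryption-key-bucket-demo",
                     EXPECTED_KEY, SAMPLE_OBJECTS, EXPECTED_KEY)
    print("default key ok:", r.default_key_ok)
    print("objects under a Google-managed key:", r.non_cmek_objects)
    print("objects under another key:", r.wrong_key_objects)
```

Objects that show up in non_cmek_objects have to be rewritten (a copy onto themselves is enough) to bring them under the key. Note also that the google_project_iam_member binding above lets the Cloud Storage service account use every key in the project; if the project holds other keys, binding the role on the single key with google_kms_crypto_key_iam_member is the tighter choice.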

Source code

The source code for this project can be found at https://github.com/binxio.encryption-at-rest-gcp.


Encryption at rest is a standard feature of Google Cloud Storage: all objects in a bucket are encrypted at rest. If you wish, you can use a customer-managed key from Google KMS instead of the default Google-managed one. If you liked this blog, you might also like our blog on encryption at rest in AWS S3.

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.