Encryption at rest with Google storage buckets

14 Nov, 2018

Google Cloud Storage buckets are Google's service for storing unstructured data that is accessed by key. By default Google encrypts the data on its way to disk and decrypts it on the way back using a Google-managed encryption key. In this blog we show you how to use a customer-managed key for that encryption instead.

Enabling encryption at rest

As with all Google Cloud services, encryption is applied both in transit and at rest, which means that the easiest way to enable encryption at rest is simply to create a bucket, for example with Terraform:

# The project the provider is configured for; its number is used in the bucket names below.
data "google_project" "current" {}

# No encryption block: objects are encrypted at rest with a Google-managed key.
resource "google_storage_bucket" "with-google-managed-encryption-key" {
  name     = "gcp-managed-encryption-key-bucket-${data.google_project.current.number}"
  location = "EU"
}

Enabling encryption with customer managed key

If you want to use your own keys with which the data is encrypted, you first have to create a cryptographic key with a key ring:

# The key ring that holds the key; a key ring cannot be deleted once created.
resource "google_kms_key_ring" "gcs" {
  name     = "gcs-key"
  location = "global"
}

# The symmetric key Cloud Storage will use; Cloud KMS creates a new key
# version every rotation_period (minimum one day).
resource "google_kms_crypto_key" "gcs" {
  name            = "gcs-key"
  key_ring        = "${google_kms_key_ring.gcs.self_link}"
  rotation_period = "86401s"
}

Now you can create a storage bucket with the specified key:

resource "google_storage_bucket" "with-customer-encryption-key" {
  name     = "customer-managed-encryption-key-bucket-${data.google_project.current.number}"
  location = "EU"

  # Objects written after this is set are encrypted with the customer-managed key.
  encryption {
    default_kms_key_name = "${google_kms_crypto_key.gcs.self_link}"
  }
}

If you now try to copy a file to the bucket, you will see the following error:

$ gsutil cp \
Copying file:// [Content Type=application/octet-stream]...
AccessDeniedException: 403 Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account  has been authorized to use this key.

To solve this, add the Google Storage Service account as a member of the project in the role of Cloud KMS CryptoKey Encrypter/Decrypter:

# Grants the Cloud Storage service agent of this project the right to use every
# key in the project. The address is the standard Cloud Storage service agent
# (service-<project number>@gs-project-accounts.iam.gserviceaccount.com).
# For a tighter scope the same role can be bound on the single key instead,
# using google_kms_crypto_key_iam_member.
resource "google_project_iam_member" "grant-google-storage-service-encrypt-decrypt" {
  role   = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member = "serviceAccount:service-${data.google_project.current.number}@gs-project-accounts.iam.gserviceaccount.com"
}
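Once the grant is in place it is worth confirming that objects really are stored under the customer-managed key, because the bucket default only applies to objects written after it was set. The script below is an added example, not code from the original post: it parses `gsutil stat` output, assuming the key is reported as a `KMS key:` line that includes the key version; the project, bucket, key and sample output are constructed.

```shell
#!/usr/bin/env sh
# Check whether an object is encrypted with the expected Cloud KMS key by
# parsing `gsutil stat` output. In real use, feed it:
#   gsutil stat gs://<bucket>/<object> | check_cmek "$EXPECTED_KEY"

# Print the "KMS key:" value from `gsutil stat` output on stdin, with the
# trailing /cryptoKeyVersions/N stripped; prints nothing when the object
# carries no customer-managed key (i.e. it uses the Google-managed key).
kms_key_of() {
  sed -n 's#^ *KMS key: *##p' | sed 's#/cryptoKeyVersions/[0-9]*$##' | head -n 1
}

# Exit status: 0 = encrypted with key $1, 1 = encrypted with another key,
# 2 = no KMS key reported (object still under the Google-managed key).
check_cmek() {
  expected="$1"
  actual="$(kms_key_of)"
  [ -n "$actual" ] || return 2
  [ "$actual" = "$expected" ] || return 1
  return 0
}

# Constructed key resource name matching the Terraform above (project name assumed).
EXPECTED_KEY="projects/my-project/locations/global/keyRings/gcs-key/cryptoKeys/gcs-key"

# Constructed `gsutil stat` output for an object written after the default key was set.
CMEK_STAT='gs://customer-managed-encryption-key-bucket-123456/report.bin:
    Creation time:          Wed, 14 Nov 2018 10:00:00 GMT
    Storage class:          STANDARD
    KMS key:                projects/my-project/locations/global/keyRings/gcs-key/cryptoKeys/gcs-key/cryptoKeyVersions/1
    Content-Type:           application/octet-stream
    Metageneration:         1'

# Constructed output for an object uploaded before the bucket got its default
# key: it stays under the Google-managed key, so there is no "KMS key:" line.
PLAIN_STAT='gs://customer-managed-encryption-key-bucket-123456/old.bin:
    Creation time:          Mon, 12 Nov 2018 09:00:00 GMT
    Storage class:          STANDARD
    Content-Type:           application/octet-stream
    Metageneration:         1'

main() {
  printf '%s\n' "$CMEK_STAT" | check_cmek "$EXPECTED_KEY" && echo "report.bin: CMEK ok"
  printf '%s\n' "$PLAIN_STAT" | check_cmek "$EXPECTED_KEY" || echo "old.bin: not under CMEK (rc=$?)"
}

main "$@"
```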

Source code

The source code for this project can be found at


Encryption at rest is a standard feature of Google Cloud Storage: all objects in a bucket are encrypted at rest. If you wish, you can use a customer-managed key from Google Cloud KMS instead of the Google-managed one. If you liked this blog, you might also like our post on encryption at rest in AWS S3.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
