Overview

Customer Managed Encryption Keys (CMEK)

  • Key created and managed with Cloud KMS
  • Assigned to resource
  • Alternative to Google-managed keys
  • Not necessarily more secure:
    • Costs more than Google-managed keys
    • Can control lifecycle of keys

Customer Supplied Encryption Keys (CSEK)

  • Customer specifies contents of key material
  • Keys stored on-prem, or in external service
  • Compatible with Cloud Storage and Compute Engine
