Overview
Customer Managed Encryption Keys (CMEK)
- Key created and managed with Cloud KMS
- Assigned to resource
- Alternative to Google-managed keys
- Not necessarily more secure:
- Incurs more costs than Google-managed
- Can control lifecycle of keys
Customer Supplied Encryption Keys (CSEK)
- Customer specifies contents of key material
- Keys stored on-prem, or in external service
- Compatible with Cloud Storage and Compute Engine
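
To make the CSEK bullets concrete, here is an added example (not part of the original notes) that generates key material locally and builds the three request headers the Cloud Storage XML API uses for a customer-supplied key. The function names and the redaction helper are illustrative assumptions, and the all-zero key is constructed sample input only.

```python
import base64
import binascii
import hashlib
import secrets

KEY_BYTES = 32  # a Cloud Storage CSEK is a 256-bit AES key


def new_csek() -> str:
    """Generate key material locally and return it base64-encoded."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def csek_headers(key_b64: str) -> dict:
    """Build the per-request headers that carry a customer-supplied key."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key is not valid standard base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES} bytes, got {len(raw)}")
    digest = hashlib.sha256(raw).digest()
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        # SHA-256 of the raw key bytes, base64-encoded
        "x-goog-encryption-key-sha256": base64.b64encode(digest).decode("ascii"),
    }


def redact(headers: dict) -> dict:
    """Return a copy that is safe to log: the key is removed, the hash is kept."""
    safe = dict(headers)
    safe["x-goog-encryption-key"] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed sample key (all zero bytes); never use a fixed key in practice.
    sample = base64.b64encode(bytes(KEY_BYTES)).decode("ascii")
    print(redact(csek_headers(sample)))
    print(redact(csek_headers(new_csek())))
```

Because the customer holds the only copy of the key, losing it makes the encrypted data unrecoverable, so the key belongs in the on-prem or external key store the notes mention and never in logs.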