Each Google Cloud service splits data at a different level of granularity for encryption. This document describes the granularity of encryption of customer content for each service. Customer content is data that you generate yourself or provide to us, such as data stored in Cloud Storage, disk snapshots used by Compute Engine, and IAM policies. Customer content doesn't include customer metadata, such as resource names. In some services, all metadata is encrypted with a single DEK.
Type | Google Cloud service | Granularity of customer data encryption (size of data encrypted with a single DEK)
---|---|---
Storage | Bigtable | For each data chunk (several for each table)
Storage | Datastore | For each data chunk (not unique to a single customer)
Storage | Firestore | For each data chunk (not unique to a single customer)
Storage | Spanner | For each data chunk (several for each table)
Storage | Cloud SQL |
Storage | Cloud Storage | For each data chunk (typically 256KB-8MB)
Compute | App Engine | For each data chunk (not unique to a single customer). App Engine includes application code and application settings. Data used in App Engine is stored in Datastore, Cloud SQL, or Cloud Storage depending on customer configurations.
Compute | Cloud Run functions | For each data chunk (not unique to a single customer). Cloud Run functions includes function code, settings, and event data. Event data is stored in Pub/Sub.
Compute | Compute Engine |
Compute | Google Kubernetes Engine on Google Cloud | Several for each disk, like Compute Engine
Compute | Artifact Registry | Stored in Cloud Storage, for each data chunk
Data analysis | BigQuery | One or more for each table
Data analysis | Dataflow | Stored in Cloud Storage, for each data chunk
Data analysis | Dataproc | Stored in Cloud Storage, for each data chunk
Data analysis | Pub/Sub | Rotated every 30 days (not unique to a single customer)
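To make the "one DEK per data chunk" model in the table concrete, here is an added Go example (not Google's code and not how Google Cloud implements it internally) of chunk-level envelope encryption: each chunk gets its own DEK, and each DEK is wrapped under one KEK. The 16-byte ChunkSize and the 32-byte keys are constructed demo values; real chunks are 256KB-8MB.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// ChunkSize is a constructed demo value; Cloud Storage chunks are 256KB-8MB.
const ChunkSize = 16
// EncryptedChunk: a chunk sealed with its own DEK, plus that DEK sealed with the KEK.
type EncryptedChunk struct{ WrappedDEK, Ciphertext []byte }
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // errors only on a bad key length: a caller bug
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts pt under key with AES-256-GCM and a fresh nonce (prepended); open
// reverses it and fails on a wrong key or any tampering, since GCM authenticates.
func seal(key, pt []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, data []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(data) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// EncryptChunked draws a fresh DEK per ChunkSize piece, seals the piece with it and
// wraps the DEK under the KEK: one exposed DEK reveals one chunk, and a KEK rotation
// re-wraps the DEKs without re-encrypting the data.
func EncryptChunked(kek, data []byte) (out []EncryptedChunk) {
	for start := 0; start < len(data); start += ChunkSize {
		end := start + ChunkSize
		if end > len(data) { end = len(data) }
		dek := make([]byte, 32)
		if _, err := rand.Read(dek); err != nil { panic(err) }
		out = append(out, EncryptedChunk{seal(kek, dek), seal(dek, data[start:end])})
	}
	return out
}

// DecryptChunk unwraps one chunk's DEK with the KEK and decrypts only that chunk.
func DecryptChunk(kek []byte, c EncryptedChunk) ([]byte, error) {
	dek, err := open(kek, c.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, c.Ciphertext)
}
```

Reading one chunk never requires the DEKs of the others, which is what makes per-chunk granularity limit the blast radius of a single exposed DEK.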
What's next
Read more about default encryption at rest.