Encryption of secrets

Secret Manager always encrypts your secret data before it is persisted to disk. This page discusses the default encryption that Secret Manager performs. To learn more about Google Cloud encryption options, refer to Encryption at rest.

Secret Manager manages server-side encryption keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Secret Manager encrypts user data at rest using AES-256. There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Your secret data is automatically and transparently decrypted when accessed by an authorized user.

The Secret Manager API always communicates over a secure HTTP(S) connection.

Customer-managed encryption keys (CMEK)

Customer-managed encryption keys (CMEK) refers to the ability to control and manage the encryption keys used to protect data related to a Google Cloud service.

See CMEK documentation for details on how to configure and use customer-managed encryption keys.
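To see which secrets rely on the default encryption described above and which are protected with CMEK, you can inspect each secret's replication policy. The following is an added example, not part of the original page or of Google's own samples. It assumes the Secret Manager v1 `Secret` resource fields `replication.automatic`, `replication.userManaged.replicas[]` and `customerManagedEncryption.kmsKeyName`, and it runs on a constructed sample shaped like `gcloud secrets list --format=json` output.

```python
import json

# Constructed sample; project, secret and key names are placeholders.
SAMPLE = json.loads("""
[
  {"name": "projects/example-project/secrets/db-password",
   "replication": {"automatic": {}}},
  {"name": "projects/example-project/secrets/api-token",
   "replication": {"automatic": {"customerManagedEncryption": {"kmsKeyName":
     "projects/example-project/locations/global/keyRings/kr/cryptoKeys/sm"}}}},
  {"name": "projects/example-project/secrets/signing-key",
   "replication": {"userManaged": {"replicas": [
     {"location": "us-east1", "customerManagedEncryption": {"kmsKeyName":
       "projects/example-project/locations/us-east1/keyRings/kr/cryptoKeys/sm"}},
     {"location": "us-west1", "customerManagedEncryption": {"kmsKeyName":
       "projects/example-project/locations/us-west1/keyRings/kr/cryptoKeys/sm"}}]}}}
]
""")


def classify_encryption(secret):
    """Map each replica to its CMEK key name (None = default encryption)."""
    rep = secret.get("replication", {})
    if "automatic" in rep:
        cme = rep["automatic"].get("customerManagedEncryption") or {}
        keys = {"automatic": cme.get("kmsKeyName")}
    else:
        keys = {
            r.get("location", "unknown"):
                (r.get("customerManagedEncryption") or {}).get("kmsKeyName")
            for r in rep.get("userManaged", {}).get("replicas", [])
        }
    with_key = [k for k in keys.values() if k]
    if not keys:
        mode = "unknown"         # record carries no replication policy
    elif not with_key:
        mode = "google-default"  # still encrypted at rest, with Google-managed keys
    elif len(with_key) == len(keys):
        mode = "cmek"
    else:
        mode = "mixed"           # defensive case: flag the record for review
    return {"name": secret.get("name"), "mode": mode, "keys": keys}


def secrets_without_cmek(secrets):
    """Names of secrets that are not fully covered by customer-managed keys."""
    return [c["name"] for c in map(classify_encryption, secrets) if c["mode"] != "cmek"]


if __name__ == "__main__":
    for s in SAMPLE:
        c = classify_encryption(s)
        print(f'{c["mode"]:15} {c["name"]}')
```
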


Last updated 2025-12-19 UTC.