Encryption at rest
By default, BigQuery encrypts customer content at rest. BigQuery handles encryption for you without any additional actions on your part. This option is called Google default encryption. Google default encryption uses the same hardened key management systems that we use for our own encrypted data. These systems include strict key access controls and auditing. Each BigQuery object's data and metadata is encrypted using the Advanced Encryption Standard (AES).
If you want to control your encryption keys, then you can use customer-managed encryption keys
(CMEKs) in Cloud KMS with CMEK-integrated services including
BigQuery. Using Cloud KMS keys gives you control over their protection
level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets
you view audit logs and control key lifecycles.
Instead of Google owning and managing the symmetric
key encryption keys (KEKs) that protect your data, you control and
manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your
BigQuery resources is similar to using Google default encryption.
For more information about your encryption options, see Customer-managed Cloud KMS keys.
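As an added example (not code from the original page), the following GoogleSQL DDL puts a dataset and its tables under a customer-managed key and then queries INFORMATION_SCHEMA to verify which key protects each table. The project, dataset, table, key ring and key names are placeholders. The Cloud KMS key must already exist in the same location as the dataset, and the project's BigQuery service account must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on that key before the DDL runs.

```sql
-- Added example; assumed placeholders: my-project, my_dataset, bq-ring, bq-key, pii-key.
-- Key and dataset locations must match (here both are the 'us' multi-region).

-- 1. Dataset whose new tables are protected with this key by default.
CREATE SCHEMA `my-project.my_dataset`
OPTIONS (
  location = 'us',
  default_kms_key_name =
    'projects/my-project/locations/us/keyRings/bq-ring/cryptoKeys/bq-key'
);

-- 2. A table that inherits the dataset default (no kms_key_name needed) ...
CREATE TABLE `my-project.my_dataset.orders` (
  order_id    INT64,
  customer_id STRING,
  amount      NUMERIC
);

-- ... and one that overrides the default with a separate key, so the
-- sensitive table can be rotated, restricted or disabled independently.
CREATE TABLE `my-project.my_dataset.pii` (
  customer_id STRING,
  email       STRING
)
OPTIONS (
  kms_key_name =
    'projects/my-project/locations/us/keyRings/bq-ring/cryptoKeys/pii-key'
);

-- 3. Check the dataset default. A dataset with no row here has no default CMEK.
SELECT schema_name, option_value AS default_kms_key_name
FROM `region-us`.INFORMATION_SCHEMA.SCHEMATA_OPTIONS
WHERE option_name = 'default_kms_key_name';

-- 4. Check every table in the dataset. A NULL kms_key_name means the table
--    is under Google default encryption rather than a key you control.
SELECT
  t.table_name,
  o.option_value AS kms_key_name
FROM `my-project.my_dataset`.INFORMATION_SCHEMA.TABLES AS t
LEFT JOIN `my-project.my_dataset`.INFORMATION_SCHEMA.TABLE_OPTIONS AS o
  ON o.table_name = t.table_name AND o.option_name = 'kms_key_name'
WHERE t.table_type = 'BASE TABLE'
ORDER BY t.table_name;
```

The two INFORMATION_SCHEMA queries are the check to run after enabling CMEK: they expose tables created before the dataset default was set, which keep Google default encryption. Once a table is under a key you control, removing the service account's role on the key, or disabling the key, stops BigQuery from reading or writing that table, and every use of the key appears in Cloud KMS audit logs.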
Encryption of individual values in a table
If you want to encrypt individual values within a BigQuery table, use the Authenticated Encryption with Associated Data (AEAD) encryption functions. If you want to keep data for all of your own customers in a common table, use AEAD functions to encrypt each customer's data using a different key. The AEAD encryption functions are based on AES. For more information, see AEAD Encryption Concepts in GoogleSQL.
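The per-customer pattern described above, as an added example written for this page rather than taken from it. It keeps one keyset per customer in a separate table, encrypts each row with its owner's keyset, binds the ciphertext to the customer ID through the additional data argument, and decrypts for a single customer. Project, dataset and table names, and the customer rows, are constructed placeholders.

```sql
-- Added example; assumed placeholders: my-project, my_dataset, customer_keys,
-- events_plain, events, and the constructed customer IDs and payloads.

-- 1. One AES-GCM keyset per customer. Keyset bytes are stored in plaintext here,
--    so lock this table down with IAM or, for an extra layer, wrap the keysets
--    with Cloud KMS (KEYS.NEW_WRAPPED_KEYSET and KEYS.KEYSET_CHAIN).
CREATE TABLE `my-project.my_dataset.customer_keys` AS
SELECT customer_id, KEYS.NEW_KEYSET('AEAD_AES_GCM_256') AS keyset
FROM UNNEST(['cust-001', 'cust-002']) AS customer_id;

-- 2. Constructed plaintext rows for two customers sharing one table.
CREATE TABLE `my-project.my_dataset.events_plain` AS
SELECT 'cust-001' AS customer_id, 1 AS event_id, 'alice@example.com' AS payload
UNION ALL
SELECT 'cust-002', 2, 'bob@example.com';

-- 3. Encrypt each row with its owner's keyset. Passing customer_id as the
--    additional data means a ciphertext copied into another customer's row
--    fails authentication on decrypt instead of silently decrypting.
CREATE TABLE `my-project.my_dataset.events` AS
SELECT
  e.customer_id,
  e.event_id,
  AEAD.ENCRYPT(k.keyset, e.payload, e.customer_id) AS payload_enc
FROM `my-project.my_dataset.events_plain` AS e
JOIN `my-project.my_dataset.customer_keys` AS k USING (customer_id);

-- 4. Decrypt for one customer only: the join supplies that customer's keyset.
SELECT
  e.event_id,
  AEAD.DECRYPT_STRING(k.keyset, e.payload_enc, e.customer_id) AS payload
FROM `my-project.my_dataset.events` AS e
JOIN `my-project.my_dataset.customer_keys` AS k USING (customer_id)
WHERE e.customer_id = 'cust-001';

-- 5. Deleting a customer's keyset makes that customer's rows permanently
--    unreadable without rewriting the shared events table.
DELETE FROM `my-project.my_dataset.customer_keys`
WHERE customer_id = 'cust-002';
```

The design choice worth noting is the additional data: with the customer ID authenticated alongside the ciphertext, a row whose ciphertext and customer_id disagree cannot be decrypted, so mixing up rows between tenants is detected rather than hidden. Step 5 shows the operational payoff of one key per customer: deleting a customer's data reduces to deleting one keyset row.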
Client-side encryption
Client-side encryption is separate from BigQuery encryption at rest. If you choose to use client-side encryption, you are responsible for the client-side keys and cryptographic operations. You would encrypt data before writing it to BigQuery. In this case, your data is encrypted twice, first with your keys and then with Google's keys. Similarly, data read from BigQuery is decrypted twice, first with Google's keys and then with your keys.
Important: BigQuery does not know if your data has already been encrypted client-side, nor does BigQuery have any knowledge of your client-side encryption keys. If you use client-side encryption, you must securely manage your encryption keys and all aspects of client-side encryption and decryption.
Data in transit
To protect your data as it travels over the Internet during read and write operations, Trusted Cloud uses Transport Layer Security (TLS). For more information, see Encryption in transit in Trusted Cloud.
Within Google data centers, your data is encrypted when it is transferred between machines.
CMEK with Cloud KMS Autokey
You can either create CMEKs manually to protect your BigQuery resources or use Cloud KMS Autokey. With Autokey, key rings and keys are generated on demand as part of resource creation in BigQuery. Service agents that use the keys for encrypt and decrypt operations are created if they don't already exist and are granted the required Identity and Access Management (IAM) roles. For more information, see Autokey overview.
To learn how to use manually-created CMEKs to protect your BigQuery resources, see Customer-managed Cloud KMS keys.
To learn how to use CMEKs created by Cloud KMS Autokey to protect your BigQuery resources, see Using Autokey with BigQuery resources.
What's next
For more information about encryption at rest for BigQuery and other Google Cloud products, see Encryption at rest in Google Cloud.
Last updated 2025-08-25 UTC.