Enforce or restrict the encryption types for a bucket
This document describes how to configure which encryption methods are allowed
or restricted for new objects in a Cloud Storage bucket. You can
configure a bucket to enforce or restrict the use of standard encryption
(Google default encryption), customer-managed encryption keys (CMEK), or
customer-supplied encryption keys (CSEK) for any new objects that are created
within the bucket.
For example, to help meet your compliance requirements about encryption key
management, you can require that all new objects are encrypted with either
standard encryption or CMEK, and restrict the use of customer-supplied
encryption keys.
For more information about the encryption methods that are available, see
Data encryption options.
Cloud Storage enforces the encryption configuration for all actions
that create a new object, such as uploading an object, copying an object,
composing objects, and restoring a soft-deleted object.
Before you begin
To get the permissions that
you need to configure encryption enforcement for a bucket,
ask your administrator to grant you the
Storage Admin (roles/storage.admin) IAM role on the bucket.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains
the permissions required to configure encryption enforcement for a bucket. To see the exact permissions that are
required, expand the Required permissions section:
Required permissions
The following permissions are required to configure encryption enforcement for a bucket:
Set the configuration when creating a new bucket:
storage.buckets.create
Update the configuration for an existing bucket:
storage.buckets.update
If you use the Google Cloud console to perform the steps on this page:
To add a bucket label, expand the Labels section, click Add label, and
specify a key and a value for your label.
In the Choose where to store your data section, do the
following:
Use the location type's drop-down menu to select a
Location where object data
within your bucket will be permanently stored.
If you select the dual-region location
type, you can also choose to enable
turbo replication by
using the relevant checkbox.
To set up cross-bucket replication,
select Add cross-bucket replication via Storage Transfer Service and
follow the steps:
Set up cross-bucket replication
In the Bucket menu, select a bucket.
In the Replication settings section,
click Configure to configure settings for the
replication job.
The Configure cross-bucket replication pane
appears.
To filter objects to replicate by object name prefix, enter a prefix with
which you want to include or exclude objects, then click Add a prefix.
To set a storage class for the replicated objects,
select a storage class from the Storage class menu.
If you skip this step, the replicated objects will use the
destination bucket's storage class by default.
Click Done.
In the Choose how to store your data section, do the
following:
Select a default storage class for the
bucket or Autoclass for automatic storage
class management of your bucket's data.
In the Optimize storage for data-intensive workloads section,
do the following:
To enable Rapid Cache, select
Enable Rapid Cache and follow the steps:
To create caches, click Configure.
In the Configure cache settings dialog that appears, click
the drop-down arrow next to the listed regions and select the
zones where you want to create caches.
Click Done.
In the Choose how to control access to objects section, select
whether or not your bucket enforces
public access prevention, and select
uniform bucket-level access for your bucket's objects.
In the Choose how to protect object data section, do the
following:
Select any of the options under Data protection that you
want to set for your bucket.
To change the amount of time that soft delete
retains objects after deletion, select the Soft delete policy checkbox, and then
select the Set custom retention duration option. Then, specify how long you want to
retain deleted objects.
To disable soft delete, for example if the bucket will primarily contain
short-lived, temporary data, clear the Soft delete policy checkbox.
To choose how to encrypt your object data, expand the Data encryption
section, and do the following:
In the Default encryption key type section, select the default encryption key
for the bucket. If you select Cloud KMS key, then provide a
Cloud Key Management Service key.
STANDARD_ENCRYPTION_RESTRICTION_MODE:
Whether encryption using standard encryption (Google default encryption) is allowed
when creating objects in this bucket. The following values are supported:
NotRestricted: new objects can use standard encryption.
FullyRestricted: new objects can't use standard encryption.
CMEK_RESTRICTION_MODE:
Whether encryption using CMEKs is allowed when creating objects in this bucket. The
following values are supported:
NotRestricted: new objects can use CMEKs.
FullyRestricted: new objects can't use CMEKs.
CSEK_RESTRICTION_MODE:
Whether encryption using customer-supplied encryption keys is allowed when
creating objects in this bucket. The following values are supported:
NotRestricted: new objects can use customer-supplied encryption keys.
FullyRestricted: new objects can't use customer-supplied encryption keys.
You must allow at least one encryption type. If you omit the enforcement
configuration for a specific encryption type, then that encryption type is allowed
by default.
C++

#include "google/cloud/storage/client.h"
#include <chrono>
#include <iostream>
#include <thread>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& project_id,
   std::string const& bucket_name) {
  auto create_bucket = [&](std::string const& name,
                           gcs::BucketEncryption encryption) {
    StatusOr<gcs::BucketMetadata> bucket = client.CreateBucketForProject(
        name, project_id, gcs::BucketMetadata().set_encryption(encryption));
    if (!bucket) throw std::move(bucket).status();
    return bucket;
  };

  // Example 1: Enforce GMEK Only
  gcs::BucketEncryption gmek_encryption;
  gmek_encryption.google_managed_encryption_enforcement_config
      .restriction_mode = "NotRestricted";
  gmek_encryption.customer_managed_encryption_enforcement_config
      .restriction_mode = "FullyRestricted";
  gmek_encryption.customer_supplied_encryption_enforcement_config
      .restriction_mode = "FullyRestricted";
  std::cout << "Bucket "
            << create_bucket("g-" + bucket_name, gmek_encryption)->name()
            << " created with GMEK-only enforcement policy.\n";

  // In GCS, a single project cannot create or delete buckets more often than
  // once every two seconds. We pause to avoid rate limiting.
  std::this_thread::sleep_for(std::chrono::seconds(2));

  // Example 2: Enforce CMEK Only
  gcs::BucketEncryption cmek_encryption;
  cmek_encryption.google_managed_encryption_enforcement_config
      .restriction_mode = "FullyRestricted";
  cmek_encryption.customer_managed_encryption_enforcement_config
      .restriction_mode = "NotRestricted";
  cmek_encryption.customer_supplied_encryption_enforcement_config
      .restriction_mode = "FullyRestricted";
  std::cout << "Bucket "
            << create_bucket("c-" + bucket_name, cmek_encryption)->name()
            << " created with CMEK-only enforcement policy.\n";

  // In GCS, a single project cannot create or delete buckets more often than
  // once every two seconds. We pause to avoid rate limiting.
  std::this_thread::sleep_for(std::chrono::seconds(2));

  // Example 3: Restrict CSEK (Ransomware Protection)
  // Only CSEK is restricted; GMEK and CMEK are omitted and so stay allowed.
  gcs::BucketEncryption csek_encryption;
  csek_encryption.customer_supplied_encryption_enforcement_config
      .restriction_mode = "FullyRestricted";
  std::cout << "Bucket "
            << create_bucket("rc-" + bucket_name, csek_encryption)->name()
            << " created with a policy to restrict CSEK.\n";
}
Node.js

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The name of the KMS key to be used as the default
// const defaultKmsKeyName = 'my-key';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Applies a CMEK-only enforcement configuration to the bucket's metadata.
async function setBucketEncryptionEnforcementConfig() {
  const options = {
    encryption: {
      defaultKmsKeyName,
      googleManagedEncryptionEnforcementConfig: {
        restrictionMode: 'FullyRestricted',
      },
      customerSuppliedEncryptionEnforcementConfig: {
        restrictionMode: 'FullyRestricted',
      },
      customerManagedEncryptionEnforcementConfig: {
        restrictionMode: 'NotRestricted',
      },
    },
  };

  const [metadata] = await storage.bucket(bucketName).setMetadata(options);
  console.log(
    `Encryption enforcement configuration updated for bucket ${bucketName}.`
  );

  const enc = metadata.encryption;
  if (enc) {
    console.log(`Default KMS Key: ${enc.defaultKmsKeyName}`);
    const logEnforcement = (label, config) => {
      if (config) {
        console.log(`${label}:`);
        console.log(`  Mode: ${config.restrictionMode}`);
        console.log(`  Effective: ${config.effectiveTime}`);
      }
    };
    logEnforcement(
      'Google Managed (GMEK) Enforcement',
      enc.googleManagedEncryptionEnforcementConfig
    );
    logEnforcement(
      'Customer Managed (CMEK) Enforcement',
      enc.customerManagedEncryptionEnforcementConfig
    );
    logEnforcement(
      'Customer Supplied (CSEK) Enforcement',
      enc.customerSuppliedEncryptionEnforcementConfig
    );
  }
}

setBucketEncryptionEnforcementConfig().catch(console.error);
PHP

use Google\Cloud\Storage\StorageClient;

/**
 * Creates a bucket with specific encryption enforcement (e.g., CMEK-only).
 *
 * @param string $bucketName The ID of your GCS bucket (e.g. "my-bucket").
 * @param string $kmsKeyName The name of the KMS key to be used as the default (e.g. "projects/my-project/...").
 */
function set_bucket_encryption_enforcement_config(string $bucketName, string $kmsKeyName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    // This configuration enforces that all objects uploaded to the bucket
    // must use Customer Managed Encryption Keys (CMEK).
    $options = [
        'encryption' => [
            'defaultKmsKeyName' => $kmsKeyName,
            'googleManagedEncryptionEnforcementConfig' => [
                'restrictionMode' => 'FullyRestricted',
            ],
            'customerSuppliedEncryptionEnforcementConfig' => [
                'restrictionMode' => 'FullyRestricted',
            ],
            'customerManagedEncryptionEnforcementConfig' => [
                'restrictionMode' => 'NotRestricted',
            ],
        ],
    ];

    $storage->createBucket($bucketName, $options);
    printf('Bucket %s created with encryption enforcement configuration.' . PHP_EOL, $bucketName);
}
Python

from google.cloud import storage
from google.cloud.storage.bucket import EncryptionEnforcementConfig


def set_bucket_encryption_enforcement_config(bucket_name):
    """Creates a bucket with encryption enforcement configuration."""
    # The ID of your GCS bucket
    # bucket_name = "your-unique-bucket-name"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    # Setting restriction_mode to "FullyRestricted" for Google-managed encryption (GMEK)
    # means objects cannot be created using the default Google-managed keys.
    bucket.encryption.google_managed_encryption_enforcement_config = (
        EncryptionEnforcementConfig(restriction_mode="FullyRestricted")
    )

    # Setting restriction_mode to "NotRestricted" for Customer-managed encryption (CMEK)
    # ensures that objects ARE permitted to be created using Cloud KMS keys.
    bucket.encryption.customer_managed_encryption_enforcement_config = (
        EncryptionEnforcementConfig(restriction_mode="NotRestricted")
    )

    # Setting restriction_mode to "FullyRestricted" for Customer-supplied encryption (CSEK)
    # prevents objects from being created using raw, client-side provided keys.
    bucket.encryption.customer_supplied_encryption_enforcement_config = (
        EncryptionEnforcementConfig(restriction_mode="FullyRestricted")
    )

    bucket.create()
    print(f"Created bucket {bucket.name} with Encryption Enforcement Config.")
Ruby

def set_bucket_encryption_enforcement_config bucket_name:
  # The ID to give your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new

  customer_managed_config = { restriction_mode: "NotRestricted" }
  customer_supplied_config = { restriction_mode: "FullyRestricted" }
  google_managed_config = { restriction_mode: "FullyRestricted" }

  bucket = storage.create_bucket bucket_name do |b|
    b.customer_managed_encryption_enforcement_config = customer_managed_config
    b.customer_supplied_encryption_enforcement_config = customer_supplied_config
    b.google_managed_encryption_enforcement_config = google_managed_config
  end

  puts "Created bucket #{bucket.name} with Encryption Enforcement Config."
end
REST APIs
JSON API
Have gcloud CLI installed and initialized, which lets
you generate an access token for the Authorization header.
Create a JSON file that contains the settings for the bucket. For a
complete list of settings, see the Buckets: Insert
documentation. The following settings define only the bucket name
and encryption:
The STANDARD_ENCRYPTION_RESTRICTION_MODE, CMEK_RESTRICTION_MODE, and
CSEK_RESTRICTION_MODE placeholders take the values described earlier in this
section. You must allow at least one encryption type; an omitted encryption
type is allowed by default.
Use cURL to call the JSON API with a POST Bucket
request:
The STANDARD_ENCRYPTION_RESTRICTION_MODE, CMEK_RESTRICTION_MODE, and
CSEK_RESTRICTION_MODE placeholders take the values described earlier in this
section.
Use cURL to call the XML API with a PUT Bucket request:
XML_FILE_NAME: the path to the XML file
that you created in the previous step.
PROJECT_ID: the ID or number of the
project for your bucket.
BUCKET_NAME: the name of the bucket.
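The following is an added example in Python; it is not code from the Cloud Storage documentation or client libraries. It models the enforcement configuration locally so that you can check a configuration before sending it, build the Buckets: Insert body with the JSON API field names the samples above use (googleManagedEncryptionEnforcementConfig, customerManagedEncryptionEnforcementConfig, customerSuppliedEncryptionEnforcementConfig, restrictionMode, defaultKmsKeyName), and predict whether Cloud Storage will accept an object-creation request under it. The names EnforcementPolicy, CreateRequest, resolve_type and create_allowed, the two-field request model, and the sample key name are this example's own assumptions. The key resolution it encodes is the Cloud Storage behaviour it assumes: customer-supplied key headers take precedence, otherwise an explicit or bucket-default Cloud KMS key makes the object CMEK-encrypted, otherwise the object gets standard encryption.

```python
import json
from dataclasses import dataclass
from typing import Optional

NOT_RESTRICTED = "NotRestricted"
FULLY_RESTRICTED = "FullyRestricted"

# JSON API field that carries each encryption type's enforcement config.
FIELDS = {
    "GMEK": "googleManagedEncryptionEnforcementConfig",
    "CMEK": "customerManagedEncryptionEnforcementConfig",
    "CSEK": "customerSuppliedEncryptionEnforcementConfig",
}


@dataclass(frozen=True)
class EnforcementPolicy:
    """Restriction mode per encryption type. A type left at its default is
    NotRestricted, which is what an omitted config means at create time."""
    gmek: str = NOT_RESTRICTED
    cmek: str = NOT_RESTRICTED
    csek: str = NOT_RESTRICTED
    default_kms_key: Optional[str] = None  # the bucket's defaultKmsKeyName, if set

    def modes(self) -> dict:
        return {"GMEK": self.gmek, "CMEK": self.cmek, "CSEK": self.csek}

    def allowed_types(self) -> set:
        return {t for t, m in self.modes().items() if m == NOT_RESTRICTED}

    def problems(self) -> list:
        """Reasons the configuration would be refused or would lock the bucket."""
        found = []
        for t, m in self.modes().items():
            if m not in (NOT_RESTRICTED, FULLY_RESTRICTED):
                found.append(f"{t}: unknown restriction mode {m!r}")
        if not self.allowed_types():
            found.append("every encryption type is restricted; at least one must be allowed")
        if (self.default_kms_key and self.cmek == FULLY_RESTRICTED
                and self.csek == FULLY_RESTRICTED):
            found.append("a default Cloud KMS key is set, so CMEK or CSEK must stay allowed")
        return found

    def to_bucket_resource(self, bucket_name: str) -> dict:
        """Body for a Buckets: Insert request that sets only the name and encryption."""
        enc = {FIELDS[t]: {"restrictionMode": m} for t, m in self.modes().items()}
        if self.default_kms_key:
            enc["defaultKmsKeyName"] = self.default_kms_key
        return {"name": bucket_name, "encryption": enc}


@dataclass(frozen=True)
class CreateRequest:
    """Key material on an object-creation request (upload, copy, compose,
    restore), reduced to two fields for this example (an assumption)."""
    kms_key_name: Optional[str] = None  # Cloud KMS key named explicitly on the request
    csek_supplied: bool = False          # customer-supplied key headers present


def resolve_type(policy: EnforcementPolicy, req: CreateRequest) -> str:
    """Encryption type the new object would get under this bucket's settings."""
    if req.csek_supplied and req.kms_key_name:
        raise ValueError("a request cannot carry both a customer-supplied key and a Cloud KMS key")
    if req.csek_supplied:
        return "CSEK"
    if req.kms_key_name or policy.default_kms_key:
        return "CMEK"  # explicit key, or the bucket's default key is applied
    return "GMEK"


def create_allowed(policy: EnforcementPolicy, req: CreateRequest) -> bool:
    """True if the object would be accepted under the enforcement configuration."""
    return resolve_type(policy, req) in policy.allowed_types()


if __name__ == "__main__":
    # Constructed key name; replace with a real Cloud KMS key resource name.
    key = "projects/my-project/locations/us/keyRings/my-ring/cryptoKeys/my-key"
    cmek_only = EnforcementPolicy(gmek=FULLY_RESTRICTED, csek=FULLY_RESTRICTED)
    print(json.dumps(cmek_only.to_bucket_resource("my-bucket"), indent=2))
    with_default = EnforcementPolicy(gmek=FULLY_RESTRICTED, csek=FULLY_RESTRICTED,
                                     default_kms_key=key)
    for policy in (cmek_only, with_default):
        label = "default key set" if policy.default_kms_key else "no default key"
        for req in (CreateRequest(), CreateRequest(kms_key_name=key),
                    CreateRequest(csek_supplied=True)):
            verdict = "allowed" if create_allowed(policy, req) else "denied"
            print(f"{label}: {req} -> {resolve_type(policy, req)} {verdict}")
```

Running the module prints the create body for a CMEK-only bucket and then the verdict for a plain upload, an upload naming a key, and a CSEK upload, first without and then with a default Cloud KMS key. The plain upload is denied under the CMEK-only policy until the bucket has a default key, which is the interaction the default-key caveat in the update section describes.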
Update the encryption types that are allowed for a bucket
To update which encryption methods are allowed for new objects in an existing
bucket, complete the following steps.
If the bucket has a default KMS key set, then you can't restrict both CMEK and
customer-supplied encryption keys because that would prevent new objects from
being created. Either allow CMEK or CSEK on such a bucket, or remove the
default Cloud KMS key from the bucket.
Console
In the Google Cloud console, go to the Cloud Storage Buckets page.
STANDARD_ENCRYPTION_RESTRICTION_MODE:
Whether encryption using standard encryption (Google default encryption) is allowed
when creating objects in this bucket. The following values are supported:
NotRestricted: new objects can use standard encryption.
FullyRestricted: new objects can't use standard encryption.
CMEK_RESTRICTION_MODE:
Whether encryption using CMEKs is allowed when creating objects in this bucket. The
following values are supported:
NotRestricted: new objects can use CMEKs.
FullyRestricted: new objects can't use CMEKs.
CSEK_RESTRICTION_MODE:
Whether encryption using customer-supplied encryption keys is allowed when
creating objects in this bucket. The following values are supported:
NotRestricted: new objects can use customer-supplied encryption keys.
FullyRestricted: new objects can't use customer-supplied encryption keys.
You must allow at least one encryption type. If you omit an encryption type, the existing
configuration is retained.
C++

#include "google/cloud/storage/client.h"
#include <iostream>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  StatusOr<gcs::BucketMetadata> original =
      client.GetBucketMetadata(bucket_name);
  if (!original) throw std::move(original).status();
  gcs::BucketMetadata updated_metadata = *original;
  gcs::BucketEncryption encryption;
  if (original->has_encryption()) {
    encryption = original->encryption();
  }

  // 1. Update a specific type (e.g., change GMEK to FullyRestricted)
  encryption.google_managed_encryption_enforcement_config.restriction_mode =
      "FullyRestricted";

  // 2. Remove a specific type (e.g., remove CMEK enforcement)
  encryption.customer_managed_encryption_enforcement_config.restriction_mode =
      "NotRestricted";

  // For the update, need to specify all three configs, so keeping this same
  // as before
  encryption.customer_supplied_encryption_enforcement_config.restriction_mode =
      "FullyRestricted";

  updated_metadata.set_encryption(encryption);
  StatusOr<gcs::BucketMetadata> updated =
      client.PatchBucket(bucket_name, *original, updated_metadata);
  if (!updated) throw std::move(updated).status();

  std::cout << "Encryption enforcement policy updated for bucket "
            << updated->name() << "\n"
            << "GMEK is now fully restricted, and CMEK enforcement has been "
               "removed.\n";
}
C#

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class BucketUpdateEncryptionEnforcementConfigSample
{
    /// <summary>
    /// Updates the encryption enforcement configuration of the bucket.
    /// </summary>
    /// <param name="bucketName">The name of the bucket.</param>
    /// <param name="encryptionData">The encryption configuration for the bucket.</param>
    public Bucket.EncryptionData BucketUpdateEncryptionEnforcementConfig(
        string bucketName = "your-unique-bucket-name",
        Bucket.EncryptionData encryptionData = null)
    {
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName);

        // Nothing to update if the bucket carries no enforcement configuration.
        if (bucket.Encryption is null ||
            (bucket.Encryption.CustomerManagedEncryptionEnforcementConfig is null
             && bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig is null
             && bucket.Encryption.GoogleManagedEncryptionEnforcementConfig is null))
        {
            Console.WriteLine($"No Encryption Enforcement Configuration found for bucket {bucketName}");
            return bucket.Encryption;
        }

        bucket.Encryption = encryptionData;
        bucket = storage.UpdateBucket(bucket);
        Console.WriteLine($"The Encryption Enforcement Configuration has been updated for the bucket {bucketName}");
        return bucket.Encryption;
    }
}
Node.js

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function updateBucketEncryptionEnforcementConfig() {
  const bucket = storage.bucket(bucketName);

  // Update a specific encryption type's restriction mode
  // This partial update preserves other existing encryption settings.
  const updateOptions = {
    encryption: {
      googleManagedEncryptionEnforcementConfig: {
        restrictionMode: 'FullyRestricted',
      },
    },
  };
  await bucket.setMetadata(updateOptions);
  console.log(
    `Google-managed encryption enforcement set to FullyRestricted for ${bucketName}.`
  );

  // Remove all encryption enforcement configurations altogether
  // Setting these values to null removes the policies from the bucket metadata.
  const clearOptions = {
    encryption: {
      defaultKmsKeyName: null,
      googleManagedEncryptionEnforcementConfig: null,
      customerSuppliedEncryptionEnforcementConfig: null,
      customerManagedEncryptionEnforcementConfig: null,
    },
  };
  await bucket.setMetadata(clearOptions);
  console.log(
    `All encryption enforcement configurations removed from bucket ${bucketName}.`
  );
}

updateBucketEncryptionEnforcementConfig().catch(console.error);
Ruby

def update_bucket_encryption_enforcement_config bucket_name:
  # The ID to give your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  # Update a specific type (e.g., change GMEK to NotRestricted)
  new_config = { restriction_mode: "NotRestricted" }
  bucket.update do |b|
    b.google_managed_encryption_enforcement_config = new_config
  end

  puts "Updated google_managed_config to " \
       "#{bucket.google_managed_encryption_enforcement_config.restriction_mode} " \
       "for bucket #{bucket.name}."
end
REST APIs
JSON API
Have gcloud CLI installed and initialized, which lets
you generate an access token for the Authorization header.
Create a JSON file that contains the following information:
The STANDARD_ENCRYPTION_RESTRICTION_MODE, CMEK_RESTRICTION_MODE, and
CSEK_RESTRICTION_MODE placeholders take the values described earlier in this
section. You must allow at least one encryption type; if you omit an
encryption type, the existing configuration is retained.
Use cURL to call the JSON API with a PATCH Bucket request:
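An added example in Python, not from the documentation or client libraries, of the merge a PATCH performs on the bucket's encryption resource: a field omitted from the body is retained, a field set to null is removed (as the Node.js sample above does when it clears enforcement), and a removed enforcement config is assumed to behave as NotRestricted, the same default an omitted config has at create time. The helper names apply_patch, effective_modes and patch_problems, the constructed current state, and the sample key name are this example's own; the JSON field names are those of the Buckets resource.

```python
# JSON API field that carries each encryption type's enforcement config.
FIELDS = {
    "GMEK": "googleManagedEncryptionEnforcementConfig",
    "CMEK": "customerManagedEncryptionEnforcementConfig",
    "CSEK": "customerSuppliedEncryptionEnforcementConfig",
}


def apply_patch(existing: dict, patch: dict) -> dict:
    """Merge the 'encryption' part of a PATCH body into the bucket's current
    'encryption' resource: a key missing from the patch is retained, a key
    whose value is None (JSON null) is removed, any other value replaces the
    existing one."""
    merged = dict(existing)
    for field, value in patch.items():
        if value is None:
            merged.pop(field, None)
        else:
            merged[field] = value
    return merged


def effective_modes(encryption: dict) -> dict:
    """Restriction mode in force per type. A missing config is treated as
    NotRestricted (assumption: the create-time default also applies after a
    config has been removed)."""
    return {t: encryption.get(f, {}).get("restrictionMode", "NotRestricted")
            for t, f in FIELDS.items()}


def patch_problems(existing: dict, patch: dict) -> list:
    """Problems with the state the patch would produce, found before sending it."""
    merged = apply_patch(existing, patch)
    modes = effective_modes(merged)
    found = []
    if all(m == "FullyRestricted" for m in modes.values()):
        found.append("patch would restrict every encryption type")
    if (merged.get("defaultKmsKeyName") and modes["CMEK"] == "FullyRestricted"
            and modes["CSEK"] == "FullyRestricted"):
        found.append("bucket has a default Cloud KMS key; allow CMEK or CSEK, "
                     "or clear defaultKmsKeyName in the same patch")
    return found


if __name__ == "__main__":
    import json
    # Constructed current state: a default key is set and CSEK is already restricted.
    current = {
        "defaultKmsKeyName": "projects/my-project/locations/us/keyRings/my-ring/cryptoKeys/my-key",
        "customerSuppliedEncryptionEnforcementConfig": {"restrictionMode": "FullyRestricted"},
    }
    # Restrict GMEK; CMEK and CSEK are omitted from the patch and therefore retained.
    restrict_gmek = {"googleManagedEncryptionEnforcementConfig": {"restrictionMode": "FullyRestricted"}}
    print(patch_problems(current, restrict_gmek), effective_modes(apply_patch(current, restrict_gmek)))
    # Restricting CMEK as well is not possible while the default key is set...
    restrict_cmek = {"customerManagedEncryptionEnforcementConfig": {"restrictionMode": "FullyRestricted"}}
    print(patch_problems(current, restrict_cmek))
    # ...unless the same patch clears the default key, leaving GMEK as the allowed type.
    print(patch_problems(current, dict(restrict_cmek, defaultKmsKeyName=None)))
    # Clearing every field with null drops all enforcement (every type allowed again).
    clear = {f: None for f in FIELDS.values()}
    clear["defaultKmsKeyName"] = None
    print(json.dumps(apply_patch(current, clear)), effective_modes(apply_patch(current, clear)))
```

The check runs against the merged result rather than the patch alone, because a PATCH that looks harmless on its own (restrict one more type) can combine with retained settings into a bucket that accepts no new objects.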
Last updated 2026-06-09 UTC.