0

I am trying to export data to cloud storage buckets. I am trying to understand:

Whether I can leverage client-side encryption using either Customer Managed or Customer Supplied encryption keys.

I don't see any option in the `gcloud sql export sql` command to supply keys, which is mentioned in the docs: [https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#add-object-key][1]

Will the objects in the buckets get encrypted by default, or should I pass the encryption-key ref in the export command?

And I also have a query: while exporting data to buckets, can we connect to databases without any issues, or is it better to export the database outside business hours?

Ram

1 Answer

0
  • Server-side encryption: encryption that occurs after Cloud Storage receives your data, but before the data is written to disk and stored.

  • Client-side encryption: encryption that occurs before data is sent to Cloud Storage. Such data arrives at Cloud Storage already encrypted but also undergoes server-side encryption.

Details:

Client-side encryption for data to be exported is done using your own tools prior to sending it to Cloud Storage. Data that you encrypt on the client side then arrives at Cloud Storage in an encrypted state; however, Cloud Storage has no knowledge of the keys you used to encrypt the data.

When Cloud Storage receives your data, it is encrypted a second time through the server-side encryption, which Cloud Storage manages. When you retrieve your data, Cloud Storage removes the server-side layer of encryption, but you must decrypt the client-side layer yourself.

Do keep in mind that if you use customer-supplied encryption keys or client-side encryption, you must securely manage your keys and ensure that they are not lost. If you lose your keys, you are no longer able to read your data, and you continue to be charged for storage of your objects until you delete them.
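
The key-loss caveat above, shown for a customer-supplied encryption key (CSEK). This is an added example, not part of the original answer. It builds the three `x-goog-encryption-*` request headers that carry a CSEK; `key_matches_stored_hash` is a simplified, assumed model of how a request can be validated against the key's SHA-256 hash, which is all Cloud Storage keeps after the request.

```python
import base64
import hashlib
import hmac
import os

AES256_KEY_BYTES = 32  # a CSEK is a 256-bit AES key


def generate_csek() -> bytes:
    """Create fresh key material. Keep it in your own secret store."""
    return os.urandom(AES256_KEY_BYTES)


def csek_headers(key: bytes) -> dict:
    """Headers sent with every upload or download of a CSEK-protected object."""
    if len(key) != AES256_KEY_BYTES:
        raise ValueError("CSEK must be exactly 32 bytes (AES-256)")
    key_hash = hashlib.sha256(key).digest()
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-goog-encryption-key-sha256": base64.b64encode(key_hash).decode("ascii"),
    }


def key_matches_stored_hash(candidate: bytes, stored_hash_b64: str) -> bool:
    """Assumed model of the check: only the hash is retained, so a request
    succeeds only when the caller presents the original key again."""
    digest = hashlib.sha256(candidate).digest()
    return hmac.compare_digest(digest, base64.b64decode(stored_hash_b64))


if __name__ == "__main__":
    key = generate_csek()
    headers = csek_headers(key)
    stored = headers["x-goog-encryption-key-sha256"]

    # Original key: the object can be read.
    print("original key accepted:", key_matches_stored_hash(key, stored))

    # Key lost and regenerated: the hash cannot be reversed into the key,
    # so the object stays unreadable while still being billed.
    print("new key accepted:", key_matches_stored_hash(generate_csek(), stored))
```
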