Customer-managed encryption keys

If you're using Secret Manager to store and pass your Amazon S3 or Microsoft Azure credentials, you can additionally use a customer-managed encryption key (CMEK) to encrypt those credentials at rest.

See Enable Customer-Managed Encryption Keys for Secret Manager for instructions.

Enforce CMEK with organization policy

To enforce the use of CMEK through an organizational policy, add Storage Transfer Service and Secret Manager to the constraints/gcp.restrictNonCmekServices deny list. Specifically, add:

secretmanager.googleapis.com
storagetransfer.googleapis.com

See Creating and managing organization policies for instructions.

Storage Transfer Service checks for and enforces this restriction at job creation and update. Existing transfer jobs are not affected.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-24 UTC.

Customer-managed encryption keys Stay organized with collections Save and categorize content based on your preferences.

Enforce CMEK with organization policy

Customer-managed encryption keys