What encryption is used for storage?

From GCP docs:

Cloud Storage manages server-side encryption keys on your behalf using the same hardened key management systems that we use for our own encrypted data, including strict key access controls and auditing. Cloud Storage encrypts user data at rest using AES-256, in most cases using Galois/Counter Mode (GCM). There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact. Data is automatically decrypted when read by an authorized user.

Problem text in bold above (in most cases). From other docs, it appears some legacy HHDs use AES-CBC and AED-CTR (128 and 256 bits). How do we determine/confirm storage encryption is AES and that CBC is not used in a particular data center?

Hi @PhilippeB ,

Welcome to Google Cloud Community!

By default, Google Cloud Storage uses AES-GCM (256 bits) as the preferred protocol but still supports AES-CBC and AES-CTR (128 and 256 bits) for legacy HDDs and persistent disks which were created before 2015. If your project uses Cloud Storage and was created in 2015 (or later) the preferred protocol being used is AES-GCM (256 bits).

You can check out the following documentation regarding information on Cloud Storage encryption and other options available to encrypt data when using Google Cloud Storage:

• Google-managed encryption keys
• Data encryption options
• Google’s common cryptographic library
• Encryption in transit
• Understanding Data Encryption in Google Cloud

Hope this helps.