How to Enable Encryption at Rest in BigQuery

How do I enable customer-managed encryption at rest in BigQuery?

Encryption at rest in BigQuery secures stored data with Google-managed or customer-managed (CMEK) Cloud KMS keys.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

What is encryption at rest in BigQuery?

BigQuery always encrypts data on disk. By default it uses Google-managed keys, but you can supply customer-managed encryption keys (CMEK) from Cloud KMS for tighter control. CMEK lets you rotate, disable, or destroy keys whenever required.

When should I choose CMEK over Google-managed keys?

Select CMEK when compliance mandates customer control, when you need explicit key rotation schedules, or when separate business units require isolated keys.Stick with Google-managed keys for simpler operations without extra KMS management.

How do I set a default encryption key on a dataset?

Use ALTER SCHEMA … SET OPTIONS(default_kms_key_name= 'KMS_PATH'). New tables inherit this key automatically, reducing manual work and keeping projects consistent.

How can I encrypt a new table with CMEK?

Create the table with an encryption_key option: CREATE TABLE … OPTIONS(encryption_key='KMS_PATH').The key must reside in the same GCP region as the table.

How do I change the key on an existing table?

Issue ALTER TABLE … SET OPTIONS(encryption_key='NEW_KMS_PATH'). BigQuery re-encrypts data in place. Confirm that the service account running the command has the cloudkms.cryptoKeyEncrypterDecrypter role on the new key.

Best practices for managing encryption keys

Use separate keys per environment (dev, staging, prod). Automate key rotation with Cloud KMS schedules. Grant the BigQuery service account the minimal required KMS roles.Monitor KMS audit logs for access patterns.

Common mistakes and how to avoid them

Granting insufficient KMS permissions or choosing a key in a different region will cause immediate job failures. Validate IAM roles and region alignment before deploying changes.

Why How to Enable Encryption at Rest in BigQuery is important

How to Enable Encryption at Rest in BigQuery Example Usage


-- Create OrderItems with CMEK
CREATE TABLE `myproject.ecommerce.OrderItems` (
  id INT64,
  order_id INT64,
  product_id INT64,
  quantity INT64
) OPTIONS (
  encryption_key = 'projects/myproject/locations/us/keyRings/ecom-kr/cryptoKeys/ecom-key'
);

How to Enable Encryption at Rest in BigQuery Syntax


-- Set a default CMEK on the ecommerce dataset
ALTER SCHEMA `myproject.ecommerce`
SET OPTIONS (
  default_kms_key_name = 'projects/myproject/locations/us/keyRings/ecom-kr/cryptoKeys/ecom-key'
);

-- Create a Customers table encrypted with CMEK
CREATE TABLE `myproject.ecommerce.Customers` (
  id INT64,
  name STRING,
  email STRING,
  created_at TIMESTAMP
) OPTIONS (
  encryption_key = 'projects/myproject/locations/us/keyRings/ecom-kr/cryptoKeys/ecom-key'
);

-- Encrypt an Orders table after creation
ALTER TABLE `myproject.ecommerce.Orders`
SET OPTIONS (
  encryption_key = 'projects/myproject/locations/us/keyRings/ecom-kr/cryptoKeys/ecom-key'
);

Common Mistakes

Mistake: Not granting the BigQuery service account the cloudkms.cryptoKeyEncrypterDecrypter role. Fix: Add the role on the KMS key so BigQuery can read and write encrypted data.
Mistake: Using a KMS key in a different region from the dataset or table. Fix: Always create and reference keys in the same region as your BigQuery resources.