How to Enable Encryption in BigQuery

Galaxy Glossary

How do I enable customer-managed encryption in BigQuery?

ENABLE ENCRYPTION lets you secure datasets and tables with Cloud KMS customer-managed keys (CMEK) instead of default Google-managed encryption.

Sign up for the latest in SQL knowledge from the Galaxy Team!

Description

Why enable encryption in BigQuery?

Customer-managed encryption keys (CMEK) give you control over who can decrypt data, satisfy compliance rules, and allow independent key rotation—something the default Google-managed encryption cannot do.

How to specify a customer-managed key when creating a table?

Attach the OPTIONS(encryption_key="projects/.../cryptoKeys/...") clause to the CREATE TABLE statement. BigQuery will write all blocks using the supplied Cloud KMS key.

SQL syntax?

The table-level syntax works for permanent tables, partitioned tables, and materialized views. You can mix other OPTIONS in the same clause.

How to encrypt an existing table?

Run ALTER TABLE ... SET OPTIONS(encryption_key="projects/.../cryptoKeys/..."). The command rewrites data files in place without needing to unload and reload.

How to set a dataset default encryption key?

Use the bq CLI or REST API to call datasets.patch with the defaultEncryptionConfiguration.kmsKeyName field. New tables inherit the dataset key automatically.

Best practices for key management?

Create one key per environment (prod, staging) in the same region as the dataset, grant the bigquery.admin role the Cloud KMS cryptoKeyEncrypterDecrypter permission, and rotate keys on a scheduled cadence.

What pitfalls should I avoid?

Avoid cross-region keys, missing IAM permissions, and forgetting to update scheduled jobs that write to new encrypted tables.

Practical example: Encrypting ecommerce orders

The query below creates an encrypted Orders table and then updates it to a new key.

-- create with CMEK
CREATE TABLE `shop.Orders` (
id INT64,
customer_id INT64,
order_date DATE,
total_amount NUMERIC
) OPTIONS (
encryption_key = 'projects/shop-sec/locations/us/cryptoKeys/prod-key'
);

-- rotate to a new key
ALTER TABLE `shop.Orders`
SET OPTIONS (
encryption_key = 'projects/shop-sec/locations/us/cryptoKeys/prod-key-v2'
);

Common mistakes and fixes

Missing KMS permission: Grant the BigQuery service account roles/cloudkms.cryptoKeyEncrypterDecrypter on the key.

Key region mismatch: Ensure key and dataset share the same Cloud region; otherwise BigQuery rejects the query.

FAQ

Does CMEK affect query performance?

No measurable impact; encryption and decryption are hardware-accelerated.

Can I remove encryption later?

Yes. Use ALTER TABLE ... SET OPTIONS (encryption_key=NULL) to revert to Google-managed keys.

How often can I rotate keys?

You can rotate anytime; existing data stays under the old key until you run ALTER TABLE ... SET OPTIONS again.

Why How to Enable Encryption in BigQuery is important

How to Enable Encryption in BigQuery Example Usage


-- Encrypt Customers table with CMEK
CREATE TABLE shop.Customers (
  id INT64,
  name STRING,
  email STRING,
  created_at TIMESTAMP
) OPTIONS (
  encryption_key = 'projects/shop-sec/locations/us/cryptoKeys/prod-key'
);

-- Change key for Customers table
ALTER TABLE shop.Customers
SET OPTIONS (
  encryption_key = 'projects/shop-sec/locations/us/cryptoKeys/prod-key-v2'
);

How to Enable Encryption in BigQuery Syntax


CREATE TABLE dataset.table_name
( column_definitions )
OPTIONS (
  encryption_key = 'projects/PROJECT_ID/locations/REGION/cryptoKeys/KEY_NAME',
  [other_options]
);

ALTER TABLE dataset.table_name
SET OPTIONS (
  encryption_key = 'projects/PROJECT_ID/locations/REGION/cryptoKeys/NEW_KEY_NAME'
);

-- e.g. create encrypted OrderItems table
CREATE TABLE shop.OrderItems (
  id INT64,
  order_id INT64,
  product_id INT64,
  quantity INT64
) OPTIONS (
  encryption_key = 'projects/shop-sec/locations/us/cryptoKeys/prod-key'
);

Common Mistakes

Frequently Asked Questions (FAQs)

Is CMEK available in all regions?

Yes, but the KMS key must reside in the same region as the dataset.

Does encryption add cost?

BigQuery usage cost is unchanged; Cloud KMS charges a small per-key fee.

Can I audit key usage?

Enable Cloud Audit Logs for KMS to capture every decrypt operation BigQuery performs.

Want to learn about other SQL terms?

dbt tests

dbt tests are declarative assertions in dbt that automatically validate data quality during model builds.

dbt utils

dbt utils is a community-maintained dbt package that adds time-saving utility macros for analytics engineers, such as generating surrogate keys, safely unioning models, and automating date spines.

dbt Tutorial Glossary: Build, Test & Deploy SQL Models

dbt is an open-source framework that lets data teams transform raw warehouse tables into tested, documented, production-ready datasets using version-controlled SQL.

Trusted by top engineers on high-velocity teams
Aryeo Logo
Assort Health
Curri
Rubie
BauHealth Logo
Truvideo Logo
Company
BlogFeaturesPricingAboutCareersFeature Requests
Resources
Resource LibraryDocsSupportBrand Kit
Explore
Product TourData Job BoardRecruitersConsultantsStartup ToolsMemes
Learn
Learn SQLBeginner ResourcesData ToolsSQL Interview PrepCommon ErrorsSQL OptimizationSQL In Other LanguagesGlossary
Comparisons
DatagripTablePlusDBeaverBeekeeper StudiopgAdminMySQL WorkbenchSQL Server Management StudioPosticoDbVisualizerNao LabsCursor
HexBrieferPopSQLSherloqBlazeSQLSweep AIWaii AIOuterbase
© 2025 Galaxy Software Inc.
hello@getgalaxy.io
Terms of ServicePrivacy PolicySecurity
Reddit IconProduct Hunt IconTwitter / X IconLinkedIn Icon