---
names:
  full: "Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)"
  contextual: "Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)"
description: "Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and \
  Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect \
  the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine \
  encrypts all data at rest. Compute Engine handles and manages this encryption for you without any \
  additional actions on your part. However, if you wanted to control and manage this encryption \
  yourself, you can provide your own encryption keys."
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
frameworkMappings:
  - /frameworks/cis-gcp-v4.0.0/04/07
  - /frameworks/cloudaware/resource-security/data-encryption
  - /frameworks/nist-sp-800-53-r5/ia/05
  - /frameworks/nist-sp-800-53-r5/sc/28
  - /frameworks/pci-dss-v4.0/03/01/01
  - /frameworks/pci-dss-v4.0/03/03/02
  - /frameworks/pci-dss-v4.0/03/03/03
  - /frameworks/pci-dss-v4.0/03/05/01
  - /frameworks/pci-dss-v4.0/03/05/01/02
  - /frameworks/pci-dss-v4.0/03/05/01/03
  - /frameworks/pci-dss-v4.0/08/03/02
  - /frameworks/iso-iec-27001-2022/05/33
  - /frameworks/nist-csf-v1.1/pr-ds/01
  - /frameworks/soc-2/cc6/01/10
  - /frameworks/soc-2/cc6/01/03
similarPolicies:
  cloudConformity:
    - url: "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/gcp/ComputeEngine/enable-encryption-with-csek.html"
      name: "Enable VM Disk Encryption with Customer-Supplied Encryption Keys"