Use Customer-managed encryption keys (CMEK) with Migrate to Virtual Machines
By default, Migrate to Virtual Machines encrypts customer content at
rest. Migrate to Virtual Machines handles encryption for you without any
additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys
(CMEKs) in Cloud KMS with CMEK-integrated services including
Migrate to Virtual Machines. Using Cloud KMS keys gives you control over their protection
level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets
you track key usage, view audit logs, and
control key lifecycles.
Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and
manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your
Migrate to Virtual Machines resources is similar to using Google default encryption.
For more information about your encryption
options, see Customer-managed encryption keys (CMEK).
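Migrate to Virtual Machines uses CMEK to encrypt the following data:
- Data stored internally during a migration
- Data on target Virtual Machine (VM) instances and VM disks
- Data on target disks and machine images
The following sections describe these scenarios in more detail.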
Use CMEK to encrypt data stored during a migration
To encrypt data stored during a migration or import using CMEK, you must provide
a reference to a Cloud KMS key when creating a migration source or
import resource respectively. For instructions on using CMEK to encrypt data
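during a migration from various migration sources, see the following topics:
- Migration from an AWS source
- Migration from an Azure source
- Migration from a VMware source
- Import virtual disk images
- Import machine images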
Use CMEK to encrypt data on target VM instances and VM disks
To encrypt data on target VM instances and VM disks using CMEK, you must provide
a reference to a Cloud KMS key in the target details. For instructions
on setting CMEK in the target details, see setting CMEK for VM instances and setting CMEK for VM disks.
Use CMEK to encrypt data on target disks and machine images
To encrypt data on target disks and machine images using CMEK, you must provide
a reference to a Cloud KMS key in the target details. For instructions
on setting CMEK in the target details, see Import a virtual disk image to Compute Engine and Import a machine image to Compute Engine.
Last updated 2025-09-04 UTC.