Use case – using customer supplied encryption keys

Data in GCS buckets is always encrypted, both in flight and at rest. If we do nothing at all, the encryption uses Google-supplied keys. These keys are created, managed, and rotated by Google, so we need not bother with data encryption at all. This is the first option, called Google Supplied Encryption Key (GSEK), and it is the one most likely to work right out of the box. The keys are those associated with the respective users and governed by IAM.

Alternatively, a customer might want more control and insist on a Customer Supplied Encryption Key (CSEK). Here, the key resides on the customer's premises but is sent across in raw form as part of each API call. All GCP references to the key are in memory only; the key itself never gets stored on the cloud.

A third option is Customer Managed Encryption Keys (CMEK), where the customer uses a specific GCP service called the Google Key Management Service (Google KMS) to store keys on the cloud.

Notice that in CMEK, unlike in CSEK, the keys are indeed persisted on the cloud, and key protection is performed by the KMS. In CSEK, to download or modify the encrypted data, you always need to provide the user-supplied key to perform the action. Finally, CSEK is currently available only in a small list of countries.

To implement CSEK using gsutil, use the following command:

# [KEY] is the base64-encoded 256-bit key; gsutil takes it as a boto option
# (or as encryption_key under the [GSUtil] section of the .boto file), not as a bare argument
gsutil -o "GSUtil:encryption_key=[KEY]" cp Desktop/image1.png gs://loonycorn-bucket-00

Without the key, GCS shows a permission denied error for modifications and a 404 error for downloading.
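As an added example (not from the book), the following standard-library Python prepares the key material that the gsutil command above and the underlying GCS API require for CSEK: a fresh 256-bit key, the base64 SHA-256 digest the API uses to reject a wrong key before touching data, the request headers, and the gsutil invocations. It goes one step beyond the text with the key-rotation command (gsutil rewrite -k); the bucket name is the page's, the local path and object URI are placeholders.

```python
"""CSEK key-material helpers for GCS (added example, standard library only).

GCS CSEK rules: the key is 256 bits of raw AES key sent base64-encoded,
accompanied by a base64 SHA-256 of the raw key so the server can refuse a
wrong or corrupted key up front. Lose the key and the object is unreadable.
"""
import base64
import hashlib
import secrets

BUCKET = "gs://loonycorn-bucket-00"  # bucket name from the page


def generate_csek_key() -> str:
    """Generate a fresh 256-bit key, base64-encoded as GCS expects."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def csek_key_sha256(key_b64: str) -> str:
    """Base64 SHA-256 of the raw key bytes (the x-goog-encryption-key-sha256 value)."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"CSEK must decode to 32 raw bytes, got {len(raw)}")
    return base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")


def csek_headers(key_b64: str) -> dict:
    """Headers a direct XML/JSON API request must carry to use a CSEK."""
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": csek_key_sha256(key_b64),
    }


def gsutil_upload_cmd(local_path: str, key_b64: str) -> str:
    """gsutil form: the key is a boto option, not a positional argument."""
    return f'gsutil -o "GSUtil:encryption_key={key_b64}" cp {local_path} {BUCKET}'


def gsutil_rotate_cmd(object_uri: str, old_key_b64: str, new_key_b64: str) -> str:
    """Rotate a CSEK: rewrite the object under the new key, decrypting with the old one."""
    return (f'gsutil -o "GSUtil:encryption_key={new_key_b64}" '
            f'-o "GSUtil:decryption_key1={old_key_b64}" rewrite -k {object_uri}')


if __name__ == "__main__":
    key = generate_csek_key()
    print(csek_headers(key))
    print(gsutil_upload_cmd("Desktop/image1.png", key))
    print(gsutil_rotate_cmd(f"{BUCKET}/image1.png", key, generate_csek_key()))
```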
