AlloyDB encryption

Hey folks,

I'm on the hunt for some solid advice on AlloyDB encryption. 

I stumbled upon this upcoming webinar by Vaultree and Google Cloud. They're talking about integrating with Google AlloyDB and CloudSQL, and it looks like they'll dive into cloud security and encryption tech.

Has anyone checked out their webinars before? I'm wondering if it's worth tuning in. Or if you've got any tips or resources on AlloyDB encryption, I'm all ears!

1 REPLY

Both encryption at rest and encryption in transit are crucial for protecting your sensitive information in Google Cloud AlloyDB. Here are some resources and advice to help you:

Encryption at rest:

  1. Default encryption: AlloyDB encrypts data at rest by default using Google-managed keys. This ensures strong protection without needing any additional configuration.

  2. CMEK (Customer-Managed Encryption Keys): You can choose to encrypt your data with your own keys stored in Cloud Key Management Service (KMS) instead of Google-managed keys. This provides additional control over access and key management.

    Documentation:

Encryption in transit:

  1. TLS (Transport Layer Security): AlloyDB enforces TLS 1.3 with 256-bit AES encryption for all communication between your client applications and the database. This ensures secure data transfer.

  2. Auth Proxy: You can use the AlloyDB Auth Proxy for additional security on connections. It establishes a secure tunnel using TLS 1.3 and acts as a single point of entry for client applications.

    Documentation:

Additional tips:

  • Rotate your CMEK keys regularly for enhanced security.
  • Limit access to your database and Cloud KMS to authorized users.
  • Monitor your database activity for suspicious behavior.
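The CMEK and key-rotation points in the reply above can be checked across a project with a small inventory script. This is an added example, not part of the original reply and not Google's code. It assumes cluster and key records parsed from `gcloud alloydb clusters list --format=json` and `gcloud kms keys list --format=json`, with the field names `encryptionConfig.kmsKeyName`, `encryptionInfo.encryptionType` and `rotationPeriod`; the project, cluster and key names and the 90-day policy are constructed.

```python
# Constructed sample records, shaped like the parsed JSON output of the two
# gcloud listings (assumed field names; all resource names are made up).
KEY_PREFIX = "projects/example-proj/locations/us-central1/keyRings/db/cryptoKeys/"
CLUSTER_PREFIX = "projects/example-proj/locations/us-central1/clusters/"
CMEK = {"encryptionType": "CUSTOMER_MANAGED_ENCRYPTION"}

CLUSTERS = [
    {"name": CLUSTER_PREFIX + "orders", "encryptionInfo": CMEK,
     "encryptionConfig": {"kmsKeyName": KEY_PREFIX + "orders-key"}},
    {"name": CLUSTER_PREFIX + "analytics",
     "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"}},
    {"name": CLUSTER_PREFIX + "billing", "encryptionInfo": CMEK,
     "encryptionConfig": {"kmsKeyName": KEY_PREFIX + "billing-key"}},
    {"name": CLUSTER_PREFIX + "archive", "encryptionInfo": CMEK,
     "encryptionConfig": {"kmsKeyName": KEY_PREFIX + "archive-key"}},
]
KEYS = [
    {"name": KEY_PREFIX + "orders-key", "rotationPeriod": "7776000s"},    # 90 days
    {"name": KEY_PREFIX + "billing-key"},                                 # manual rotation only
    {"name": KEY_PREFIX + "archive-key", "rotationPeriod": "31536000s"},  # 365 days
]

MAX_ROTATION_SECONDS = 90 * 24 * 3600  # hypothetical policy: rotate at least every 90 days


def encryption_inventory(clusters, keys, max_rotation=MAX_ROTATION_SECONDS):
    """Map each cluster's short name to its at-rest encryption status."""
    rotation = {k["name"]: k.get("rotationPeriod") for k in keys}
    report = {}
    for cluster in clusters:
        short = cluster["name"].rsplit("/", 1)[-1]
        key = cluster.get("encryptionConfig", {}).get("kmsKeyName")
        etype = cluster.get("encryptionInfo", {}).get("encryptionType")
        if not key or etype != "CUSTOMER_MANAGED_ENCRYPTION":
            report[short] = "google-managed"        # default encryption, no CMEK
        elif key not in rotation:
            report[short] = "cmek-key-unknown"      # key lives in a keyring we did not list
        elif rotation[key] is None:
            report[short] = "cmek-no-rotation"      # no automatic rotation schedule set
        elif float(rotation[key].rstrip("s")) > max_rotation:
            report[short] = "cmek-rotation-too-slow"
        else:
            report[short] = "cmek-ok"
    return report


if __name__ == "__main__":
    for name, status in encryption_inventory(CLUSTERS, KEYS).items():
        print(f"{name:10} {status}")
```

To run it against a real project, replace `CLUSTERS` and `KEYS` with `json.load()` of the two listings.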