
Tag Archive for security, encryption, google-bigquery, google-cloud-functions, google-cloud-kms

BigQuery column level envelope encryption with on-prem stored DEK

I have the following scenario: I would like to use column level encryption (decryption tbh) in BigQuery for (de)pseudonymizing PII data. I have to do client side encryption and then move the data to the cloud. Then I would like to use Google’s capabilities to decrypt the data on-the-fly (only for those with the proper privileges). My first plan was to use Google’s envelope encryption for this, storing the KEK in Cloud KMS and the encrypted DEK with the data. Our security team did not approve this and insisted that we store the DEK on-premise.