diff --git a/storage/api/Storage.Samples.Tests/BucketGetEncryptionEnforcementConfigTest.cs b/storage/api/Storage.Samples.Tests/BucketGetEncryptionEnforcementConfigTest.cs
new file mode 100644
index 00000000000..7eb0841510e
--- /dev/null
+++ b/storage/api/Storage.Samples.Tests/BucketGetEncryptionEnforcementConfigTest.cs
@@ -0,0 +1,50 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Xunit;
+
+[Collection(nameof(StorageFixture))]
+public class BucketGetEncryptionEnforcementConfigTest
+{
+ private readonly StorageFixture _fixture;
+
+ public BucketGetEncryptionEnforcementConfigTest(StorageFixture fixture)
+ {
+ _fixture = fixture;
+ }
+
+ [Fact]
+ public void BucketGetEncryptionEnforcementConfig()
+ {
+ var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
+ var bucketGetEncConfigSample = new BucketGetEncryptionEnforcementConfigSample();
+ var bucketName = _fixture.GenerateBucketName();
+ _fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
+
+ string keyName = $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}";
+ var bucket = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
+ bucketName: bucketName,
+ kmsKeyName: keyName,
+ enforceCmek: true);
+ var bucketEncryptionData = bucketGetEncConfigSample.BucketGetEncryptionEnforcementConfig(bucket.Name);
+ Assert.NotNull(bucketEncryptionData);
+ Assert.Equal(keyName, bucketEncryptionData.DefaultKmsKeyName);
+ Assert.Multiple(() =>
+ {
+ Assert.Equal("NotRestricted", bucketEncryptionData.CustomerManagedEncryptionEnforcementConfig?.RestrictionMode);
+ Assert.Equal("FullyRestricted", bucketEncryptionData.CustomerSuppliedEncryptionEnforcementConfig?.RestrictionMode);
+ Assert.Equal("FullyRestricted", bucketEncryptionData.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);
+ });
+ }
+}
diff --git a/storage/api/Storage.Samples.Tests/BucketRemoveAllEncryptionEnforcementConfigTest.cs b/storage/api/Storage.Samples.Tests/BucketRemoveAllEncryptionEnforcementConfigTest.cs
new file mode 100644
index 00000000000..c0d47b8dd73
--- /dev/null
+++ b/storage/api/Storage.Samples.Tests/BucketRemoveAllEncryptionEnforcementConfigTest.cs
@@ -0,0 +1,48 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Xunit;
+
+[Collection(nameof(StorageFixture))]
+public class BucketRemoveAllEncryptionEnforcementConfigTest
+{
+ private readonly StorageFixture _fixture;
+
+ public BucketRemoveAllEncryptionEnforcementConfigTest(StorageFixture fixture)
+ {
+ _fixture = fixture;
+ }
+
+ [Fact]
+ public void BucketRemoveAllEncryptionEnforcementConfig()
+ {
+ var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
+ var bucketRemoveEncConfigSample = new BucketRemoveAllEncryptionEnforcementConfigSample();
+ var bucketName = _fixture.GenerateBucketName();
+ _fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
+ string keyName = $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}";
+ var bucket = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
+ bucketName: bucketName,
+ kmsKeyName: keyName,
+ enforceCmek: true);
+ var updatedBucket = bucketRemoveEncConfigSample.BucketRemoveAllEncryptionEnforcementConfig(bucket.Name);
+ Assert.Equal(updatedBucket.Encryption.DefaultKmsKeyName, bucket.Encryption.DefaultKmsKeyName);
+ Assert.Multiple(() =>
+ {
+ Assert.Null(updatedBucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig);
+ Assert.Null(updatedBucket.Encryption.CustomerManagedEncryptionEnforcementConfig);
+ Assert.Null(updatedBucket.Encryption.GoogleManagedEncryptionEnforcementConfig);
+ });
+ }
+}
diff --git a/storage/api/Storage.Samples.Tests/BucketSetEncryptionEnforcementConfigTest.cs b/storage/api/Storage.Samples.Tests/BucketSetEncryptionEnforcementConfigTest.cs
new file mode 100644
index 00000000000..9f4d7d4a5d5
--- /dev/null
+++ b/storage/api/Storage.Samples.Tests/BucketSetEncryptionEnforcementConfigTest.cs
@@ -0,0 +1,62 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Xunit;
+
+[Collection(nameof(StorageFixture))]
+public class BucketSetEncryptionEnforcementConfigTest
+{
+ private readonly StorageFixture _fixture;
+
+ public BucketSetEncryptionEnforcementConfigTest(StorageFixture fixture)
+ {
+ _fixture = fixture;
+ }
+
+ [Theory]
+ [InlineData(true, false, false)]
+ [InlineData(false, true, false)]
+ [InlineData(false, false, true)]
+ public void BucketSetEncryptionEnforcementConfig(
+ bool enforceCmek,
+ bool enforceGmek,
+ bool restrictCsek)
+ {
+ var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
+ var bucketName = _fixture.GenerateBucketName();
+ string keyName = enforceCmek
+ ? $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}"
+ : null;
+ _fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
+ var bucket = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
+ bucketName: bucketName,
+ kmsKeyName: keyName,
+ enforceCmek: enforceCmek,
+ enforceGmek: enforceGmek,
+ restrictCsek: restrictCsek);
+
+ string expectedCmek = enforceGmek ? "FullyRestricted" : "NotRestricted";
+ string expectedGmek = enforceCmek ? "FullyRestricted" : "NotRestricted";
+ string expectedCsek = (enforceCmek || enforceGmek || restrictCsek) ? "FullyRestricted" : "NotRestricted";
+
+ Assert.Multiple(() =>
+ {
+ Assert.Equal(expectedCmek, bucket.Encryption.CustomerManagedEncryptionEnforcementConfig?.RestrictionMode);
+ Assert.Equal(expectedCsek, bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig?.RestrictionMode);
+ Assert.Equal(expectedGmek, bucket.Encryption.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);
+
+ if (enforceCmek) Assert.Equal(keyName, bucket.Encryption.DefaultKmsKeyName);
+ });
+ }
+}
diff --git a/storage/api/Storage.Samples/BucketGetEncryptionEnforcementConfig.cs b/storage/api/Storage.Samples/BucketGetEncryptionEnforcementConfig.cs
new file mode 100644
index 00000000000..062acd829c6
--- /dev/null
+++ b/storage/api/Storage.Samples/BucketGetEncryptionEnforcementConfig.cs
@@ -0,0 +1,60 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// [START storage_get_encryption_enforcement_config]
+
+using Google.Apis.Storage.v1.Data;
+using Google.Cloud.Storage.V1;
+using System;
+
+public class BucketGetEncryptionEnforcementConfigSample
+{
+ ///
+ /// Get the encryption enforcement configuration for the bucket.
+ ///
+ /// The name of the bucket.
+ public Bucket.EncryptionData BucketGetEncryptionEnforcementConfig(string bucketName = "your-unique-bucket-name")
+ {
+ var storage = StorageClient.Create();
+ var bucket = storage.GetBucket(bucketName);
+ Console.WriteLine($"Encryption Enforcement Configuration for bucket {bucketName} is as follows:");
+
+ if (bucket.Encryption == null)
+ {
+ Console.WriteLine("No Encryption Configuration is found (Default GMEK is active)");
+ return bucket.Encryption;
+ }
+
+ var gmConfig = bucket.Encryption.GoogleManagedEncryptionEnforcementConfig;
+ if (gmConfig != null)
+ {
+ Console.WriteLine($"Google Managed (GMEK) Enforcement Restriction Mode: {gmConfig.RestrictionMode}");
+ Console.WriteLine($"Google Managed (GMEK) Enforcement Effective Time: {gmConfig.EffectiveTimeRaw}");
+ }
+ var cmConfig = bucket.Encryption.CustomerManagedEncryptionEnforcementConfig;
+ if (cmConfig != null)
+ {
+ Console.WriteLine($"Customer Managed (CMEK) Enforcement Restriction Mode: {cmConfig.RestrictionMode}");
+ Console.WriteLine($"Customer Managed (CMEK) Enforcement Effective Time: {cmConfig.EffectiveTimeRaw}");
+ }
+ var csConfig = bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig;
+ if (csConfig != null)
+ {
+ Console.WriteLine($"Customer Supplied (CSEK) Enforcement Restriction Mode: {csConfig.RestrictionMode}");
+ Console.WriteLine($"Customer Supplied (CSEK) Enforcement Effective Time: {csConfig.EffectiveTimeRaw}");
+ }
+ return bucket.Encryption;
+ }
+}
+// [END storage_get_encryption_enforcement_config]
diff --git a/storage/api/Storage.Samples/BucketRemoveAllEncryptionEnforcementConfig.cs b/storage/api/Storage.Samples/BucketRemoveAllEncryptionEnforcementConfig.cs
new file mode 100644
index 00000000000..9af55630ba8
--- /dev/null
+++ b/storage/api/Storage.Samples/BucketRemoveAllEncryptionEnforcementConfig.cs
@@ -0,0 +1,51 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// [START storage_remove_all_encryption_enforcement_config]
+
+using Google.Apis.Storage.v1.Data;
+using Google.Cloud.Storage.V1;
+using System;
+
+public class BucketRemoveAllEncryptionEnforcementConfigSample
+{
+ ///
+ /// Remove all encryption enforcement configurations from the bucket.
+ ///
+ /// The name of the bucket.
+ public Bucket BucketRemoveAllEncryptionEnforcementConfig(string bucketName = "your-unique-bucket-name")
+ {
+ var storage = StorageClient.Create();
+ var bucket = storage.GetBucket(bucketName);
+
+ if (bucket.Encryption is null
+ || (bucket.Encryption.CustomerManagedEncryptionEnforcementConfig is null
+ && bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig is null
+ && bucket.Encryption.GoogleManagedEncryptionEnforcementConfig is null))
+ {
+ Console.WriteLine($"No Encryption Enforcement Configuration found for bucket {bucketName}");
+ return bucket;
+ }
+
+ bucket.Encryption = new Bucket.EncryptionData
+ {
+ DefaultKmsKeyName = bucket.Encryption.DefaultKmsKeyName
+ };
+
+ bucket = storage.UpdateBucket(bucket);
+ Console.WriteLine($"The Encryption Enforcement Configuration has been removed from the bucket {bucketName}");
+ return bucket;
+ }
+}
+// [END storage_remove_all_encryption_enforcement_config]
diff --git a/storage/api/Storage.Samples/BucketSetEncryptionEnforcementConfig.cs b/storage/api/Storage.Samples/BucketSetEncryptionEnforcementConfig.cs
new file mode 100644
index 00000000000..885f0264f66
--- /dev/null
+++ b/storage/api/Storage.Samples/BucketSetEncryptionEnforcementConfig.cs
@@ -0,0 +1,82 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// [START storage_set_encryption_enforcement_config]
+
+using Google.Apis.Storage.v1.Data;
+using Google.Cloud.Storage.V1;
+using System;
+
+public class BucketSetEncryptionEnforcementConfigSample
+{
+ ///
+ /// Set the encryption enforcement configuration for a bucket.
+ ///
+ /// The name of the bucket.
+ ///
+ /// The full resource name of the Cloud KMS key (CMEK).
+ /// Required if is true.
+ ///
+ /// If true, enforces Customer-Managed Encryption Key.
+ /// If true, enforces Google-Managed Encryption Key.
+ /// If true, restricts Customer-Supplied Encryption Key.
+ public Bucket SetBucketEncryptionEnforcementConfig(
+ string bucketName = "your-unique-bucket-name",
+ string kmsKeyName = null,
+ bool enforceCmek = false,
+ bool enforceGmek = false,
+ bool restrictCsek = false)
+ {
+ var storage = StorageClient.Create();
+ var bucket = storage.GetBucket(bucketName);
+
+ if (bucket.Encryption == null)
+ {
+ bucket.Encryption = new Bucket.EncryptionData();
+ }
+
+ if (!string.IsNullOrEmpty(kmsKeyName))
+ {
+ bucket.Encryption.DefaultKmsKeyName = kmsKeyName;
+ Console.WriteLine($"Default Key Set: {kmsKeyName}");
+ }
+ else
+ {
+ bucket.Encryption.DefaultKmsKeyName = null;
+ Console.WriteLine("Default Key Set: None");
+ }
+
+ string cmek = enforceGmek ? "FullyRestricted" : "NotRestricted";
+ string gmek = enforceCmek ? "FullyRestricted" : "NotRestricted";
+ string csek = (enforceCmek || enforceGmek || restrictCsek) ? "FullyRestricted" : "NotRestricted";
+
+ string message = enforceCmek ? "CMEK-only enforcement policy"
+ : enforceGmek ? "GMEK-only enforcement policy"
+ : restrictCsek ? "policy to restrict CSEK"
+ : null;
+
+ bucket.Encryption.CustomerManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerManagedEncryptionEnforcementConfigData { RestrictionMode = cmek };
+ bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerSuppliedEncryptionEnforcementConfigData { RestrictionMode = csek };
+ bucket.Encryption.GoogleManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.GoogleManagedEncryptionEnforcementConfigData { RestrictionMode = gmek };
+
+ if (message != null)
+ {
+ Console.WriteLine($"Bucket {bucketName} updated with {message}");
+ }
+
+ var updatedBucket = storage.UpdateBucket(bucket);
+ return updatedBucket;
+ }
+}
+// [END storage_set_encryption_enforcement_config]