diff --git a/google/_modules/gke/cluster.tf b/google/_modules/gke/cluster.tf
index 10443c53..4ab75c92 100644
--- a/google/_modules/gke/cluster.tf
+++ b/google/_modules/gke/cluster.tf
@@ -25,6 +25,14 @@ resource "google_container_cluster" "current" {
 }
 }
+ dynamic "database_encryption" {
+ for_each = var.cluster_database_encryption_key_name != null ? toset([1]) : toset([])
+ content {
+ state = "ENCRYPTED"
+ key_name = var.cluster_database_encryption_key_name
+ }
+ }
+
 #
 #
 # Addon config
diff --git a/google/_modules/gke/variables.tf b/google/_modules/gke/variables.tf
index 3d58b5ef..113fef36 100644
--- a/google/_modules/gke/variables.tf
+++ b/google/_modules/gke/variables.tf
@@ -173,3 +173,8 @@ variable "enable_tpu" {
 description = "Whether to enable GKE cloud TPU support."
 type = bool
 }
+
+variable "cluster_database_encryption_key_name" {
+ type = string
+ description = "Cloud KMS key name for enabling cluster database encryption."
+}
diff --git a/google/cluster/configuration.tf b/google/cluster/configuration.tf
index aba483ef..a53a7a83 100644
--- a/google/cluster/configuration.tf
+++ b/google/cluster/configuration.tf
@@ -60,6 +60,8 @@ locals {
 cluster_ipv4_cidr_block = lookup(local.cfg, "cluster_ipv4_cidr_block", null)
 services_ipv4_cidr_block = lookup(local.cfg, "services_ipv4_cidr_block", null)
+ cluster_database_encryption_key_name = lookup(local.cfg, "cluster_database_encryption_key_name", false)
+
 # by default include cloud_nat when private nodes are enabled
 enable_cloud_nat = lookup(local.cfg, "enable_cloud_nat", local.enable_private_nodes)
 cloud_nat_endpoint_independent_mapping = lookup(local.cfg, "cloud_nat_enable_endpoint_independent_mapping", null)
diff --git a/google/cluster/main.tf b/google/cluster/main.tf
index 2b2ef6b8..d4168d44 100644
--- a/google/cluster/main.tf
+++ b/google/cluster/main.tf
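Review bot: The new `database_encryption` block in cluster.tf has no comment saying what it does or what it needs, and the `for_each` guard is the only thing deciding whether the cluster requests encryption: any non-null value, including an empty string or a boolean that Terraform coerces into the string-typed variable, is sent as `key_name` together with `state = "ENCRYPTED"`, and the mistake surfaces only as an API error at apply time. A short comment above the `dynamic` line would make the contract clear, e.g. `# CMEK for the cluster database (Kubernetes secrets at rest). Omitted when no key is given, so GKE keeps its default state; the key must be in the cluster's location and the GKE service agent needs cloudkms.cryptoKeyEncrypterDecrypter on it, which this module does not grant.` The IAM and location prerequisites are inferred from the GKE feature rather than from anything visible in the hunk, so confirm them against the module's callers. The enclosing `google_container_cluster` resource starts before and ends after the hunk.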
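Review bot: The new `cluster_database_encryption_key_name` variable in variables.tf has no `default`, so every caller of the module must pass it even when CMEK is not in use, and nothing rejects a malformed key name before the plan reaches the API. Since the `dynamic` block in cluster.tf already treats `null` as "not configured", `default = null` is the natural value, and, if the module targets Terraform 0.13 or later, a `validation` block can pin the fully qualified Cloud KMS resource-name format so that a wrong project or location fails at plan time rather than as an opaque apply error. The description could also state the expected format, e.g. `description = "Fully qualified Cloud KMS key resource name (projects/…/locations/…/keyRings/…/cryptoKeys/…) used to encrypt the cluster database; null leaves the GKE default."`
```hcl
variable "cluster_database_encryption_key_name" {
  type        = string
  description = "Cloud KMS key name for enabling cluster database encryption."
  default     = null

  validation {
    condition     = var.cluster_database_encryption_key_name == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.cluster_database_encryption_key_name))
    error_message = "cluster_database_encryption_key_name must be a fully qualified Cloud KMS key resource name or null."
  }
}
```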
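Review bot: The `false` fallback in the new `cluster_database_encryption_key_name` lookup in configuration.tf does not agree with the `!= null` guard in `_modules/gke/cluster.tf` or with the `string` type declared in its variables.tf: when no key is configured, `false` is non-null, so the `database_encryption` block is still rendered with `state = "ENCRYPTED"` and, after type coercion, `key_name = "false"`, and the cluster would request encryption with a key that does not exist. Every other optional setting in this `locals` block falls back to `null`, and main.tf passes the local through unchanged, so the fix belongs on this line: `cluster_database_encryption_key_name = lookup(local.cfg, "cluster_database_encryption_key_name", null)`. The `locals` block begins before the hunk.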
@@ -63,6 +63,8 @@ module "cluster" {
 disable_workload_identity = local.disable_workload_identity
 node_workload_metadata_config = local.node_workload_metadata_config
+ cluster_database_encryption_key_name = local.cluster_database_encryption_key_name
+
 enable_intranode_visibility = local.enable_intranode_visibility
 enable_tpu = local.enable_tpu
 }