diff --git a/mmv1/products/compute/RegionDisk.yaml b/mmv1/products/compute/RegionDisk.yaml index 6ca8d52ee24d..cd30be547812 100644 --- a/mmv1/products/compute/RegionDisk.yaml +++ b/mmv1/products/compute/RegionDisk.yaml @@ -59,8 +59,10 @@ iam_policy: - '{{name}}' custom_code: encoder: 'templates/terraform/encoders/disk.tmpl' + update_encoder: 'templates/terraform/update_encoder/disk.go.tmpl' decoder: 'templates/terraform/decoders/disk.tmpl' pre_delete: 'templates/terraform/pre_delete/detach_disk.tmpl' + # validation: 'templates/terraform/validation/compute_region_disk.go.tmpl' custom_diff: - 'customdiff.ForceNewIfChange("size", IsDiskShrinkage)' - 'hyperDiskIopsUpdateDiffSuppress' @@ -72,6 +74,14 @@ examples: region_disk_name: 'my-region-disk' disk_name: 'my-disk' snapshot_name: 'my-snapshot' + - name: 'region_disk_disk_encryption_key_wo' + primary_resource_id: 'regiondisk' + primary_resource_name: 'fmt.Sprintf("tf-test-my-region-disk%s", context["random_suffix"])' + vars: + region_disk_name: 'my-region-disk' + raw_key_data: 'write_only_key' + disk_name: 'my-disk' + snapshot_name: 'my-snapshot' - name: 'region_disk_async' primary_resource_id: 'primary' primary_resource_name: 'fmt.Sprintf("tf-test-my-region-disk%s", context["random_suffix"])' @@ -132,6 +142,16 @@ properties: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. sensitive: true + conflicts: + - 'disk_encryption_key.0.rawKeyWo' + - name: 'rawKeyWo' + type: String + description: | + Specifies a 256-bit customer-supplied encryption key, encoded in + RFC 4648 base64 to either encrypt or decrypt this resource. + write_only: true + conflicts: + - 'disk_encryption_key.0.rawKey' - name: 'sha256' type: String description: | diff --git a/mmv1/templates/terraform/encoders/disk.tmpl b/mmv1/templates/terraform/encoders/disk.tmpl index 51901dcbf237..dcc1dcdcc630 100644 --- a/mmv1/templates/terraform/encoders/disk.tmpl 
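Review bot: In the new `region_disk_disk_encryption_key_wo` example, `raw_key_data: 'write_only_key'` is listed under `vars`, and that value is neither base64 nor 256 bits, which the property description in this same file requires. If `vars` entries are also rewritten with a test prefix and random suffix like the name variables beside it (worth confirming), the rendered key moves further from a valid one. A fixed, clearly sample base64 key supplied outside the name-style `vars` would keep the generated example and test usable.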
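Review bot: The two `conflicts` entries added under `rawKey` and `rawKeyWo` mix a snake_case parent with camelCase leaves (`disk_encryption_key.0.rawKeyWo`, `disk_encryption_key.0.rawKey`), while the acceptance test addresses the field as `raw_key_wo`. If these paths are matched against the Terraform schema, they likely need to be `disk_encryption_key.0.raw_key_wo` and `disk_encryption_key.0.raw_key`; otherwise the mutual exclusion is not enforced and a user can set both keys. The `rawKeyWo` description is copied from `rawKey` and should also say that the value is write-only and is not stored in state or plan, since that is the reason to prefer it for a customer-supplied key.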
+++ b/mmv1/templates/terraform/encoders/disk.tmpl
@@ -50,5 +50,11 @@ if v, ok := d.GetOk("image"); ok {
 obj["sourceImage"] = imageUrl
 log.Printf("[DEBUG] Image name resolved to: %s", imageUrl)
 }
-
+{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
+if rawKey, _ := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rawKey")); !rawKey.IsNull() {
+ obj["diskEncryptionKey"] = map[string]interface{}{
+ "rawKey": rawKey.AsString(),
+ }
+}
+{{- end }}
 return obj, nil
diff --git a/mmv1/templates/terraform/examples/region_disk_disk_encryption_key_wo.tf.tmpl b/mmv1/templates/terraform/examples/region_disk_disk_encryption_key_wo.tf.tmpl
new file mode 100644
index 000000000000..9badb2207b7d
--- /dev/null
+++ b/mmv1/templates/terraform/examples/region_disk_disk_encryption_key_wo.tf.tmpl
@@ -0,0 +1,26 @@
+resource "google_compute_region_disk" "regiondisk" {
+ name = "{{index $.Vars "region_disk_name"}}"
+ snapshot = google_compute_snapshot.snapdisk.id
+ type = "pd-ssd"
+ region = "us-central1"
+ physical_block_size_bytes = 4096
+
+ replica_zones = ["us-central1-a", "us-central1-f"]
+}
+
+resource "google_compute_disk" "disk" {
+ name = "{{index $.Vars "disk_name"}}"
+ image = "debian-cloud/debian-11"
+ size = 50
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ disk_encryption_key = {
+ raw_key_wo = "{{index $.Vars "raw_key_data"}}"
+ }
+}
+
+resource "google_compute_snapshot" "snapdisk" {
+ name = "{{index $.Vars "snapshot_name"}}"
+ source_disk = google_compute_disk.disk.name
+ zone = "us-central1-a"
+}
diff --git a/mmv1/templates/terraform/update_encoder/disk.go.tmpl b/mmv1/templates/terraform/update_encoder/disk.go.tmpl
new file mode 100644
index 000000000000..8b9f8f3a9722
--- /dev/null
+++ b/mmv1/templates/terraform/update_encoder/disk.go.tmpl
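Review bot: The added lookup reads `GetAttr("rawKey")`, which names neither the write-only attribute the tests set (`raw_key_wo`) nor a snake_case schema field, and the diagnostics from `GetRawConfigAt` are discarded with `_`. As written, the write-only key likely never reaches `obj["diskEncryptionKey"]`, and a failed path lookup is silent; a non-null but unknown value would also make `AsString()` panic. Consider `rawKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo"))`, returning an error when `diags.HasError()`, and guarding with `!rawKey.IsNull() && rawKey.IsKnown()`. The same block is duplicated in `update_encoder/disk.go.tmpl` and needs the same change. The enclosing encoder body starts outside this hunk.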
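Review bot: The example is named for the region disk, but `raw_key_wo` is set only on `google_compute_disk.disk`; the `google_compute_region_disk.regiondisk` resource gets no `disk_encryption_key`, so it does not demonstrate the attribute this commit adds to RegionDisk. It also uses argument syntax, `disk_encryption_key = {`, where the acceptance test in this commit uses block syntax, `disk_encryption_key {`. Moving the block onto `regiondisk` in block form would match the test. Whether `google_compute_disk` accepts `raw_key_wo` at all is not visible in this diff.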
@@ -0,0 +1,8 @@ +{{- if ne $.Compiler "terraformgoogleconversion-codegen" }} +if rawKey, _ := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rawKey")); !rawKey.IsNull() { + obj["diskEncryptionKey"] = map[string]interface{}{ + "rawKey": rawKey.AsString(), + } +} +{{- end }} +return obj, nil \ No newline at end of file diff --git a/mmv1/templates/terraform/validation/compute_region_disk.go.tmpl b/mmv1/templates/terraform/validation/compute_region_disk.go.tmpl new file mode 100644 index 000000000000..df57303d2868 --- /dev/null +++ b/mmv1/templates/terraform/validation/compute_region_disk.go.tmpl @@ -0,0 +1 @@ +validation.PreferWriteOnlyAttribute(cty.GetAttrPath("disk_encryption_key").IndexAt(0).GetAttr("rawKey"),cty.GetAttrPath("disk_encryption_key_wo").IndexAt(0).GetAttr("rawKeyWo")) diff --git a/mmv1/templates/tgc/resource_converter.go.tmpl b/mmv1/templates/tgc/resource_converter.go.tmpl index f99fc72656f6..2fc82a1d8c0c 100644 --- a/mmv1/templates/tgc/resource_converter.go.tmpl +++ b/mmv1/templates/tgc/resource_converter.go.tmpl @@ -44,6 +44,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/logging" "google.golang.org/api/bigtableadmin/v2" "google.golang.org/api/googleapi" + "github.com/hashicorp/go-cty/cty" "github.com/GoogleCloudPlatform/terraform-google-conversion/v5/tfplan2cai/converters/google/resources/cai" "github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource" diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_region_disk_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_region_disk_test.go.tmpl index d5d223384eba..7e09395310af 100644 --- a/mmv1/third_party/terraform/services/compute/resource_compute_region_disk_test.go.tmpl +++ b/mmv1/third_party/terraform/services/compute/resource_compute_region_disk_test.go.tmpl 
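Review bot: This new validation template is dead code, because the `validation:` entry that would reference it is commented out in RegionDisk.yaml, and its paths disagree with the rest of the change. It addresses a `disk_encryption_key_wo` block with a `rawKeyWo` leaf, whereas the test config puts `raw_key_wo` inside `disk_encryption_key`, and it calls `IndexAt(0)` where the encoders use `IndexInt(0)`. Either drop the file until it is wired in, or align it first, e.g. `cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo")` for the second argument. Until it is enabled, nothing steers users from the state-persisted `raw_key` to the write-only field.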
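Review bot: The `github.com/hashicorp/go-cty/cty` import is added to the tgc converter template, but the only `cty` uses this commit introduces sit inside `{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}` guards in the encoder templates. If this template is rendered for that compiler, the import may be unused in generated files, which Go rejects at compile time; confirm that something else in the generated converter references `cty`, or guard the import the same way. It is also inserted after `googleapi` rather than next to the other `github.com/hashicorp/...` imports. The import block continues outside this hunk.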
@@ -108,6 +108,50 @@ func TestAccComputeRegionDisk_basicUpdate(t *testing.T) { }) } +func TestAccComputeRegionDisk_diskEncryptionKeyWoUpdated(t *testing.T) { + t.Parallel() + + diskName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10)) + + var disk compute.Disk + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckComputeRegionDiskDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeRegionDisk_diskEncryptionKeyWo(diskName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeRegionDiskExists( + t, "google_compute_region_disk.regiondisk", &disk), + ), + }, + { + ResourceName: "google_compute_region_disk.regiondisk", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels", "terraform_labels"}, + }, + { + Config: testAccComputeRegionDisk_diskEncryptionKeyWoUpdated(diskName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeRegionDiskExists( + t, "google_compute_region_disk.regiondisk", &disk), + testAccCheckRegionDiskEncryptionKey("google_compute_region_disk.regiondisk", &disk), + testAccCheckComputeRegionDiskHasLabelFingerprint(&disk, "google_compute_region_disk.regiondisk"), + ), + }, + { + ResourceName: "google_compute_region_disk.regiondisk", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels", "terraform_labels"}, + }, + }, + }) +} + func TestAccComputeRegionDisk_encryption(t *testing.T) { t.Parallel() 
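Review bot: The first step of `TestAccComputeRegionDisk_diskEncryptionKeyWoUpdated` asserts only `testAccCheckComputeRegionDiskExists`, so the test passes even if the write-only key never reaches the API and the disk is created without a customer-supplied key. The third step changes only the `raw_key_wo` literal; a write-only value is not stored in state, so that change may produce no diff, and the update path may never run (worth confirming against a recorded plan). Adding `testAccCheckRegionDiskEncryptionKey("google_compute_region_disk.regiondisk", &disk)` to the first step as well, plus an explicit check that `disk.DiskEncryptionKey` is non-nil, would make the test fail when the key is silently dropped.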
@@ -412,6 +456,68 @@ resource "google_compute_region_disk" "regiondisk" { `, diskName, diskName, diskName, refSelector) } +func testAccComputeRegionDisk_diskEncryptionKeyWo(diskName string) string { + return fmt.Sprintf(` +resource "google_compute_disk" "disk" { + name = "%s" + image = "debian-cloud/debian-11" + size = 50 + type = "pd-ssd" + zone = "us-central1-a" +} + +resource "google_compute_snapshot" "snapdisk" { + name = "%s" + zone = "us-central1-a" + + source_disk = google_compute_disk.disk.name +} + +resource "google_compute_region_disk" "regiondisk" { + name = "%s" + snapshot = google_compute_snapshot.snapdisk.self_link + type = "pd-ssd" + + replica_zones = ["us-central1-a", "us-central1-f"] + + disk_encryption_key { + raw_key_wo = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + } +} +`, diskName, diskName, diskName) +} + +func testAccComputeRegionDisk_diskEncryptionKeyWoUpdated(diskName string) string { + return fmt.Sprintf(` +resource "google_compute_disk" "disk" { + name = "%s" + image = "debian-cloud/debian-11" + size = 50 + type = "pd-ssd" + zone = "us-central1-a" +} + +resource "google_compute_snapshot" "snapdisk" { + name = "%s" + zone = "us-central1-a" + + source_disk = google_compute_disk.disk.name +} + +resource "google_compute_region_disk" "regiondisk" { + name = "%s" + snapshot = google_compute_snapshot.snapdisk.self_link + type = "pd-ssd" + + replica_zones = ["us-central1-a", "us-central1-f"] + + disk_encryption_key { + raw_key_wo = "DDFEFG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + } +} +`, diskName, diskName, diskName) +} + func testAccComputeRegionDisk_encryption(diskName string) string { return fmt.Sprintf(` resource "google_compute_disk" "disk" {
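Review bot: The helpers `testAccComputeRegionDisk_diskEncryptionKeyWo` and `testAccComputeRegionDisk_diskEncryptionKeyWoUpdated` are identical except for the `raw_key_wo` literal, so the two 30-line configs can drift apart unnoticed. A single helper with the signature `func testAccComputeRegionDisk_diskEncryptionKeyWo(diskName, rawKey string) string`, using `raw_key_wo = "%s"`, keeps the only intended difference visible at the call sites. A short comment that both literals are throwaway sample keys would also help anyone scanning the file for committed secrets.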