Managing customer-managed encryption keys with Cloud KMS
In this article, we will learn about managing customer-managed encryption keys (CMEK) with Cloud KMS.
Default encryption
- All Google Cloud data is secured at rest using the same robust key-management mechanisms that Google uses for its own encrypted data. These key-management systems provide strict key-access controls and auditing.
- Google Cloud also uses the AES-256 encryption standard to encrypt customer data at rest. No setup, configuration, or management is required on your side.
- For customers who have no special compliance or locality requirements for their cryptographic data, Google Cloud’s default encryption at rest is the best option.
Customer-managed encryption keys (CMEK)
If you need more control over the keys used to encrypt data at rest within a Google Cloud project, several Google Cloud services let you protect the data associated with those services using encryption keys that you own and manage in Cloud KMS. These keys are called customer-managed encryption keys (CMEK).
When you use CMEK to encrypt data in a Google Cloud service, you have full control over the CMEK key. Using CMEK also incurs additional Cloud KMS costs. CMEK gives you more control over the lifecycle and administration of your keys, including (but not limited to) the following capabilities:
- Firstly, you can control Google’s ability to decrypt data at rest by disabling the keys used to protect that data.
- Secondly, you can protect your data using a key that meets specific locality or residency requirements.
- Thirdly, you can automatically or manually rotate the keys used to protect your data.
- Next, you can protect your data using a Cloud HSM key or a Cloud External Key Manager key, or an existing key that you import into Cloud KMS.
- Lastly, you can protect your data using a stricter encryption standard than AES-256.
CMEK integrations
A service that supports CMEK has a CMEK integration. Some services, such as GKE, provide several CMEK integrations to protect different kinds of data. To enable CMEK, follow the steps below:
- Firstly, you create or import a Cloud KMS key, choosing a location as geographically close as possible to the location of the service’s resources. The service and the key can be in the same project or in different projects. This key is the CMEK key.
- Secondly, you grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK key to the service account for the service.
- Lastly, you configure the service to use the CMEK key to protect its data. For example, you can configure a GKE cluster to use CMEK to protect data at rest on the boot disks of the nodes.
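The three enablement steps above, written out as gcloud commands in a small shell script. This is an added example, not code from the original page or from Google's documentation; the project ID, project number, location, key ring, key and cluster names are placeholders, and the 90-day rotation period is an assumed policy. With `DRY_RUN=1` (the default) every gcloud command is printed rather than executed, so the script can be read and checked offline before it is run against a real project.

```shell
#!/bin/sh
# Added example (not from the page or Google): enabling CMEK for GKE node
# boot disks in three steps. All project/location/key/cluster names below are
# placeholders. DRY_RUN=1 prints each gcloud command instead of running it.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Full Cloud KMS resource name of a key. Every CMEK integration expects this
# form when you point the service at the key (step 3).
# $1 project id, $2 location, $3 key ring, $4 key
key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Compute Engine service agent, which encrypts GKE node boot disks on the
# cluster's behalf. Takes the numeric project number, not the project id.
compute_service_agent() {
  printf 'service-%s@compute-system.iam.gserviceaccount.com\n' "$1"
}

# Step 1: create a key ring and a software key, with automatic rotation every
# 90 days (assumed policy; the key stays in the same region as the cluster).
# $1 project id, $2 location, $3 key ring, $4 key
create_cmek_key() {
  run gcloud kms keyrings create "$3" --project "$1" --location "$2"
  run gcloud kms keys create "$4" --project "$1" --location "$2" \
      --keyring "$3" --purpose encryption \
      --rotation-period 90d --next-rotation-time "+P90D"
}

# Step 2: grant the service's agent Encrypter/Decrypter on the key only
# (least privilege: the role is bound on the single key, not the project).
# $1 project id, $2 location, $3 key ring, $4 key, $5 project number
grant_key_access() {
  run gcloud kms keys add-iam-policy-binding "$4" --project "$1" \
      --location "$2" --keyring "$3" \
      --member "serviceAccount:$(compute_service_agent "$5")" \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Step 3: configure the service, here a regional GKE cluster whose node boot
# disks are protected with the CMEK key.
# $1 project id, $2 location, $3 key ring, $4 key, $5 cluster name
create_cmek_cluster() {
  run gcloud container clusters create "$5" --project "$1" --region "$2" \
      --boot-disk-kms-key "$(key_resource_name "$1" "$2" "$3" "$4")"
}

# Check: list the cluster's node disks with the KMS key each one reports.
# A disk still encrypted with a Google-managed key shows an empty key name.
# $1 project id, $2 cluster name
verify_boot_disks() {
  run gcloud compute disks list --project "$1" \
      --filter "name~^gke-$2" \
      --format "value(name,diskEncryptionKey.kmsKeyName)"
}

# Usage with placeholder values (prints the commands in dry-run mode).
PROJECT_ID="example-project"      # placeholder
PROJECT_NUMBER="123456789012"     # placeholder; see: gcloud projects describe
LOCATION="us-central1"
KEY_RING="cmek-ring"
KEY="gke-boot-disk-key"
CLUSTER="cmek-cluster"

create_cmek_key     "$PROJECT_ID" "$LOCATION" "$KEY_RING" "$KEY"
grant_key_access    "$PROJECT_ID" "$LOCATION" "$KEY_RING" "$KEY" "$PROJECT_NUMBER"
create_cmek_cluster "$PROJECT_ID" "$LOCATION" "$KEY_RING" "$KEY" "$CLUSTER"
verify_boot_disks   "$PROJECT_ID" "$CLUSTER"
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` against a project where you hold the Cloud KMS Admin and Kubernetes Engine Admin roles. The project number for the service-agent address comes from `gcloud projects describe PROJECT_ID --format='value(projectNumber)'`. If step 2 is skipped, step 3 fails at node creation because the Compute Engine service agent cannot use the key; the final listing is the check that every node disk actually reports the CMEK key name rather than an empty (Google-managed) value.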
CMEK compliance
- Some services do not store data at all, or store it only briefly as an intermediate stage of a long-running operation. For such workloads, encrypting each write separately is not practical.
- These services do not provide CMEK integrations, but they can provide CMEK compliance, often without requiring any configuration on your part. A CMEK-compliant service encrypts transient data with an ephemeral key that exists only in memory.
- The ephemeral key is flushed from memory when the temporary data is no longer required.
Reference: Google Documentation