Encrypt data with customer-managed encryption keys

This page shows you how to encrypt the data on your Filestore instances and backups using your own encryption keys.

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google Cloud. If you need more control over the keys that protect your data, you can use customer-managed encryption keys for Filestore.

Customer-managed encryption key options

Cloud Key Management Service supports customer-managed encryption keys (CMEK) which can be stored as software keys, as hardware keys in an HSM cluster, or externally in Cloud External Key Manager (Cloud EKM). Several options are available.

For more information, see Cloud Key Management Service.

Cloud External Key Manager

Cloud EKM support for Filestore is now generally available (GA). For more information, see Cloud External Key Manager.

Disruptions to EKM service

By design, external keys are managed by a third-party; in these circumstances, Google Cloud is not responsible for key availability.

If the Cloud Key Management Service (Cloud KMS) is notified by the External Key Manager (EKM) that an external key is unreachable, users receive an ekm_key_unreachable_detected notification. For up to one hour, users have limited access to operations on the instance. After one hour, if the key status is unchanged, the following actions apply:

  • The key is disabled.
  • All encrypt and decrypt operations fail.
  • The Filestore instance is suspended.

In some cases, such as an unplanned event like a VM restart, access to the instance may be disrupted prior to one hour.

Unreachable key notifications can be viewed from the Filestore instance details page:

Go to the Filestore instances page

Users also receive ekm_key_unreachable_detected notifications on any of the following operations if performed within one hour of the first reported notification:

Supported tiers

The following table shows the Filestore service tiers that support customer-managed encryption keys:

Tier CMEK support
Basic HDD No
Basic SSD No
Zonal with a lower capacity range Yes
Zonal with a higher capacity range (previously high scale SSD) Yes
Enterprise Yes

Create a key ring and key to use with your instance

The key ring and key can be in a different project from the Filestore instance but they must be in the same location. If you already have a Cloud KMS key ring and key that you want to use with Filestore, skip to the next section. Otherwise, follow the instructions on Creating symmetric encryption keys to create a key ring and key.

Grant key access permission to the Filestore service account

Before you can create a Filestore instance that uses a customer-managed encryption key, the Filestore service account must have the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter).

  1. A Filestore service account is created the first time you create a Filestore instance in the project. If you don't already have a Filestore service account, run the following services identity create command:

    gcloud beta services identity create --service=file.googleapis.com --project=INSTANCE_PROJECT_NUMBER_OR_ID
    

    Replace INSTANCE_PROJECT_NUMBER_OR_ID with the project number or ID of the project where you want to create the Filestore instance.

  2. Assign the Filestore service account the Cloud KMS CryptoKey Encrypter/Decrypter role by running the projects add-iam-policy-binding command:

    gcloud projects add-iam-policy-binding KMS_PROJECT_NUMBER_OR_ID \
        --member serviceAccount:service-INSTANCE_PROJECT_NUMBER@cloud-filer.iam.gserviceaccount.com \
        --role roles/cloudkms.cryptoKeyEncrypterDecrypter
    

    Replace the following:

    • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project that contains the Cloud KMS key that you want to use.
    • INSTANCE_PROJECT_NUMBER with the project number (not the project ID) of the project where you want to create the Filestore instance.

Create an instance that uses your Cloud KMS key

Google Cloud console

To create an instance that uses your Cloud KMS key for data encryption:

  1. In the Google Cloud console, go to the Filestore instances page.

    Go to the Filestore instances page

  2. Click Create Instance

  3. Select an instance tier that supports CMEKs and fill out all other required and optional fields as you normally would.

  4. Click Show advanced options.

  5. Select the Use a customer-managed encryption key (CMEK) checkbox.

  6. Select the Cloud KMS key that you want to use for the instance.

  7. Click Create.

gcloud CLI

To create a Filestore instance that uses your Cloud KMS key for data encryption, specify the --kms-key flag in the filestore instances create command:

gcloud filestore instances create nfs-server \
    --tier=<var>TIER</var> \
    --location=us-central1 \
    --file-share=name="vol1",capacity=1TiB \
    --network=name="default" \
    --kms-key=KMS_KEY

Replace the following:

  • TIER with a Filestore tier that supports customer-managed encryption keys.
  • KMS_KEY with the fully qualified name of the Cloud KMS key that you want to use. Alternatively, you can specify each argument separately in the format:
--kms-key=KMS_KEY : --kms-keyring=KEY_RING --kms-location=KMS_REGION --kms-project=KMS_PROJECT_NUMBER_OR_ID

Replace the following:

  • KMS_KEY with the name of the Cloud KMS key.
  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project where the key is created.
  • KMS_KEY_RING with the name of the key ring.
  • KMS_REGION with the region of the key ring. The key ring and instance must be located in the same region.

Get a list of keys

You can get a list of keys by running the kms keys list command:

gcloud kms keys list \
    --project=KMS_PROJECT_NUMBER_OR_ID \
    --keyring=KEY_RING \
    --location=KMS_REGION

Replace the following:

  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project where the key is created.
  • KEY_RING with the name of the key ring.
  • KMS_REGION with the region of the key ring.

The Name column of the output gives the fully qualified name of existing keys. For example:

projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key

Get instance key information

The following sections cover how to get instance key information.

List instances that use a particular Cloud KMS key

You can list Filestore instances that use a particular key by running the instances list command:

gcloud filestore instances list --filter="kmsKeyName=KMS_KEY"

Replace KMS_KEY with the fully qualified name of the key that you want to use.

Example:

gcloud filestore instances list \
    --filter="kmsKeyName=projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"

The output looks like:

INSTANCE_NAME LOCATION    TIER       CAPACITY_GB FILE_SHARE_NAME IP_ADDRESS   STATE CREATE_TIME
nfs-server    us-central1 ENTERPRISE 1024        vol1            10.166.108.2 READY 2021-08-12T11:38:56

Get Cloud KMS key information for an instance

Use one of the following methods to get Cloud KMS key information for a Filestore instance:

Google Cloud console

  1. Go to the Filestore instances page.

    Go to the Filestore instances page

  2. Click the instance ID to open the instance details page.

  3. Click the Overview tab.

If the instance encrypts data using a Cloud KMS key instead of a Google-managed encryption key, the key name is displayed in the Encryption key field.

gcloud CLI

Run the following instances describe command:

gcloud filestore instances describe INSTANCE_ID \
   --location=INSTANCE_LOCATION

Replace the following:

  • INSTANCE_ID with the instance ID of the Filestore instance that you want to get information about.
  • INSTANCE_LOCATION with the region or zone where the instance is located.

The output looks like:

createTime: '2021-08-12T11:38:56.851157387Z'
fileShares:
- capacityGb: '1024'
  name: vol1
kmsKeyName: projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key
labels:
  key: val
name: projects/consumer-project/locations/us-central1/instances/nfs-server
networks:
- ipAddresses:
  - 10.0.100.2
  modes:
  - MODE_IPV4
  network: network
  reservedIpRange: 10.166.108.0/23
state: READY
tier: ENTERPRISE

Disable or destroy a Cloud KMS key that's used by an instance

If a change in Cloud KMS key state is detected, the instance automatically stops serving data. Some examples include the following:

  • Disabling a key or key version.
  • Destroying a key or key version.
  • Modifying a key's permissions.

This detection typically happens within a few minutes of the change in key state, but in some cases can take up to one hour.

Once an instance is stopped, all access to file share data and any snapshots is blocked. Stopped instances continue to be billed until they're deleted.

Starting a stopped instance

If a stopped Filestore instance uses a Cloud KMS key for data encryption, all key versions of the key must be enabled or restored before restarting the instance.

Once the Cloud KMS key status is enabled, the instance will automatically detect key changes and restart without any additional action, typically within 20 minutes.

CMEK support for backup chains

You can use CMEKs to encrypt not only your Filestore instances but also your backup chains.

Backup chains reside in a single bucket and region. To store and encrypt backup data in a region outside of the source instance, users must apply two separate CMEKs: one for the instance and one for the backup chain. Some requirements apply:

  • A CMEK must reside in the same region as the backup chain it encrypts.

  • A single CMEK is applied to the bucket where the backup chain is stored and cannot be combined or replaced.

  • To create a backup using a new CMEK, the entire existing backup chain must first be deleted.

CMEK support is not available for basic-tier backups.

For more information, see Backups.

What's next