Manage customer-managed encryption key policies

This page describes how customer-managed encryption keys (CMEK) work with Google Cloud NetApp Volumes.

About CMEK

NetApp Volumes always encrypts your data at rest, using a separate key for each volume.

With CMEK, Cloud Key Management Service wraps your stored volume keys. This feature gives you greater control over the encryption keys you use and the added security of storing the keys on a system or in a location different from the data. NetApp Volumes supports Cloud Key Management Service capabilities such as hardware security modules, Cloud External Key Manager, and the full key management lifecycle of generate, use, rotate, and destroy.

NetApp Volumes supports one CMEK policy per region. A CMEK policy attaches to a storage pool and all volumes created in that pool use it. You can have a mix of storage pools with and without CMEK policies in a region. If you have pools without CMEK in a specific region, you can convert them to CMEK by using the migration action of a region's CMEK policy.

The use of CMEK is optional. If used, CMEK policies are region-specific, and you can configure only one policy per region.

Considerations

The following sections describe limitations to consider when using CMEK.

Key management

When you use CMEK, you are solely responsible for your keys and for the data they protect.

Cloud KMS configurations

CMEK uses symmetric keys for encryption and decryption. After all volumes in a region are deleted for a project, the Cloud KMS configuration returns to its Ready (created) state. It is used again when you create the next volume in that region, or you can delete it by using the API.

Regional key rings

NetApp Volumes supports only regional Cloud KMS key rings, and the key ring must reside in the same region as the CMEK policy.
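The following added example models the arrangement this page describes (volume-specific keys wrapped by a region's CMEK key, one policy per region, pools that opt in, the migration action, and the same-region key ring rule). It is illustration code written for this page, not NetApp Volumes or Cloud KMS code; the class names, the toy SHA-256 keystream cipher, and the region and pool names are constructed for the example, and a destroyed key is modelled simply by discarding the key material.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


def _toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only, not a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class KmsKey:
    """Stands in for a symmetric Cloud KMS key that lives in a regional key ring."""

    def __init__(self, region: str):
        self.region = region
        self._material: Optional[bytes] = os.urandom(32)

    def wrap(self, dek: bytes) -> bytes:
        if self._material is None:
            raise PermissionError("KMS key destroyed; cannot wrap")
        body = _toy_xor(self._material, dek)
        return body + hmac.new(self._material, body, "sha256").digest()  # integrity tag

    def unwrap(self, wrapped: bytes) -> bytes:
        if self._material is None:
            raise PermissionError("KMS key destroyed; cannot unwrap")
        body, tag = wrapped[:-32], wrapped[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._material, body, "sha256").digest()):
            raise ValueError("wrapped key failed integrity check")
        return _toy_xor(self._material, body)

    def destroy(self) -> None:
        self._material = None  # after this, every key wrapped by it is unrecoverable


@dataclass
class Volume:
    name: str
    ciphertext: bytes
    dek: Optional[bytes] = None          # plaintext volume key, only when the pool has no CMEK
    wrapped_dek: Optional[bytes] = None  # volume key wrapped by the region's CMEK key


@dataclass
class StoragePool:
    name: str
    cmek: bool
    volumes: Dict[str, Volume] = field(default_factory=dict)


class Region:
    """One CMEK policy per region; pools opt in; the policy's key ring must match the region."""

    def __init__(self, name: str):
        self.name = name
        self.cmek_key: Optional[KmsKey] = None
        self.pools: Dict[str, StoragePool] = {}

    def attach_cmek_policy(self, key: KmsKey) -> None:
        if key.region != self.name:
            raise ValueError("key ring must reside in the same region as the CMEK policy")
        if self.cmek_key is not None:
            raise ValueError("only one CMEK policy per region")
        self.cmek_key = key

    def create_pool(self, name: str, use_cmek: bool) -> StoragePool:
        if use_cmek and self.cmek_key is None:
            raise ValueError("no CMEK policy configured in this region")
        self.pools[name] = StoragePool(name, use_cmek)
        return self.pools[name]

    def create_volume(self, pool_name: str, vol_name: str, data: bytes) -> Volume:
        pool = self.pools[pool_name]
        dek = os.urandom(32)  # volume-specific key; data is always encrypted at rest
        vol = Volume(vol_name, _toy_xor(dek, data))
        if pool.cmek:
            vol.wrapped_dek = self.cmek_key.wrap(dek)  # only the wrapped form is kept
        else:
            vol.dek = dek
        pool.volumes[vol_name] = vol
        return vol

    def read_volume(self, pool_name: str, vol_name: str) -> bytes:
        pool = self.pools[pool_name]
        vol = pool.volumes[vol_name]
        dek = self.cmek_key.unwrap(vol.wrapped_dek) if pool.cmek else vol.dek
        return _toy_xor(dek, vol.ciphertext)

    def migrate_pool_to_cmek(self, pool_name: str) -> int:
        """The migration action: wrap each existing volume key and drop the plaintext copy."""
        if self.cmek_key is None:
            raise ValueError("no CMEK policy configured in this region")
        pool = self.pools[pool_name]
        for vol in pool.volumes.values():
            vol.wrapped_dek = self.cmek_key.wrap(vol.dek)
            vol.dek = None
        pool.cmek = True
        return len(pool.volumes)


def demo() -> dict:
    """Walk through: non-CMEK pool, attach policy, CMEK pool, migrate, then destroy the key."""
    region = Region("us-east4")  # constructed region name
    region.create_pool("legacy", use_cmek=False)
    region.create_volume("legacy", "vol1", b"payroll records")  # constructed sample data
    region.attach_cmek_policy(KmsKey("us-east4"))
    region.create_pool("secure", use_cmek=True)
    region.create_volume("secure", "vol2", b"customer data")
    migrated = region.migrate_pool_to_cmek("legacy")
    readable = region.read_volume("legacy", "vol1") == b"payroll records"
    region.cmek_key.destroy()
    try:
        region.read_volume("secure", "vol2")
        after_destroy = "readable"
    except PermissionError:
        after_destroy = "unreadable"
    return {"migrated": migrated, "readable_after_migration": readable, "after_destroy": after_destroy}
```

The `demo()` walk-through shows why the key-management consideration above matters: once the region's key is destroyed, both the migrated pool and the pool created under CMEK become unreadable, while nothing in the service can recover them.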

What's next

Create a CMEK policy.