Introduction to CMEK

This page describes using CMEK with Apigee.

Overview

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

You can read more about using CMEK for Apigee in Using CMEK with Apigee. For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.

Using customer-managed encryption keys (CMEK) doesn't necessarily provide more security than Google's default encryption mechanisms; however, it gives you control over more aspects of the lifecycle and management of your keys in order to meet security and compliance requirements.

Benefits of CMEK

If you need more control over key operations than Google-managed encryption keys allow, you can use customer-managed encryption keys. These keys are created and managed using Cloud Key Management Service (Cloud KMS), and you can store them as software keys, in an HSM cluster, or externally.

Key management features are provided by the Cloud KMS service. Common use cases include:

  • Rotating the key. Automatically or manually rotate the key. Note that when the key is rotated, data previously stored in Apigee is not automatically re-encrypted with the new key version, but will continue to be accessible as long as the previous key version used to encrypt the data is not disabled or destroyed.
  • Enabling or disabling a key version. When a key version is disabled, Apigee data encrypted with that key version will not be accessible. To restore access to the data, the key can be re-enabled.
  • Destroying a key version. When a key version is destroyed, any Apigee data encrypted with that key version will become unreadable and unrecoverable. This is a permanent and irreversible operation.
  • Revoking the Apigee service agent's access to the key using IAM. If this is done, Apigee will be unable to access any control plane data encrypted by any key version. Apigee API operations that depend on decrypting the data will fail. Access to the data may be restored by re-granting access to the key and Apigee API operations that decrypt the data will be restored.

Quotas

Using CMEK keys can generate usage against some Cloud KMS quotas. For the latest information about Cloud KMS quotas, see Quotas.

Revoke encryption key

If you believe your data on Apigee in Google Cloud is compromised, you can revoke your encryption keys. Revoking the runtime CMEK causes your runtime instance to malfunction and lose access to your gateway data. Revoking the control plane CMEK makes Apigee unable to perform analytics work or deploy new proxies.

Using CMEK with Apigee

Apigee encryption keys are used for runtime and control plane data and are created during the provisioning process.

Apigee control plane data is encrypted using a different encryption key than runtime data, and it may be stored in different regions. As per the CMEK documentation, this encryption applies only to data at rest, that is, data that is ultimately stored on disk.

Apigee control plane data includes proxy configurations (bundles), some environment configuration data, and analytics data. Apigee runtime data includes application data such as KVMs, cache, and client secrets, which is then stored in the runtime database.

See About the Apigee encryption keys for descriptions of the types of encryption keys.

You can add encryption keys only at the time of Apigee organization creation; once a CMEK is assigned, you cannot change to a different CMEK after org creation.

Data residency control plane CMEK regions

In the regionalized Apigee control plane, you select two encryption keys for your control plane. This is because some of the components underlying the Apigee control plane are always in a single region within the control plane location. See Data residency regions for more information.

Details

  • The control plane region is where the control plane runs. "Control plane" in Apigee is an abstract concept: multiple underlying components together constitute the Apigee control plane. Control plane data is proxy configuration and analytics storage.
  • Other control plane data (for example, analytics processing and portals) is in a sub-region of the control plane.
  • All sub-region components are in the same region as each other.

Required keys

  • One key for control plane data.
  • One key for control plane sub-region data.

How to create encryption keys

By default, Google manages the creation of encryption keys during the provisioning process; however, you can create them yourself. For more information, see About the Apigee encryption keys.

Risks and mitigations

This section describes potential threats and actions you can take.

  • Risks:
    • Key compromise: Occurs when an attacker gains access to the encryption key, potentially through vulnerabilities in the KMS or attacks against key administrators.
    • Denial of service: An attacker could disrupt access to encryption keys or data by attacking the KMS or storage system.
    • Loss of key: Accidental key deletion or loss could lead to data loss or inaccessibility.
  • Mitigations:
    • Implement strong access control and key management policies.
    • Monitor KMS logs and activity for suspicious behavior.
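The "monitor KMS logs" mitigation above can be made concrete: every operation listed under "Benefits of CMEK" (destroying a key version, disabling one, or changing the key's IAM policy so the Apigee service agent loses access) leaves an admin-activity entry in Cloud Audit Logs. The following is an added example, not code from this page or from Apigee or Cloud KMS, that scans exported audit-log entries for exactly those three events. The `protoPayload` field names and the KMS method names are real; the Apigee service agent address, the project number, the key name and the entries in `SAMPLE_ENTRIES` are constructed for the example.

```python
"""Flag Cloud KMS audit-log events that would cut Apigee off from its CMEK.

Added example for this page; it is not Apigee or Cloud KMS code. Input is a
list of Cloud Audit Log entries in the JSON shape Cloud Logging exports; the
protoPayload field names and the KMS method names are real, the entries in
SAMPLE_ENTRIES are constructed.
"""

KMS_SERVICE = "cloudkms.googleapis.com"
DECRYPTER_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Assumed identity of the Apigee service agent for a constructed project number.
APIGEE_AGENT = "serviceAccount:service-123456789012@gcp-sa-apigee.iam.gserviceaccount.com"

DESTROY_VERSION = "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion"
UPDATE_VERSION = "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion"
SET_IAM_POLICY = "SetIamPolicy"


def classify(entry):
    """Return a finding for an entry that removes Apigee's ability to decrypt, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != KMS_SERVICE:
        return None
    method = payload.get("methodName", "")
    request = payload.get("request", {})

    if method == DESTROY_VERSION:
        # Destroying a version makes data encrypted under it unrecoverable.
        reason = "key version scheduled for destruction; Apigee data under it becomes unrecoverable"
    elif method == UPDATE_VERSION:
        # Only a transition to DISABLED matters here; other version updates are benign.
        if request.get("cryptoKeyVersion", {}).get("state") != "DISABLED":
            return None
        reason = "key version disabled; Apigee data under it is inaccessible until re-enabled"
    elif method == SET_IAM_POLICY:
        # The audit entry carries the new policy; check the agent still holds the role.
        bindings = request.get("policy", {}).get("bindings", [])
        if any(b.get("role") == DECRYPTER_ROLE and APIGEE_AGENT in b.get("members", [])
               for b in bindings):
            return None
        reason = "Apigee service agent no longer holds cryptoKeyEncrypterDecrypter on the key"
    else:
        return None

    return {
        "method": method,
        "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "resource": payload.get("resourceName", ""),
        "reason": reason,
    }


def scan(entries):
    """Run classify over every entry and keep only the findings."""
    return [f for f in (classify(e) for e in entries) if f is not None]


# Constructed key name used by the sample entries below.
KEY = "projects/example-project/locations/us/keyRings/apigee-ring/cryptoKeys/control-plane-key"

# Constructed entries: a destroy, a disable, a policy change that drops the agent,
# and a benign Decrypt call by the agent itself (should produce no finding).
SAMPLE_ENTRIES = [
    {"protoPayload": {"serviceName": KMS_SERVICE, "methodName": DESTROY_VERSION,
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": KEY + "/cryptoKeyVersions/1", "request": {}}},
    {"protoPayload": {"serviceName": KMS_SERVICE, "methodName": UPDATE_VERSION,
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": KEY + "/cryptoKeyVersions/2",
                      "request": {"cryptoKeyVersion": {"state": "DISABLED"}}}},
    {"protoPayload": {"serviceName": KMS_SERVICE, "methodName": SET_IAM_POLICY,
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": KEY,
                      "request": {"policy": {"bindings": [
                          {"role": DECRYPTER_ROLE, "members": ["user:someone@example.com"]}]}}}},
    {"protoPayload": {"serviceName": KMS_SERVICE,
                      "methodName": "google.cloud.kms.v1.KeyManagementService.Decrypt",
                      "authenticationInfo": {"principalEmail": APIGEE_AGENT.split(":", 1)[1]},
                      "resourceName": KEY, "request": {}}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(f'{finding["actor"]} {finding["method"]} on {finding["resource"]}: {finding["reason"]}')
```

Run against the sample data the script reports the destroy, the disable and the policy change and stays silent on the Decrypt call. In practice you would feed it entries exported from Cloud Logging (a log sink to Pub/Sub or BigQuery filtered on `protoPayload.serviceName="cloudkms.googleapis.com"`) and page on any finding, since each one corresponds to a row in the troubleshooting table below that will otherwise surface as Apigee API failures.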

Troubleshooting

The following table describes some common error conditions that may arise with the CMEK-encrypted configstore data, the approximate error message returned by the Apigee API, and the recommended troubleshooting steps.

Error message/symptom: Apigee does not have permission to access key "..."
Cause: A user has revoked Apigee's access to the provided KMS key, for example by removing the roles/cloudkms.cryptoKeyEncrypterDecrypter role.
Steps to take: Check the configured roles on the KMS key and ensure that the Apigee service agent has the necessary permissions.

Error message/symptom: Unable to encrypt/decrypt data. Cloud KMS Error: "..." is not enabled, current state is: DESTROYED.
Cause: A user has disabled or deleted the key version used to encrypt/decrypt the requested piece of data.
Steps to take: Re-enable the key version if possible. If the key or key version has been destroyed, the data is unrecoverable (by design).

Error message/symptom: No new Analytics data for US/EU users
Cause: One possible cause is that a user revoked, disabled, or deleted the single-region key.
Steps to take: Re-enable or restore access to the single-region key.

Error message/symptom: Control plane key "..." in region "..." is not valid for this control plane instance. Supported region(s) are "…".
Cause: A user has provided a single-region control plane key in a region that is not valid or supported for the region or multi-region served by the instance of the control plane.
Steps to take: Either provide a key in one of the supported regions or use a different control plane instance.

Error message/symptom: Multi-region control plane key is not valid for this control plane instance. Specify only the "apiConsumerDataEncryptionKeyName" field.
Cause: A user has provided a multi-region control plane key in a control plane that exists only in a single region (that is, it is not a multi-regional control plane).
Steps to take: Either omit the multi-regional key field or use a multi-regional control plane instance.

Error message/symptom: Multi-region control plane key is not valid for this control plane instance. Specify a multi-region key with region "..."
Cause: A user has provided a multi-region control plane key to the wrong multi-regional control plane instance (for example, a "us" key to the "eu" control plane instance).
Steps to take: Either use a multi-regional key in the correct multi-region or use a different multi-regional control plane instance.
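Three of the rows above (wrong key region, missing service-agent permission, disabled or destroyed key version) can be checked before the Apigee API reports them. The following added example, which is not Apigee tooling or code from this page, runs those checks over the key's resource name, its IAM policy and its version list, using the JSON shapes that `gcloud kms keys get-iam-policy --format=json` and `gcloud kms keys versions list --format=json` return. The Apigee service agent address, the key names, the supported-region set and the sample policy and version objects are constructed; the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role and the key version state names are real.

```python
"""Pre-flight check of a CMEK key against the conditions in the troubleshooting table.

Added example for this page; not Apigee tooling. It works on JSON you fetch
yourself (for example with `gcloud kms keys get-iam-policy` and
`gcloud kms keys versions list --format=json`); the objects below are constructed.
"""
import re

# Cloud KMS cryptoKey resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KEY_NAME_RE = re.compile(
    r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)$")
DECRYPTER_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Key version states that stop decryption (real Cloud KMS state names).
DISABLED_STATES = {"DISABLED"}
DESTROYED_STATES = {"DESTROY_SCHEDULED", "DESTROYED"}


def key_location(key_name):
    """Return the location segment of a cryptoKey resource name, or raise ValueError."""
    match = KEY_NAME_RE.match(key_name)
    if not match:
        raise ValueError(f"not a cryptoKey resource name: {key_name}")
    return match.group(2)


def check_key(key_name, supported_regions, iam_policy, versions, apigee_agent):
    """Return a list of problems; an empty list means the key passes every check."""
    problems = []

    # Region check: the key must live in one of the control plane's supported regions.
    location = key_location(key_name)
    if location not in supported_regions:
        problems.append(
            f'key in region "{location}" is not valid for this control plane; '
            f'supported region(s): {", ".join(sorted(supported_regions))}')

    # Permission check: the Apigee service agent needs encrypter/decrypter on the key.
    bindings = iam_policy.get("bindings", [])
    if not any(b.get("role") == DECRYPTER_ROLE and apigee_agent in b.get("members", [])
               for b in bindings):
        problems.append(f"{apigee_agent} lacks {DECRYPTER_ROLE} on the key")

    # Version check: a disabled version is recoverable, a destroyed one is not.
    for version in versions:
        state = version.get("state")
        if state in DISABLED_STATES:
            problems.append(f'{version["name"]} is {state}; re-enable it to restore access')
        elif state in DESTROYED_STATES:
            problems.append(f'{version["name"]} is {state}; data encrypted with it is unrecoverable')
    return problems


# Constructed inputs: an assumed Apigee service agent, a key in a supported region with
# the right binding and a healthy version, and a key that fails all three checks.
AGENT = "serviceAccount:service-123456789012@gcp-sa-apigee.iam.gserviceaccount.com"
SUPPORTED_REGIONS = {"us", "us-central1", "us-east1"}  # hypothetical set for a US control plane
GOOD_KEY = "projects/example-project/locations/us/keyRings/apigee-ring/cryptoKeys/cp-key"
BAD_KEY = "projects/example-project/locations/asia-east1/keyRings/apigee-ring/cryptoKeys/cp-key"
GOOD_POLICY = {"bindings": [{"role": DECRYPTER_ROLE, "members": [AGENT]}]}
EMPTY_POLICY = {"bindings": []}
HEALTHY_VERSIONS = [{"name": GOOD_KEY + "/cryptoKeyVersions/1", "state": "ENABLED"}]
BROKEN_VERSIONS = [{"name": BAD_KEY + "/cryptoKeyVersions/1", "state": "DESTROYED"},
                   {"name": BAD_KEY + "/cryptoKeyVersions/2", "state": "ENABLED"}]

if __name__ == "__main__":
    for name, policy, versions in ((GOOD_KEY, GOOD_POLICY, HEALTHY_VERSIONS),
                                   (BAD_KEY, EMPTY_POLICY, BROKEN_VERSIONS)):
        findings = check_key(name, SUPPORTED_REGIONS, policy, versions, AGENT)
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Because a CMEK cannot be changed after the Apigee organization is created, the region and permission checks are worth running before provisioning; the version check is the one to keep running afterwards, since a version that is disabled can be re-enabled but a destroyed one takes the data with it.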