Set up customer-managed encryption keys

Last reviewed 2023-06-08 UTC

Cloud Volumes Service (CVS) always encrypts your data with volume-specific keys. With customer-managed encryption keys (CMEK), the volume keys are wrapped using keys supplied by Cloud Key Management Service (KMS). This further protects your data from being read if the underlying storage devices experience unauthorized physical access. This feature gives you control over the encryption keys used and the added security of storing the keys on a system or in a location different from the data. CVS supports Cloud KMS capabilities such as hardware security modules (HSMs), External Key Manager (EKM), and the full key management lifecycle (generate, use, rotate, destroy).

Using customer-managed encryption keys is optional.

Considerations

The following sections include limitations for customer-managed encryption keys to consider.

Key management

Using customer-managed encryption keys makes you solely responsible for managing your keys and your data.

KMS configurations

You can create KMS configurations in a project with existing volumes or in a new project.

For existing volumes, Cloud Volumes Service has an API that you can use to migrate KMS configurations to use the KMS keys rather than keys wrapped by keys from the Onboard Key Manager. The migration runs in the background with no disruption to data access. The encryption type is updated in the volume details as each volume completes migration. If migration doesn't complete for some volumes, you can run the migration again.

For migration assistance, contact your NetApp account team or open a support case with Google. For more information, see Obtain support for NetApp Cloud Volumes Service.

  • CMEK is available for new volumes of the CVS-Performance service type, as described in the previous point. Existing volumes continue to use keys wrapped by keys from the Onboard Key Manager.

  • CMEK uses symmetric keys for encryption and decryption.

  • CMEK works with Cloud KMS keys associated with your customer project. If you don't specify a key ring project ID, Cloud Volumes Service looks for keys in the current project.

  • After Cloud KMS is configured, you can't change the name or location of the key ring. You can't rekey your volumes with a different key or the default Onboard Key Manager.

  • A Cloud KMS configuration is needed for each region in which you use Cloud KMS for your volumes. The Cloud KMS configurations may use the same or different key ring and key, and may use the same VPC network.

  • As part of the configuration process, you need to create a Cloud KMS role and assign it to the Cloud Volumes Service service account so that it can access the key ring.

    • Creating the role is required once for each project.

    • Assigning the role to the service account is required for each region being configured for CMEK.

  • After all volumes are deleted in a region for a project, the Cloud KMS configuration returns to a created state. It is used again when the next volume is created in that region, or it can be deleted using the API.

Create a Cloud KMS configuration

  1. In the Google Cloud console, go to the Project settings page.


  2. Select the KMS tab, and then click Create.

  3. Select the VPC network name for the VPC network that you'll be using with the volumes.

    To select a Shared VPC network with your service project, click Shared VPC configuration and then select the host project name and the Shared VPC network name.

    If no VPCs appear, see the Cloud Volumes Service FAQ for what to do if you can't see your VPCs in the Cloud Volumes Service user interface.

  4. Click Continue.

  5. Enter the CVS region for your volumes, the location of the key ring, the key ring project ID, the key ring, and key name. Verify that all of these fields are correct, and then click Save.

    It takes 10-15 seconds to create the CVS Cloud KMS configuration. When the configuration is complete, the status symbol turns green and the View commands button is enabled for the configuration. You may need to refresh the page until the configuration is shown as complete.

  6. Click View commands.

  7. From the dialog, copy and paste the Create role and Assign Custom role to SA commands and run them in the Cloud Shell. The first command creates the Cloud KMS role; the second command uses the role to give the CVS service account access to the Cloud KMS key.

  8. To verify that CVS can communicate with the key, click Test config.

When the configuration is ready, it is used to key new CVS volumes.
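
After you run the commands in step 7, you can check that the key's IAM policy grants the custom role to the CVS service account and nothing broader. The following Python script is an added example, not part of the original page or of Google or NetApp tooling; it audits the JSON printed by `gcloud kms keys get-iam-policy KEY --keyring=KEY_RING --location=LOCATION --format=json`, and the project ID, custom role ID, and service account address in it are placeholders.

```python
import json

# Constructed sample of the JSON policy output. The project, role ID and
# service-account address are placeholders, not values from the console.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "projects/example-project/roles/cvsKmsRole",
     "members": ["serviceAccount:cvs-sa@example-tenant.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["user:former-admin@example.com", "allAuthenticatedUsers"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_key_policy(policy, expected_member, expected_role):
    """Return (finding, role, member) tuples for a key-level IAM policy.

    Only bindings set directly on the key are visible here; bindings
    inherited from the key ring or project need a separate check.
    """
    findings = []
    granted = False
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member == expected_member and role == expected_role:
                granted = True  # the binding that step 7 is meant to create
            elif member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC", role, member))
            elif member == expected_member:
                findings.append(("EXTRA_ROLE", role, member))
            else:
                findings.append(("UNEXPECTED_MEMBER", role, member))
    if not granted:
        findings.append(("MISSING", expected_role, expected_member))
    return findings


if __name__ == "__main__":
    for finding in audit_key_policy(
        SAMPLE_POLICY,
        "serviceAccount:cvs-sa@example-tenant.iam.gserviceaccount.com",
        "projects/example-project/roles/cvsKmsRole",
    ):
        print(*finding)
```

An `UNEXPECTED_MEMBER` finding is a prompt to review, because key administrators may legitimately hold roles on the same key.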

For more information, see the Cloud Key Management Service documentation.
