Create and obtaining a CMEK key

If you use customer-managed encryption keys (CMEK) to encrypt your Assured Workloads resources, this page shows you how to create and obtain those keys. Learn more about Assured Workloads encryption options.

Before you begin

  1. Choose an encryption strategy.

  2. Create an Assured Workloads folder for the desired compliance program.

  3. Select the project ID for the project that contains your Assured Workloads CMEK keys. If you chose IL4 or CJIS as a compliance program, then, by default, this project is created for you.

Create the key

To create the CMEK key, do the following:

  1. In the Google Cloud console, go to Cryptographic Keys page:

    Go to Cryptographic Keys

  2. Select the Assured Workloads CMEK project. By default, this project ID starts with cmek-.

  3. Click your key ring.

  4. Click Create Key.

  5. From the What type of key do you want to create? list, select Generated key.

  6. In Key name enter the key name.

  7. From the Protection level list, select Software.

  8. From the Purpose list, select Symmetric encryption/decryption.

  9. From the Rotation period list, select 90 days.

  10. Optional: To add a label, do the following:

    1. Click Add a label.
    2. Enter a key in the Key text field.
    3. Enter a value in the Value text field.
  11. Click Create.

Obtain your CMEK key resource ID

  1. In Google Cloud console, in the Project Selector, select the project ID for the project that contains your CMEK keys. By default, if Assured Workloads creates this project, it prepends the project ID cmek-.
  2. In Security, go to Cryptographic Keys:

    Go to Cryptographic Keys

  3. Under Key rings, click the key ring name.

  4. In Key ring details, in the Keys tab, click the name of the key.

  5. Click the More icon to the right of the key name.

  6. Click Copy Resource Name.

    The resource string is formatted as follows:

     projects/SECURITY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
    

What's next