If you use customer-managed encryption keys (CMEK) to encrypt your Assured Workloads resources, this page shows you how to create and obtain those keys. Learn more about Assured Workloads encryption options.
Before you begin
You must be a project owner, an org admin, or have security access to the project. For first-time users, see Get started with Assured Workloads.
Choose a compliance regime and encryption strategy.
Create a project in the Assured Workloads environment that supports your compliance regime, as follows:
Select the project ID for the project that contains your Assured Workloads CMEK keys. If you chose IL4 (Preview) or CJIS as a compliance regime, then, by default, this project starts with
Create the key
To create the CMEK key, do the following:
In Google Cloud Console, go to Cryptographic Keys:
Select the Assured Workloads CMEK project. By default, this project ID starts with
Click your key ring.
Click Create Key.
In the What type of key do you want to create? drop-down list, select Generated key.
In Key name enter the key name.
In the Protection level drop-down list, select Software.
In the Purpose drop-down list, select Symmetric encryption/decryption.
In the Rotation period drop-down list, select 90 days.
Optional: To add a label, do the following:
- Click Add a label.
- Enter a key in the Key text field.
- Enter a value in the Value text field.
You see that the key was created.
Obtain your CMEK key resource ID
- In Google Cloud Console, in the Project Selector, select the project ID
for the project that contains your CMEK keys. By default, if
Assured Workloads creates this project, it prepends the project ID
In Security, go to Cryptographic Keys:
Under Key rings, click the key ring name.
In Key ring details, in the Keys tab, click the name of the key.
Click the more_vertMore icon to the right of the key name.
Click Copy Resource Name.
The resource string is formatted as follows:
- Learn how to encrypt Cloud Storage using CMEK.
- Learn how to encrypt Persistent Disk using CMEK.
- Learn how to encrypt BigQuery using CMEK.