Encrypting Disks with Customer-Supplied Encryption Keys

By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.

If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.

Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.

Before you begin

Specifications

Encryption

Compute Engine uses your encryption key to protect Google's encryption keys with AES-256 encryption.

Restrictions

There are some limitations and restrictions to using this feature:

General restrictions

Customer-supplied encryption keys are available only in the following countries:

  • Australia
  • Belgium
  • Canada
  • Columbia
  • Denmark
  • France
  • Finland
  • Germany
  • Ireland
  • Israel
  • Italy
  • Japan
  • Mexico
  • Netherlands
  • New Zealand
  • Norway
  • Sweden
  • Taiwan
  • United Kingdom (UK)
  • United States (US)

If your country is not on this list, you can request to add your country.

Technical restrictions

  • You can only encrypt new persistent disks with your own key. You cannot encrypt existing persistent disks with your own key.

  • You cannot use your own keys with local SSDs because local SSDs do not persist beyond the life of a virtual machine. Local SSDs are already protected with an ephemeral encryption key that Google does not retain.

  • Compute Engine does not store encryption keys with instance templates, so you cannot use your own keys to encrypt disks in a managed instance group.

Required key format

It is up to you to generate and manage your key. You must provide a key that is a 256-bit string encoded in RFC 4648 standard base64 to Compute Engine.

The following is an example of a base64 encoded key, generated with the string "Hello from Google Cloud Platform"

SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=

It can be generated using the following script:

read -sp "String:" ; [[ ${#REPLY} == 32 ]] && echo "$(echo -n "$REPLY" | base64)" || (>&2 echo -e "\nERROR:Wrong Size"; false)

RSA key wrapping

In addition to encoding your key in base64, you can optionally wrap your key using an RSA public key certificate provided by Google, encode the key in base64, and then use that key in your requests.

RSA wrapping is a process in which you use a public key to encrypt your data. After that data has been encrypted with the public key, it can only be decrypted by the respective private key. In this case, the private key is known only to Google Cloud Platform services. By wrapping your key using the RSA certificate, you ensure that only Google Cloud Platform services can unwrap your key and use it to protect your data.

For more information, see RSA encryption.

To create an RSA-wrapped key for Compute Engine you need to:

  1. Wrap your key using the public key provided in a certificate that Compute Engine manages. Make sure to wrap your key using OAEP padding, not PKCS #1 v1.5 padding.
  2. Encode your RSA-wrapped key using standard base64 encoding.

Download the public certificate maintained by Compute Engine from:

https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem

There are many ways of generate and RSA-wrap your key; use a method that is familiar to you. The following are two examples of RSA-wrapping your key that you could use.

Example 1

The following instructions use the openssl command-line utility to RSA-wrap and encode a key.

  1. (Optional) Generate a 256-bit (32-byte) random key. If you already have a key you want to use, you can skip this step. There are many ways you can generate a key; the following is just an example of one way you could do so:

    $ head -c 32 /dev/urandom | LC_CTYPE=C tr '\n' = > mykey.txt
    

  2. Download the public key certificate:

    $  curl -s -O -L https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem

  3. Extract the public key from the certificate:

    $ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > pubkey.pem
    

  4. RSA-wrap your key, making sure to replace mykey.txt with your own key file.

    $ openssl rsautl -oaep -encrypt -pubin -inkey pubkey.pem -in mykey.txt -out rsawrappedkey.txt
    

  5. Encode your RSA-wrapped key in base64.

    $ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrapencodedkey.txt
    

Example 2

The following is sample Python script that generates a 256-bit (32-byte) random string and creates a base64 encoded RSA-wrapped key using the cryptography library:

import argparse
import base64
import os

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
import requests


GOOGLE_PUBLIC_CERT_URL = (
    'https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem')


def get_google_public_cert_key():
    r = requests.get(GOOGLE_PUBLIC_CERT_URL)
    r.raise_for_status()

    # Load the certificate.
    certificate = x509.load_pem_x509_certificate(
        r.text.encode('utf-8'), default_backend())

    # Get the certicate's public key.
    public_key = certificate.public_key()

    return public_key


def wrap_rsa_key(public_key, private_key_bytes):
    # Use the Google public key to encrypt the customer private key.
    # This means that only the Google private key is capable of decrypting
    # the customer private key.
    wrapped_key = public_key.encrypt(
        private_key_bytes,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA1()),
            algorithm=hashes.SHA1(),
            label=None))
    encoded_wrapped_key = base64.b64encode(wrapped_key)
    return encoded_wrapped_key


def main(key_file):
    # Generate a new 256-bit private key if no key is specified.
    if not key_file:
        customer_key_bytes = os.urandom(32)
    else:
        with open(key_file, 'rb') as f:
            customer_key_bytes = f.read()

    google_public_key = get_google_public_cert_key()
    wrapped_rsa_key = wrap_rsa_key(google_public_key, customer_key_bytes)

    print('Base-64 encoded private key: {}'.format(
        base64.b64encode(customer_key_bytes).decode('utf-8')))
    print('Wrapped RSA key: {}'.format(wrapped_rsa_key.decode('utf-8')))


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description=__doc__,
        formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument(
        '--key_file', help='File containing your binary private key.')

    args = parser.parse_args()

    main(args.key_file)

Your key is now ready to use!

Use a RSA-wrapped key

Using the gcloud command-line tool, you can provide a regular key and a RSA-wrapped key in the same way.

In the API, use the rsaEncryptedKey property instead of rawKey if you want to use a RSA-wrapped key instead.

Encrypting resources with the command-line tool

Setup

Encryption keys can be used through the gcloud command-line tool.

Download and install gcloud.

Key file

When you use the gcloud compute command-line tool to set your keys, you provide encoded keys using a key file that contains your encoded keys as a JSON list. A key file can contain multiple keys, allowing you to manage many keys in a single place. Alternatively, you can create single key files to handle each key separately. A key file is only usable with the gcloud tool. When using the API, you must supply the key directly in your request.

Each entry in your key file must provide:

  • The fully-qualified URI to the resource the key protects
  • The corresponding key
  • The type of key, either raw or rsa-encrypted

When you use the key file in your requests, the tool looks for matching resources and uses the respective keys. If no matching resources are found, the request will fail.

An example key file looks like this:

[
  {
  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/example-disk",
  "key": "acXTX3rxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY-c=",
  "key-type": "raw"
  },
  {
  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/global/snapshots/my-private-snapshot",
  "key": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  "key-type": "rsa-encrypted"
  }
]

Best practices for managing your key file

If you use a key file, you should restrict access to your file to only those who need it. Make sure to set appropriate permissions on these files and consider encrypting these files using additional tools:

Encrypt a new persistent disk with your own keys

You can encrypt a new persistent disk by supplying a key during instance or disk creation.

Console

  1. Go to the Disks page.

    Go to the Disks page

  2. Click New disk and enter the properties for the new disk.
  3. Under Encryption, select Customer Supplied from the drop-down menu.
  4. Provide the encryption key for the disk in the text box and select Wrapped key if the key has been wrapped with the public RSA key.

gcloud

In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:

gcloud (beta) compute instances create example-instance --csek-key-file example-file.json

To encrypt a standalone persistent disk:

gcloud (beta) compute disks create example-disk --csek-key-file example-file.json

API

In the API, encrypt a disk using the diskEncryptionKey property and make a request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key. Provide one of the following properties in your request:

  • rawKey - If your key is just base64 encoded
  • rsaEncryptedKey- If your key is RSA-wrapped and base64 encoded

For example, to encrypt a new disk during instance creation with an RSA-wrapped key:

POST
https://www.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/instances

{
"machineType": "zones/us-central1-a/machineTypes/n1-standard-1",
"disks": [
 {
  "type": "PERSISTENT",
  "diskEncryptionKey": {
    "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  },
  "initializeParams": {
   "sourceImage": "projects/debian-cloud/global/images/debian-7-wheezy-v20150423"
  },
  "boot": true
 }
],
...
}

Similarly, you can also use the API to create a new stand-alone persistent disk and encrypt it with your own key:

POST https://www.googleapis.com/compute/beta/projects/myproject/zones/
us-central1-a/disks?sourceImage=https%3A%2F%2Fwww.googleapis.com%2Fcompute%2F
alpha%2Fprojects%2Fdebian-cloud%2Fglobal%2Fimages%2Fdebian-7-wheezy-v20150320

{
 "name": "new-encrypted-disk-key",
 "diskEncryptionKey": {
   "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  },
 "type": "zones/us-central1-a/diskTypes/pd-standard"
}

Create a snapshot from an encrypted disk

If you create a snapshot from an encrypted disk, the snapshot must also be encrypted. You must specify a key to encrypt the snapshot. You cannot convert encrypted disks or encrypted snapshots to use Compute Engine default encryption unless you create a completely new disk image and a new persistent disk.

Snapshots of encrypted disks are always full snapshots, which cost more to store than differential snapshots.

To create a persistent disk snapshot from an encrypted disk, your snapshot creation request must provide the encryption key that you used to encrypt the persistent disk.

Console

  1. Go to the Snapshots page.

    Go to the Snapshots page

  2. Click New snapshot.
  3. Under Source disk, choose the encrypted disk you want to create a snapshot of.
  4. Provide the encryption key for the disk in the text box and select Wrapped key if the key has been wrapped with the public RSA key.
  5. Encrypt the new snapshot by supplying an additional encryption key under the Encryption section.

API

In the API, provide the sourceDiskEncryptionKey property to access the source persistent disk. You can also optionally encrypt the new snapshot using the snapshotEncryptionKey property.

Make request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key.

POST https://www.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks/example-disk/createSnapshot

{
 "snapshotEncryptionKey":  {
   "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
 },
 "sourceDiskEncryptionKey": {
   "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  },
 "name": "snapshot-encrypted-disk"
}

The sourceDiskEncryptionKey property must match the key used to encrypt the persistent disk. Otherwise, the request will fail.

The optional snapshotEncryptionKey allows you to supply a key to encrypt the snapshot so that if the snapshot is used to create new persistent disks, a matching key must be provided. This key must follow the same key format described above. You can also choose to leave this property undefined and the snapshot can be used to create new persistent disks without requiring a key.

Create a new image from an encrypted disk

Console

  1. Go to the Images page page.

    Go to the Images page

  2. Click New image.
  3. Under Source disk, choose the encrypted disk you want to create an image of.
  4. Provide the encryption key for the disk in the text box and select Wrapped key if the key has been wrapped with the public RSA key.
  5. Optionally, you can also encrypt the new image by supplying an encryption key under the Encryption section.

gcloud

Follow the instructions to create an image, and add the --csek-key-file flag. Use the gcloud beta component if you are using an RSA-wrapped key:

gcloud (beta) compute images create .... --csek-key-file example-file.json

If you want to encrypt the new image with your key as well, add the key to the key file, e.g.:

[
  {
  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/source-disk",
  "key": "acX3RqzxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY-c=",
  "key-type": "raw"
  },
  {
  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/global/snapshots/the-new-image",
  "key": "TF0t-cSfl7CT7xRF1LTbAgi7U6XXUNC4zU_dNgx0nQc=",
  "key-type": "raw"
  }
]

API

Your API creation request must contain the sourceDiskEncryptionKey property, followed by either rawKey or rsaEncryptedKey. Make a request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key:

POST https://www.googleapis.com/compute/beta/projects/myproject/global/images

{
 "name": "image-encrypted-disk",
 "sourceDiskEncryptionKey": {
    "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  }
 "imageEncryptionKey": {
    "rsaEncryptedKey":  "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
    },
 "sourceDisk": "projects/myproject/zones/us-central1-a/disks/source-disks"
}

The optional imageEncryptionKey property allows you to supply a key to encrypt the image so when the image is used to create new persistent disks, a matching key must be provided. This key must follow the same key format described above. You can also choose to leave this property undefined and the image can be used to create new persistent disks without requiring a key.

Encrypt an imported image

You can encrypt a new image when you import a custom image to Compute Engine. Before you can import an image, you must create and compress a disk image file and upload that compressed file to Google Cloud Storage.

Import the custom Compute Engine image that you want to encrypt. Specify the URI to the compressed file and also specify a path to your encryption key file.

Console

  1. Go to the Images page page.

    Go to the Images page

  2. Click New image.
  3. Under Source type, choose Cloud Storage object.
  4. Under Encryption, choose customer supploed and provide the encryption key to encrypt the image in the text box.
  5. Enter the Cloud Storage URI in the Cloud Storage object path section.

gcloud

Use the compute images create command to create a new image, and specify the --csek-key-file flag with an encryption key file. If you are using an RSA-wrapped key, use the gcloud beta component:

gcloud (beta) compute images create [IMAGE_NAME] \
  --source-uri gs://[BUCKET_NAME]/[COMPRESSED_FILE] \
  --csek-key-file [KEY_FILE]

where:

  • [IMAGE_NAME] is a name for the new custom image.
  • [BUCKET_NAME] is the name of the Cloud Storage bucket that holds your compressed image file.
  • [COMPRESSED_FILE] is the name of the compressed image file.
  • [KEY_FILE] is the path to an encryption key file on your local workstation.

API

To encrypt a new image created from a RAW file, add the new imageEncryptionKey property to the image creation request, followed by either rawKey or rsaEncryptedKey. Make a request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key.

POST https://www.googleapis.com/compute/beta/projects/myproject/global/images

{
"rawDisk": {
 "source": "http://storage.googleapis.com/example-image/example-image.tar.gz"
},
"name": "new-encrypted-image",
"sourceType": "RAW",
"imageEncryptionKey": {
  "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  }
}

Create a persistent disk from an encrypted resource

Create a disk from an encrypted snapshot

Console

  1. Go to the Disks page.

    Go to the Disks page

  2. Click New disk.
  3. Under Source type, select Snapshot.
  4. Provide the encryption key for the snapshot in the text box and select Wrapped key if the key has been wrapped with the public RSA key.

gcloud

In the gcloud compute tool, provide the encryption key for the snapshot using the --csek-key-file flag when you create the disk. If you are using an RSA-wrapped key, use the gcloud beta component:

gcloud (beta) compute disks create ... --source-snapshot example-snapshot --csek-key-file example-file.json

API

To use an encrypted snapshot, supply the sourceSnapshotEncryptionKey in your request, followed by rawKey or rsaEncryptedKey. Make a request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key. For example, to a new standalone persistent disk using an encrypted snapshot:

POST https://www.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks

{
"name": "disk-from-encrypted-snapshot",
"sourceSnapshot": "global/snapshots/encrypted-snapshot",
"sourceSnapshotEncryptionKey": {
  "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  }
}

Create a disk from an encrypted image

Console

  1. Go to the Disks page.

    Go to the Disks page

  2. Click New disk.
  3. Under Source type, select Image.
  4. Provide the encryption key for the image in the text box and select Wrapped key if the key has been wrapped with the public RSA key.

gcloud

In the gcloud compute tool, provide the encryption key for the image using the --csek-key-file flag when you create the disk. If you are using an RSA-wrapped key, use the gcloud beta component:

gcloud (beta) compute disks create ... --image example-image --csek-key-file example-file.json

API

To use an encrypted image, provide the sourceImageMasterKey, followed by either rawKey or rsaEncryptedKey. Make a request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key.

POST https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks

{
"name": "disk-from-encrypted-image",
"sourceImageMasterKey": {
  "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
  },
"sourceImage": "global/images/encrypted-image"
}

Attaching an encrypted disk to a new instance

Console

  1. Go to the VM instances page.

    Go to the VM Instances page

  2. Click New instance.
  3. Under Boot, click Change.
  4. Select Existing disk.
  5. Choose an existing disk to attach to the instance.
  6. Provide the encryption key in the text box and select Wrapped key if the key has been wrapped with the public RSA key.
  7. Continue with the instance creation process.

gcloud

To create an instance and attach an encrypted disk, create a key file and provide the key using the --csek-key-file flag when you create the instance. If you are using an RSA-wrapped key, use the gcloud beta component:

gcloud (beta) compute instances create example-instance \
  --disk name=example-disk,boot=yes \
  --csek-key-file example-file.json

API

Create an instance using the Compute Engine API and provide either the rawKey or rsaEncryptedKey with the disk specification. Make a request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key.

Here is a snippet of an example disk specification:

"disks": [
{
  "deviceName": "encrypted-disk",
  "source": "projects/myproject/zones/us-central1-f/disks/encrypted-disk",
  "diskEncryptionKey": {
    "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
  }
 }
]

Starting or restarting instances that have encrypted disks

Because Google does not store your encryption keys, you must provide those keys whenever restart instances that have persistent disks encrypted with Customer-Supplied Encryption Keys.

If you have a stopped instance with an attached encrypted disk, you can start it through the Google Cloud Platform Console, the gcloud tool, or the API.

Console

  1. Go to the VM instances page.

    Go to the VM Instances page

  2. Click the name of the instance that you want to start. This opens the instance details page.
  3. Click the Start button. A window opens where you can specify encryption keys for the devices that are attached to this instance.
  4. Specify encryption keys for each of the encrypted disks that are attached to this instance.
  5. Click Start to start the instance.

gcloud

Provide the key using the --csek-key-file flag and the name of the disk when you start the instance. If you are using an RSA-wrapped key, use the gcloud beta component:

gcloud compute instances start [INSTANCE_NAME] \
  --csek-key-file [ENCRYPTION_KEY]

where:

  • [INSTANCE_NAME] is the name of the instance.
  • [ENCRYPTION_KEY] is the encryption key that you use to encrypt persistent disks that are attached to the instance.

API

In the API, construct a POST request to start the instance using an encryption key. If you are using an RSA-wrapped key, make the request to the Beta API instead of the v1 API.

POST https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]/startWithEncryptionKey
{
  "instanceEncryptionKey": {
    "rsaEncryptedKey": "[ENCRYPTION_KEY]"
  },
  "disk": [
    {
       "source": "[DISK_NAME]",
       "diskEncryptionKey": {
         "rsaEncryptedKey": "[ENCRYPTION_KEY]"
       }
    }
  ]
}

where:

  • [INSTANCE_NAME] is the name of the instance.
  • [PROJECT_ID] is your project ID.
  • [ZONE] is the zone for this instance.
  • [MACHINE_TYPE] is the machine type of the instance.
  • [DISK_NAME] is the attached disk that is encrypted with a customer-supplied encryption key.
  • [ENCRYPTION_KEY] is the encryption key that you use to encrypt persistent disks that are attached to the instance.

Using the command line to create mixed resources

If you want to create a mix of customer-encrypted and standard-encrypted resources in a single request with the gcloud command-line tool, you can use the --csek-key-file flag with a key file and the --no-require-csek-key-create flag in your request. By providing both flags, gcloud tool creates any customer-encrypted resources that are explicitly define in your key file and also creates any standard resources you specify.

For example, assume a key file contains the following:

[
  {
  "uri": "https://www.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks/example-disk",
  "key": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA==",
  "key-type": "rsa-encrypted"
  }
]

If you wanted to create an instance with a customer-encrypted disk using the key file and simultaneously create an instance with a standard-encrypted disk in the same request, you can do so as follows:

gcloud beta compute instances create example-disk example-disk-2 \
    --csek-key-file mykeyfile.json --no-require-csek-key-create

Normally, it would not be possible to create example-disk-2 if you just specified the --csek-key-file flag because the disk is not explicitly defined in the key file. By adding the --no-require-csek-key-create, both disks will be created, one encrypted using the key file, and the other encrypted using Google encryption.

Remove your customer-supplied encryption key from a persistent disk

You can decrypt the contents of a customer-encrypted disk and create a new disk that uses Compute Engine default encryption instead.

  1. Create an image of the encrypted disk and specify automatic encryption for the new image.
  2. Use the new image to create a new persistent disk.

After you create the new persistent disk, it uses Compute Engine default encryption to protect the disk contents. Any snapshots that you create from that disk must also use default encryption.

Send feedback about...

Compute Engine Documentation