By default, Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.
If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users who can provide the correct key can use resources protected by a customer-supplied encryption key.
Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.
When you delete a persistent disk, Google discards the cipher keys, rendering the data irretrievable. This process is irreversible.
Before you begin
- If you want to use the command-line examples in this guide:
- Install or update to the latest version of the gcloud command-line tool.
- Set a default region and zone.
- If you want to use the API examples in this guide, set up API access.
- Read about disks, images, and persistent disk snapshots.
Specifications
Encryption
Compute Engine uses your encryption key to protect Google's encryption keys with AES-256 encryption.
Restrictions
There are some limitations and restrictions to using this feature:
General restrictions
Customer-supplied encryption keys are not available in the following countries:
- Brazil
- India
Technical restrictions
You can only encrypt new persistent disks with your own key. You cannot encrypt existing persistent disks with your own key.
You cannot use your own keys with local SSDs because local SSDs do not persist beyond the life of a virtual machine. Local SSDs are already protected with an ephemeral encryption key that Google does not retain.
Compute Engine does not store encryption keys with instance templates, so you need to store your own keys in KMS to encrypt disks in a managed instance group.
Required key format
It is up to you to generate and manage your key. You must provide a key that is a 256-bit string encoded in RFC 4648 standard base64 to Compute Engine.
The following is an example of a base64 encoded key, generated with the string "Hello from Google Cloud Platform"
SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
It can be generated using the following script:
read -sp "String:" ; [[ ${#REPLY} == 32 ]] && echo "$(echo -n "$REPLY" | base64)" || (>&2 echo -e "\nERROR:Wrong Size"; false)
RSA key wrapping
In addition to encoding your key in base64, you can optionally wrap your key using an RSA public key certificate provided by Google, encode the key in base64, and then use that key in your requests.
RSA wrapping is a process in which you use a public key to encrypt your data. After that data has been encrypted with the public key, it can only be decrypted by the respective private key. In this case, the private key is known only to Google Cloud services. By wrapping your key using the RSA certificate, you ensure that only Google Cloud services can unwrap your key and use it to protect your data.
For more information, see RSA encryption.
To create an RSA-wrapped key for Compute Engine you need to:
- Wrap your key using the public key provided in a certificate that Compute Engine manages. Make sure to wrap your key using OAEP padding, not PKCS #1 v1.5 padding.
- Encode your RSA-wrapped key using standard base64 encoding.
Download the public certificate maintained by Compute Engine from:
https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
There are many ways of generate and RSA-wrap your key; use a method that is familiar to you. The following are two examples of RSA-wrapping your key that you could use.
Example 1
The following instructions use the openssl command-line utility to RSA-wrap and encode a key.
(Optional) Generate a 256-bit (32-byte) random key. If you already have a key you want to use, you can skip this step. There are many ways you can generate a key; the following is just an example of one way you could do so:
$ head -c 32 /dev/urandom | LC_CTYPE=C tr '\n' = > mykey.txt
Download the public key certificate:
$ curl -s -O -L https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem
Extract the public key from the certificate:
$ openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > pubkey.pem
RSA-wrap your key, making sure to replace
mykey.txt
with your own key file.$ openssl rsautl -oaep -encrypt -pubin -inkey pubkey.pem -in mykey.txt -out rsawrappedkey.txt
Encode your RSA-wrapped key in base64.
$ openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrapencodedkey.txt
Example 2
The following is sample Python script that generates a 256-bit (32-byte) random string and creates a base64 encoded RSA-wrapped key using the cryptography library:
Your key is now ready to use!
Use a RSA-wrapped key
Using the gcloud
command-line tool, you can provide a regular key and a
RSA-wrapped key in the same way.
In the API, use the
sha256
property instead of rawKey
if you want to use a
RSA-wrapped key instead.
Encrypting resources with the command-line tool
Setup
Encryption keys can be used through the gcloud
command-line tool.
Key file
When you use the gcloud compute
command-line tool to set your keys,
you provide encoded keys using a key file that contains your encoded keys as
a JSON list. A key file can contain multiple keys, allowing you to manage many
keys in a single place. Alternatively, you can create single key files to
handle each key separately. A key file is only usable with the gcloud
tool.
When using the API, you must supply the key directly in your request.
Each entry in your key file must provide:
- The fully-qualified URI to the resource the key protects
- The corresponding key
- The type of key, either
raw
orrsa-encrypted
When you use the key file in your requests, the tool looks for matching resources and uses the respective keys. If no matching resources are found, the request fails.
An example key file looks like this:
[
{
"uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/example-disk",
"key": "acXTX3rxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY+c=",
"key-type": "raw"
},
{
"uri": "https://www.googleapis.com/compute/v1/projects/myproject/global/snapshots/my-private-snapshot",
"key": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA==",
"key-type": "rsa-encrypted"
}
]
Best practices for managing your key file
If you use a key file, restrict access to your file to only those who need it. Make sure to set appropriate permissions on these files and consider encrypting these files using additional tools:
- On Windows, consider using BitLocker or Encrypting File System (EFS).
- On macOS, consider using FileVault 2.
- On Linux, consider Linux Unified Key Setup (LUKS) or eCryptfs.
Encrypt a new persistent disk with your own keys
You can encrypt a new persistent disk by supplying a key during instance or disk creation.
Console
- In the Google Cloud Console, go to the Disks page.
- Click Create disk and enter the properties for the new disk.
- Under Encryption, select Customer-supplied key.
- Provide the encryption key for the disk in the text box and select Wrapped key if the key has been wrapped with the public RSA key.
gcloud
In the gcloud compute
tool, encrypt a disk using the --csek-key-file
flag during instance creation. If you are using an RSA-wrapped key, use the
gcloud beta
component:
gcloud (beta) compute instances create example-instance --csek-key-file example-file.json
To encrypt a standalone persistent disk:
gcloud (beta) compute disks create example-disk --csek-key-file example-file.json
API
In the API, encrypt a disk using the diskEncryptionKey
property and make
a request to the v1 API for a raw (non-RSA wrapped) key, or to the
Beta API for a RSA-wrapped key. Provide one of the following properties
in your request:
rawKey
- If your key is just base64 encodedrsaEncryptedKey
- If your key is RSA-wrapped and base64 encoded
For example, to encrypt a new disk during instance creation with an RSA-wrapped key:
POST
https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/instances
{
"machineType": "zones/us-central1-a/machineTypes/e2-standard-2",
"disks": [
{
"type": "PERSISTENT",
"diskEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
},
"initializeParams": {
"sourceImage": "projects/debian-cloud/global/images/debian-9-stretch-v20170619"
},
"boot": true
}
],
...
}
Similarly, you can also use the API to create a new stand-alone persistent disk and encrypt it with your own key:
POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/
us-central1-a/disks?sourceImage=https%3A%2F%2Fwww.googleapis.com%2Fcompute%2F
alpha%2Fprojects%2Fdebian-cloud%2Fglobal%2Fimages%2Fdebian-9-stretch-v20170619
{
"name": "new-encrypted-disk-key",
"diskEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
},
"type": "zones/us-central1-a/diskTypes/pd-standard"
}
Create a snapshot from an encrypted disk
If you create a snapshot from an encrypted disk, the snapshot must also be encrypted. You must specify a key to encrypt the snapshot. You cannot convert encrypted disks or encrypted snapshots to use Compute Engine default encryption unless you create a completely new disk image and a new persistent disk.
Snapshots of encrypted disks are always full snapshots, which cost more to store than incremental snapshots.
To create a persistent disk snapshot from an encrypted disk, your snapshot creation request must provide the encryption key that you used to encrypt the persistent disk.
Review the Best practices for persistent disk snapshots before creating your snapshot.
Console
- In the Google Cloud Console, go to the Snapshots page.
- Click Create snapshot.
- Under Source disk, choose the encrypted disk you want to create a snapshot of.
- Provide the encryption key for the disk in the text box and select Wrapped key if the key has been wrapped with the public RSA key.
- Encrypt the new snapshot by supplying an additional encryption key under the Encryption section.
API
In the API, provide the sourceDiskEncryptionKey
property to access
the source persistent disk. You can also optionally encrypt the new
snapshot using the snapshotEncryptionKey
property.
Make request to the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key.
POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks/example-disk/createSnapshot
{
"snapshotEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
},
"sourceDiskEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
},
"name": "snapshot-encrypted-disk"
}
The sourceDiskEncryptionKey
property must match the key used to encrypt
the persistent disk. Otherwise, the request will fail.
The optional snapshotEncryptionKey
allows you to supply a key to encrypt
the snapshot so that if the snapshot is used to create new persistent
disks, a matching key must be provided. This key must follow the same key
format described above. You can also choose to leave this property
undefined and the snapshot can be used to create new persistent disks
without requiring a key.
Create a new image from an encrypted disk or encrypted custom image
You can create custom images from encrypted persistent disks or copy encrypted
images. You cannot use the console to copy images. Use the
gcloud
command-line tool or the API to copy images.
Console
- In the Google Cloud Console, go to the Images page.
- Click Create image.
- Under Source disk, choose the encrypted disk you want to create an image of.
- Under Encryption, select an encryption key management solution.
- If the key has been wrapped with the public RSA key, select Wrapped key.
gcloud
Follow the instructions to
create an image,
and add the --csek-key-file
flag with a path to the encryption key file
for the encrypted source object. Use the gcloud beta
component if you
are using an RSA-wrapped key:
gcloud (beta) compute images create .... --csek-key-file example-file.json
If you want to encrypt the new image with your key as well, add the key to the key file, e.g.:
[
{
"uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/source-disk",
"key": "acX3RqzxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY-c=",
"key-type": "raw"
},
{
"uri": "https://www.googleapis.com/compute/v1/projects/myproject/global/snapshots/the-new-image",
"key": "TF0t-cSfl7CT7xRF1LTbAgi7U6XXUNC4zU_dNgx0nQc=",
"key-type": "raw"
}
]
API
Your API creation request must contain the encryption key property for your source object. For example, include one of the following properties depending on the source object type:
- Persistent disk:
sourceDiskEncryptionKey
- Image:
sourceImageEncryptionKey
Also include the rawKey
or rsaEncryptedKey
properties depending on
key type. Make a request to the v1 API for a raw (non-RSA wrapped) key,
or to the Beta API for a RSA-wrapped key. The following example converts
an encrypted and RSA-wrapped persistent disk to an image that uses the
same encryption key.
POST https://compute.googleapis.com/compute/beta/projects/myproject/global/images
{
"name": "image-encrypted-disk",
"sourceDiskEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
}
"imageEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
},
"sourceDisk": "projects/myproject/zones/us-central1-a/disks/source-disks"
}
The optional imageEncryptionKey
property lets you supply a key
to encrypt the image so when the image is used to create new persistent
disks, a matching key must be provided. This key must follow the same key
format described above. You can also choose to leave this property
undefined and the image can be used to create new persistent disks
without requiring a key.
Encrypt an imported image
You can encrypt a new image when you manually import a custom image to Compute Engine. Before you can import an image, you must create and compress a disk image file and upload that compressed file to Cloud Storage.
Import the custom Compute Engine image that you want to encrypt. Specify the URI to the compressed file and also specify a path to your encryption key file.
Console
- In the Google Cloud Console, go to the Images page.
- Click Create image.
- Under Source, choose Cloud Storage file.
- Under Cloud Storage file, enter the Cloud Storage URI.
- Under Encryption, choose Customer-managed key and provide the encryption key to encrypt the image in the text box.
gcloud
Use the compute images create
command to create a new image, and specify
the --csek-key-file
flag with an encryption key file. If you are using an
RSA-wrapped key, use the gcloud beta
component:
gcloud (beta) compute images create [IMAGE_NAME] \
--source-uri gs://[BUCKET_NAME]/[COMPRESSED_FILE] \
--csek-key-file [KEY_FILE]
where:
[IMAGE_NAME]
is a name for the new custom image.[BUCKET_NAME]
is the name of the Cloud Storage bucket that holds your compressed image file.[COMPRESSED_FILE]
is the name of the compressed image file.[KEY_FILE]
is the path to an encryption key file on your local workstation.
API
To encrypt a new image created from a RAW file, add the new
imageEncryptionKey
property to the image creation request, followed
by either rawKey
or rsaEncryptedKey
. Make a request to the v1 API for a
raw (non-RSA wrapped) key, or to the Beta API for a RSA-wrapped key.
POST https://compute.googleapis.com/compute/beta/projects/myproject/global/images
{
"rawDisk": {
"source": "http://storage.googleapis.com/example-image/example-image.tar.gz"
},
"name": "new-encrypted-image",
"sourceType": "RAW",
"imageEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
}
}
Create a persistent disk from an encrypted resource
Create a disk from an encrypted snapshot
Console
- In the Google Cloud Console, go to the Disks page.
- Click Create disk.
- Under Source type, select Snapshot.
- Under Encryption, select an encryption key management solution.
- If the key has been wrapped with the public RSA key, select Wrapped key.
gcloud
In the gcloud compute
tool, provide the encryption key for the snapshot
using the --csek-key-file
flag when you create the disk. If you are using
an RSA-wrapped key, use the gcloud beta
component:
gcloud (beta) compute disks create ... --source-snapshot example-snapshot --csek-key-file example-file.json
API
To use an encrypted snapshot, supply the sourceSnapshotEncryptionKey
in
your request, followed by rawKey
or rsaEncryptedKey
. Make a request to
the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a
RSA-wrapped key. For example, to a new standalone persistent disk using an
encrypted snapshot:
POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks
{
"name": "disk-from-encrypted-snapshot",
"sourceSnapshot": "global/snapshots/encrypted-snapshot",
"sourceSnapshotEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
}
}
Create a disk from an encrypted image
Console
- In the Google Cloud Console, go to the Disks page.
- Click Create disk.
- Under Source type, select Image.
- Under Encryption, select an encryption key management solution.
- If the key has been wrapped with the public RSA key, select Wrapped key.
gcloud
In the gcloud compute
tool, provide the encryption key for the image using
the --csek-key-file
flag when you create the disk. If you are using an
RSA-wrapped key, use the gcloud beta
component:
gcloud (beta) compute disks create ... --image example-image --csek-key-file example-file.json
API
To use an encrypted image, provide the sourceImageEncryptionKey
, followed
by either rawKey
or rsaEncryptedKey
. Make a request to
the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a
RSA-wrapped key.
POST https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks
{
"name": "disk-from-encrypted-image",
"sourceImageEncryptionKey": {
"rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="
},
"sourceImage": "global/images/encrypted-image"
}
Attaching an encrypted disk to a new instance
Console
- In the Google Cloud Console, go to the VM instances page.
- Click Create instance.
- Under Boot, click Change.
- Select Existing disk.
- Choose an existing disk to attach to the instance.
- Provide the encryption key in the text box and select Wrapped key if the key has been wrapped with the public RSA key.
- Continue with the instance creation process.
gcloud
To create an instance and attach an encrypted disk, create a
key file and provide the key using the --csek-key-file
flag
when you create the instance. If you are using an RSA-wrapped key, use the
gcloud beta
component:
gcloud (beta) compute instances create example-instance \
--disk name=example-disk,boot=yes \
--csek-key-file example-file.json
API
Create an instance
using the Compute Engine API and provide either the rawKey
or
rsaEncryptedKey
with the disk specification. Make a request to
the v1 API for a raw (non-RSA wrapped) key, or to the Beta API for a
RSA-wrapped key.
Here is a snippet of an example disk specification:
"disks": [
{
"deviceName": "encrypted-disk",
"source": "projects/myproject/zones/us-central1-f/disks/encrypted-disk",
"diskEncryptionKey": {
"rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
}
}
]
Starting or restarting instances that have encrypted disks
For details on stopping or starting an instance that has encrypted disks, read Restarting an instance with an encrypted disk.
Using the command line to create mixed resources
If you want to create a mix of customer-encrypted and standard-encrypted
resources in a single request with the gcloud
command-line tool, you can use
the --csek-key-file
flag with a key file and the
--no-require-csek-key-create
flag in your request. By providing both flags,
gcloud
tool creates any customer-encrypted resources that are explicitly
define in your key file and also creates any standard resources you specify.
For example, assume a key file contains the following:
[ { "uri": "https://www.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks/example-disk", "key": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA==", "key-type": "rsa-encrypted" } ]
If you wanted to create an instance with a customer-encrypted disk using the key file and simultaneously create an instance with a standard-encrypted disk in the same request, you can do so as follows:
gcloud beta compute instances create example-disk example-disk-2 \
--csek-key-file mykeyfile.json --no-require-csek-key-create
Normally, it would not be possible to create example-disk-2
if you just
specified the --csek-key-file
flag because the disk is not explicitly defined
in the key file. By adding the --no-require-csek-key-create
, both disks are
created, one encrypted using the key file, and the other encrypted using
Google encryption.
Remove your customer-supplied encryption key from a persistent disk
You can decrypt the contents of a customer-encrypted disk and create a new disk that uses Compute Engine default encryption instead.
- Create an image of the encrypted disk and specify automatic encryption for the new image.
- Use the new image to create a new persistent disk.
After you create the new persistent disk, it uses Compute Engine default encryption to protect the disk contents. Any snapshots that you create from that disk must also use default encryption.