About disk encryption


By default, Compute Engine encrypts customer content at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. This option is referred to as Google-managed encryption.

However, if you have specific requirements related to compliance or the locality of cryptographic material, you can customize the encryption Compute Engine uses for your resources.

You can customize encryption by providing key encryption keys. Key encryption keys don't directly encrypt your data, but encrypt the Google-generated keys Compute Engine uses to encrypt your data.

You have two options to provide key encryption keys:

  • Recommended. Use Cloud Key Management Service (Cloud KMS) to create and manage the key encryption keys that Compute Engine uses for your resources.

    Keys managed by the Cloud Key Management Service are known as customer-managed encryption keys (CMEKs). After creating a key, you can use it as a disk's key encryption key.

    In most cases, after you create a CMEK-encrypted disk, you don't need to specify the key when working with the disk, because Cloud Key Management Service knows which key you used. The exception to this is creating a disk from a CMEK-encrypted instant snapshot.

  • You can manage your own key encryption keys outside of Compute Engine, and provide the key whenever you create or manage a disk. This option is known as customer-supplied encryption keys (CSEKs). When you manage CSEK-encrypted resources, you must always specify the key you used when encrypting the resource.

For more information, see Customer-managed encryption keys and Customer-supplied encryption keys.

Supported disk types

This section points to the guides for the two customer-key encryption options supported for disks and other storage options offered by Compute Engine.

Encrypt disks with customer-managed encryption keys

For more information about how to use customer-managed encryption keys (CMEK) to encrypt disks and other Compute Engine resources, see Protect resources by using Cloud KMS keys.

Encrypt disks with customer-supplied encryption keys

To learn how to use customer-supplied encryption keys (CSEK) to encrypt disks and other Compute Engine resources, see Encrypting disks with customer-supplied encryption keys.

View information about a disk's encryption

Disks in Compute Engine are encrypted with either Google-managed, customer-managed, or customer-supplied encryption keys. Google-managed encryption is the default.

To view a disk's encryption type, you can use the gcloud CLI, Google Cloud console, or the Compute Engine API.

Console

  1. In the Google Cloud console, go to the Disks page.

  2. In the Name column, click the name of the disk.

  3. In the Properties table, the row labeled Encryption indicates the type of encryption: Google-managed, customer-managed, or customer-supplied.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud compute disks describe command:

        gcloud compute disks describe DISK_NAME \
          --zone=ZONE \
          --format="json(diskEncryptionKey)"
      

    Replace the following:

    • ZONE: the zone where your disk is located.
    • DISK_NAME: the name of the disk.

      Command output

      If the output contains no diskEncryptionKey field (for example, an empty JSON object or null), the disk uses Google-managed encryption, which is the default.

      Otherwise, the output is a JSON object with a diskEncryptionKey field, which means the disk is protected by a key you control. The diskEncryptionKey object indicates whether the disk is CMEK- or CSEK-encrypted:

      • If the diskEncryptionKey.kmsKeyName property is present, the disk is CMEK-encrypted. The kmsKeyName property indicates the name of the specific key used to encrypt the disk:
        {
          "diskEncryptionKey": {
            "kmsKeyName": "projects/my-proj/.."
          }
        }
        
      • If the diskEncryptionKey.sha256 property is present, the disk is CSEK-encrypted. The sha256 property is the base64-encoded SHA-256 hash of the customer-supplied encryption key that protects the disk. Compute Engine does not store the key itself, so this hash is what you compare against the key you hold to confirm which CSEK the disk uses.
          {
            "diskEncryptionKey": {
              "sha256": "abcdefghijk134560459345dssfd"
            }
          }
            

API

Make a GET request to the compute.disks.get method.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/DISK_NAME

Replace the following:

  • PROJECT_ID: your project ID.
  • ZONE: the zone where your disk is located.
  • DISK_NAME: the name of the disk.

Request response

The response is a JSON representation of the disk resource. If it contains no diskEncryptionKey field, the disk uses Google-managed encryption, which is the default.

Otherwise, the presence of the diskEncryptionKey field means the disk is protected by a key you control. The diskEncryptionKey object indicates whether the disk is CMEK- or CSEK-encrypted:

  • If the diskEncryptionKey.kmsKeyName property is present, the disk is CMEK-encrypted. The kmsKeyName property indicates the name of the specific key used to encrypt the disk:
    {
      "diskEncryptionKey": {
        "kmsKeyName": "projects/my-proj/.."
      }
    }
    
  • If the diskEncryptionKey.sha256 property is present, the disk is CSEK-encrypted. The sha256 property is the base64-encoded SHA-256 hash of the customer-supplied encryption key that protects the disk. Compute Engine does not store the key itself, so this hash is what you compare against the key you hold to confirm which CSEK the disk uses.
      {
        "diskEncryptionKey": {
          "sha256": "abcdefghijk134560459345dssfd"
        }
      }
        

If the disk uses CMEK encryption, you can find detailed information about the key, its key ring, and its location by following the steps in View keys by project.

If the disk uses CSEK encryption, contact your organization's administrator for details about the key.
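The classification above is something you usually want to run across every disk in a project rather than one disk at a time, and for CSEK disks you want to confirm that the reported hash matches a key you actually hold. The following Python script is an added example, not code from the Compute Engine documentation: it classifies disk resources (the JSON returned by `gcloud compute disks describe --format=json` or `compute.disks.get`) into Google-managed, CMEK and CSEK using only the diskEncryptionKey field, checks CMEK disks against an allow-list of Cloud KMS keys, and checks CSEK disks against the keys you hold. The disk records, key names and the CSEK itself are constructed for the example. It assumes that the sha256 field is the base64 encoding of SHA-256 over the raw 32-byte key (the bytes you base64-encode when supplying a CSEK), and that a disk's kmsKeyName may carry a /cryptoKeyVersions/N suffix, which it strips before comparing against the allow-list.

```python
"""Audit Compute Engine disks by encryption type.

Added example, not from the Compute Engine documentation. Policy encoded here:
  * Google-managed disks are flagged (the example assumes a customer key is required);
  * CMEK disks must use an allow-listed CryptoKey (version suffix ignored);
  * CSEK disks must match, via the sha256 field, a key you actually hold.
Assumption: diskEncryptionKey.sha256 == base64(SHA-256(raw 32-byte key)).
"""
import base64
import hashlib


def kms_key_without_version(kms_key_name: str) -> str:
    """Strip a trailing /cryptoKeyVersions/N so keys compare at the CryptoKey level."""
    return kms_key_name.split("/cryptoKeyVersions/")[0]


def csek_fingerprint(raw_key: bytes) -> str:
    """Value expected in diskEncryptionKey.sha256 for a CSEK (assumed format, see docstring)."""
    if len(raw_key) != 32:
        raise ValueError("a CSEK is a 256-bit (32-byte) key")
    return base64.b64encode(hashlib.sha256(raw_key).digest()).decode("ascii")


def encryption_type(disk: dict) -> str:
    """Return 'google-managed', 'cmek' or 'csek' for one disk resource."""
    dek = disk.get("diskEncryptionKey") or {}
    if "kmsKeyName" in dek:
        return "cmek"
    if "sha256" in dek:
        return "csek"
    # No diskEncryptionKey field at all: the default, Google-managed encryption.
    return "google-managed"


def audit(disks, allowed_kms_keys, held_csek_keys):
    """Return one finding per disk as (name, type, ok, reason)."""
    allowed = {kms_key_without_version(k) for k in allowed_kms_keys}
    held = {csek_fingerprint(k) for k in held_csek_keys}
    findings = []
    for disk in disks:
        kind = encryption_type(disk)
        dek = disk.get("diskEncryptionKey") or {}
        if kind == "google-managed":
            ok, reason = False, "Google-managed key; policy requires a customer key"
        elif kind == "cmek":
            key = kms_key_without_version(dek["kmsKeyName"])
            ok = key in allowed
            reason = f"kmsKeyName {key} is " + ("allow-listed" if ok else "NOT allow-listed")
        else:
            ok = dek["sha256"] in held
            reason = "sha256 matches a held CSEK" if ok else "sha256 matches no held CSEK"
        findings.append((disk["name"], kind, ok, reason))
    return findings


# --- Constructed sample input (hypothetical disks, projects and keys) --------
# A CSEK we "hold"; derived deterministically so the example is reproducible.
HELD_CSEK = hashlib.sha256(b"constructed example key - never use in production").digest()
ALLOWED_KMS_KEYS = [
    "projects/my-proj/locations/us-central1/keyRings/prod-ring/cryptoKeys/disk-key",
]
# Shaped like `gcloud compute disks list --format=json`, trimmed to the fields used here.
SAMPLE_DISKS = [
    {"name": "web-boot"},
    {"name": "db-data",
     "diskEncryptionKey": {"kmsKeyName": ALLOWED_KMS_KEYS[0] + "/cryptoKeyVersions/3"}},
    {"name": "dev-scratch",
     "diskEncryptionKey": {"kmsKeyName":
         "projects/other-proj/locations/us-central1/keyRings/dev-ring/cryptoKeys/dev-key"}},
    {"name": "legacy-data",
     "diskEncryptionKey": {"sha256": csek_fingerprint(HELD_CSEK)}},
]

if __name__ == "__main__":
    for name, kind, ok, reason in audit(SAMPLE_DISKS, ALLOWED_KMS_KEYS, [HELD_CSEK]):
        print(f"{'OK  ' if ok else 'FAIL'} {name:<12} {kind:<15} {reason}")
```

To run this against real disks, replace SAMPLE_DISKS with `json.load` of the output of `gcloud compute disks list --format=json` (or `--project=PROJECT_ID` for another project); `audit` needs only the name and diskEncryptionKey fields. Keeping the allow-list at the CryptoKey level rather than a specific version lets key rotation proceed without changing the policy, while still catching disks wrapped by a key ring in the wrong project.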

What's next