Using customer-managed encryption keys

Container Registry stores container images in Cloud Storage. Cloud Storage always encrypts your data on the server side.

If you have compliance or regulatory requirements, you can encrypt your container images using customer-managed encryption keys (CMEK). CMEK keys are managed in Cloud Key Management Service. When you use CMEK, you can temporarily or permanently disable access to an encrypted container image by disabling or destroying the key.

Organization policy constraints

Organization policy constraints can affect usage of Container Registry when they apply to services that Container Registry uses.

Constraints for storage buckets

  • When the Cloud Storage API is in the Deny policy list for the constraint constraints/gcp.restrictNonCmekServices, you cannot push images to Container Registry. Container Registry does not use CMEK to create storage buckets when the first image is pushed to a host, and you cannot create the storage buckets manually.

    If you need to enforce this organization policy constraint, consider hosting your images in Artifact Registry instead. You can manually create repositories in Artifact Registry that support requests to the gcr.io domain so that you can continue to use your existing container image workflows. For details, see Transition to repositories with gcr.io domain support.

  • When constraints/gcp.restrictCmekCryptoKeyProjects is configured, storage buckets must be encrypted with a CryptoKey from an allowed project, folder, or organization. New buckets will use the configured key, but existing buckets that are not compliant must be configured to use the required key by default.

For more information about how constraints apply to Cloud Storage buckets, see the Cloud Storage documentation about constraints.

Constraints for Pub/Sub topics

When you activate the Container Registry API in a Google Cloud project, Container Registry tries to automatically create a Pub/Sub topic with the topic ID gcr using Google-managed encryption keys.

When the Pub/Sub API is in the Deny policy list for the constraint constraints/gcp.restrictNonCmekServices, topics must be encrypted with CMEK. Requests to create a topic without CMEK encryption will fail.

To create the gcr topic with CMEK encryption, see the Pub/Sub instructions for encrypting topics.

Configuring buckets to use CMEK

Container Registry is not directly integrated with Cloud KMS. Instead, it is CMEK-compliant when you store your container images in storage buckets configured to use CMEK.

  1. If you have not already done so, push an image to Container Registry so that the storage bucket for the host is created. At this point the bucket does not use a CMEK key yet.

  2. In Cloud Storage, configure the storage bucket to use the CMEK key.

The bucket name for a registry host has one of the following formats:

  • artifacts.PROJECT-ID.appspot.com for images stored on the host gcr.io.
  • STORAGE-REGION.artifacts.PROJECT-ID.appspot.com for images stored on asia.gcr.io, eu.gcr.io, or us.gcr.io.
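As an added example that is not part of the Container Registry documentation, the following POSIX shell script derives the backing bucket name for a registry host using the rule above and emits the gsutil commands for step 2 (authorize the project's Cloud Storage service agent on the key, then set the key as the bucket default); the function names and the sample project, host and key values are assumptions.

```shell
#!/bin/sh
# Derive the Cloud Storage bucket that backs a Container Registry host
# (naming rule from the list above) and emit the gsutil commands that
# point that bucket at a CMEK key. Function names and sample values are
# assumptions, not values from the documentation.
set -eu

# Print the bucket name for HOST and PROJECT_ID; fail on an unknown host.
gcr_bucket_name() {
  host=$1; project=$2
  case "$host" in
    gcr.io) echo "artifacts.${project}.appspot.com" ;;
    asia.gcr.io|eu.gcr.io|us.gcr.io)
      region=${host%%.gcr.io}
      echo "${region}.artifacts.${project}.appspot.com" ;;
    *) echo "unknown Container Registry host: $host" >&2; return 1 ;;
  esac
}

# Print the commands that (1) grant the project's Cloud Storage service
# agent permission to use KEY, (2) make KEY the bucket's default
# encryption key, and (3) read the setting back to verify it.
# KEY is a full Cloud KMS resource name
# (projects/P/locations/L/keyRings/R/cryptoKeys/K).
gcr_cmek_commands() {
  project=$1; host=$2; key=$3
  bucket=$(gcr_bucket_name "$host" "$project") || return 1
  cat <<EOF
gsutil kms authorize -p ${project} -k ${key}
gsutil kms encryption -k ${key} gs://${bucket}
gsutil kms encryption gs://${bucket}
EOF
}

# Stand-alone run: DRY_RUN=1 (default) only prints the commands; set
# DRY_RUN=0 and pass PROJECT HOST KEY with an authenticated Cloud SDK
# to apply them.
# Caveat: a bucket default key only covers objects written after it is
# set; image layers pushed earlier keep the key they were written with.
if [ "${DRY_RUN:-1}" = 1 ]; then
  gcr_cmek_commands my-project eu.gcr.io \
    projects/my-kms-project/locations/europe/keyRings/gcr-ring/cryptoKeys/gcr-key
else
  gcr_cmek_commands "$@" | sh -e
fi
```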
