Use customer-managed encryption keys (CMEK) for continuous migrations

Overview

This page describes how customer-managed encryption keys (CMEK) work with Database Migration Service migration jobs.

Is CMEK right for you?

CMEK is intended for organizations that have sensitive or regulated data that requires them to manage their encryption keys.

Google-managed encryption versus customer-managed encryption

The CMEK feature lets you use your own cryptographic keys for data transported by Database Migration Service. After adding CMEK, whenever an API call is made, Database Migration Service uses your key to access data.

CMEK, including software, hardware, and external keys, are all managed through the Cloud Key Management Service (KMS) API.

Which locations support CMEK-enabled Database Migration Service migration jobs?

CMEK is available in all Database Migration Service locations.

Understand service accounts

When your Database Migration Service migration jobs have CMEK enabled, you need to use a service account to request key access from Cloud Key Management Service.

To use a CMEK on a project, you must have a service account and you must grant the key access to the service account. The service account must exist inside of the project. The service account is visible in all regions.

Understand keys

In Cloud Key Management Service, you need to create a keyring with a cryptographic key, set with a location. When you create a new migration job in Database Migration Service, you select this key to encrypt the migration job.

You need to know the key ID and key region when you create new migration jobs that use CMEK. You must put the destination databases in the same region as the CMEK associated with the migration job. You can create one project for both keys and destination databases, or different projects for each.

CMEK uses the following format:

projects/[CMEK_ENABLED_PROJECT]/locations/[REGION]/keyRings/[RING_NAME]/cryptoKeys/[KEYNAME]

How do you make CMEK-encrypted data inaccessible permanently?

You might have situations where you want to permanently destroy data encrypted with CMEK. To do this, you destroy the CMEK version. You can't destroy the keyring or key, but you can destroy key versions of the key.

Restrictions

The following restrictions apply when using CMEK:

You can't update CMEK on a running migration job.
Although you can use CMEK to encrypt data from the source database, you can't use these keys to encrypt any migration job metadata, such as the migration job ID, IP address of the source database, and so on.

Use CMEK

Now that you understand CMEK, you're ready to set up a service account and keys for CMEK. In addition, you'll learn how to set up a migration job to use CMEK. To learn more about CMEK, see Overview.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Install and initialize the Cloud SDK.
Make sure that you have the Database Migration Admin role assigned to your user account.
Go to the IAM page
Enable the Cloud Key Management Service API.
Enable the API

Enable the Database Migration Service API.
Enable the API

Workflow to create migration jobs in Database Migration Service with CMEK

gcloud and API users only: Make sure that you have a service account for each project that requires CMEK. For more information, see Create a service account.
Create a keyring and key, and set the location for each key. The location is the Google Cloud region.
Grant the key access to the service account.
Copy or write down the key ID (KMS_KEY_ID) and location for the key, and the ID (KMS_KEYRING_ID) for the keyring. You need this information when granting the key access to the service account.
Go to a project, create a migration job in Database Migration Service, and use your CMEK in the Advanced encryption options section.

Your migration job in Database Migration Service is now enabled with CMEK.

Create a service account

You need to create a service account for each project that requires CMEK.

To allow a user to manage service accounts, grant one of the following roles:

Service Account User (roles/iam.serviceAccountUser): Includes permissions to list service accounts, get details about a service account, and impersonate a service account.
Service Account Admin (roles/iam.serviceAccountAdmin): Includes permissions to list service accounts and get details about a service account. Also includes permissions to create, update, and delete service accounts, and to view or change the Database Migration Service for Oracle to PostgreSQL policy on a service account.

Currently, you can use only gcloud commands to create the type of service account you need for CMEK.

To create a service account with gcloud, run the following command:

gcloud beta services identity create \
--service=datamigration.googleapis.com\
--project=PROJECT_ID

The previous command returns a service account name. You use this service account name during the procedure in Grant the key access to the service account.

Create a key

You can create the key in the same Google Cloud project as the migration job in Database Migration Service, or in a separate user project. The Cloud KMS key ring location must match the region of your destination database associated with the migration job. A multi-region or global region key isn't supported. If the regions don't match, then you can't create the migration job.

If you destroy the key version that Database Migration Service uses to encrypt data, the associated migration job changes its status to FAILED. For more information on migration job states, see Migration job statuses.

To create a Cloud KMS key:

Console

In the Google Cloud console, go to the Cryptographic keys page.
Click Create key ring.
Add a Key ring name. Note this name because you need it when granting the key access to the service account.
Add a Key ring location.
Click Create. The Create key page opens.
Add a Key name.
Select a Purpose (symmetric or asymmetric).
Select a Rotation period and Starting on date.
Click Create.
On the Keys table, click the three dots in the last column, and select Copy Resource ID or write it down. This is the KMS_KEY_ID. You need the KMS_KEY_ID when granting the key access to the service account.

gcloud

Create a new key ring.
```
gcloud kms keyrings create KMS_KEYRING_ID \
--location=REGION
  
```
Write down this name because you need it when granting the key access to the service account.
Create a key on the key ring.
```
gcloud kms keys create KMS_KEY_ID \
--location=REGION \
--keyring=KMS_KEYRING_ID \
--purpose=encryption
  
```
Write down this name because you need it when granting the key access to the service account.

Grant the key access to the service account

You only need to perform this procedure if you're using gcloud or the API.

To grant access to the service account, use the following code:

gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
--location=REGION \
--keyring=KMS_KEYRING_ID \
--member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-datamigration.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Create a migration job in Database Migration Service with CMEK

As part of creating a migration job in Database Migration Service, you can use your CMEK to manage the encryption of your data.

Disable and re-enable key versions

See the following topics: