Security best practices

This page describes best practices for securing your Google Distributed Cloud Edge installation.

Physical hardware security

You are responsible for the physical security of the Distributed Cloud Edge rack, such as limiting access to authorized personnel. The Distributed Cloud Edge rack itself has the following security features:

  • Access to the hardware installed on the rack is possible only through the front and back rack doors.
  • The rack cannot be easily disassembled. There are no externally accessible structural fasteners such as screws, nuts, latches, or rivets.
  • The rack doors are equipped with key locks. Google supplies you with a copy of the key and retains a copy for safe keeping.
  • For multi-rack installations, all rack locks are keyed identically.
  • The rack doors have perforated tamper-proof metal mesh for ventilation.
  • During installation, the rack is securely bolted to the installation site floor by using its shipping braces and brackets.

If you have further questions about the security of the physical rack, contact your Google Cloud sales representative.

Local storage security

Distributed Cloud Edge uses Linux Unified Key Setup (LUKS) to encrypt the logical volumes on each Distributed Cloud Edge node. You have the option to use customer-managed encryption keys (CMEK) or Google-managed keys to wrap the LUKS disk encryption key (DEK). When you assign a node to a node pool, the node generates a LUKS DEK and wraps it in either a Google-managed LUKS passphrase, also known as the key encryption key (KEK), or one provided by you through Cloud KMS. You can choose whether to use Cloud KMS when creating a node pool. Distributed Cloud Edge integrates with Cloud KMS by using the envelope encryption model.

Additionally, each Distributed Cloud Edge machine does the following on every cold start:

  • If you are not using Cloud KMS, the machine generates a new KEK (LUKS passphrase) and sets up encrypted storage from the beginning.

  • If you are using Cloud KMS, the machine fetches the KEK from Cloud KMS and unlocks the existing logical volumes that hold your data.

Enable support for customer-managed encryption keys (CMEK) for local storage

To enable Cloud KMS integration with Distributed Cloud Edge, complete the following steps:

  1. Create a keyring, a symmetric key, and one or more key versions to use with Distributed Cloud Edge. You must create these artifacts in the same Google Cloud region as your Distributed Cloud Edge installation. For instructions, see Create a key.

  2. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Distributed Cloud Edge Service Account in your Google Cloud project. You must do this for each key version that you want to use with Distributed Cloud Edge. If you revoke this role after you integrate your Distributed Cloud Edge installation with Cloud KMS, you lose access to data stored on the Distributed Cloud Edge machines.

  3. Create a node pool by using the --local-disk-kms-key flag, and provide the full path to the key version that you want to use with that node pool.

  4. Create a cluster by using the --control-plane-kms-key flag, and provide the full path to the key version that you want to use with the node running the cluster's control plane.

For more information, see Customer-managed encryption keys (CMEK) in the Cloud KMS documentation.
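The four steps above as a POSIX shell script, added here as an example that is not part of this page or of the Distributed Cloud Edge documentation. The gcloud kms commands are standard; the two edge-cloud commands show only the KMS flags named above and omit the other flags those commands require; every name is a placeholder, and GDCE_SA is assumed to be the Distributed Cloud Edge Service Account of your project.

```shell
#!/bin/sh
# Added example, not from the page: the CMEK steps as shell functions.
# Names are placeholders; the service account argument must be the
# Distributed Cloud Edge Service Account of your project (assumption).
# The edge-cloud commands show only the KMS flags the page names; the other
# flags they require are omitted. DRY_RUN=1 prints commands instead of running them.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Full resource name of a key version, the value both edge-cloud flags expect.
key_version_path() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Extract one component (locations, keyRings, cryptoKeys) from such a path.
path_field() { printf '%s\n' "$1" | sed -n "s#.*/$2/\([^/]*\).*#\1#p"; }

# Step 1: keyring plus symmetric key in the installation's region ($2).
# Cloud KMS creates key version 1 together with the key.
create_key() {
  run gcloud kms keyrings create "$3" --project="$1" --location="$2"
  run gcloud kms keys create "$4" --project="$1" --location="$2" \
    --keyring="$3" --purpose=encryption
}

# Steps 2 to 4 for an installation in region $2 using key version $3.
# Refuses a key from another region, which the page requires to match.
enable_cmek() {
  project=$1 region=$2 key_path=$3 gdce_sa=$4 cluster=$5 pool=$6
  key_region=$(path_field "$key_path" locations)
  if [ "$key_region" != "$region" ]; then
    echo "key is in '$key_region' but the installation is in '$region'" >&2
    return 1
  fi
  # Step 2: grant the role on the key. Revoking it later makes node data unreadable.
  run gcloud kms keys add-iam-policy-binding "$(path_field "$key_path" cryptoKeys)" \
    --project="$project" --location="$region" --keyring="$(path_field "$key_path" keyRings)" \
    --member="serviceAccount:$gdce_sa" --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  # Steps 3 and 4: wrap the LUKS DEKs of the control plane node and of the node pool.
  # The cluster is created first because node-pools create takes --cluster.
  run gcloud edge-cloud container clusters create "$cluster" --project="$project" \
    --location="$region" --control-plane-kms-key="$key_path"
  run gcloud edge-cloud container node-pools create "$pool" --project="$project" \
    --location="$region" --cluster="$cluster" --local-disk-kms-key="$key_path"
}
```

Call `create_key` and then `enable_cmek` with the path returned by `key_version_path`; run once with DRY_RUN=1 to review the commands before executing them.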

Data recovery and backups

You are responsible for maintaining functioning redundant backups of all the data that you choose to store on Distributed Cloud Edge hardware, and for exporting that data when you choose to return Distributed Cloud Edge hardware to Google.

Any data still present on the Distributed Cloud Edge hardware when it is returned to Google is wiped. If a failure of Distributed Cloud Edge hardware occurs and Google performs on-site repairs, all storage media are removed from the Distributed Cloud Edge machine being serviced and are placed into your custody for the duration of the repair.

Network security

Your business requirements and your organization's network security policy dictate the steps necessary to secure network traffic that flows in and out of your Distributed Cloud Edge installation. In addition, we recommend the following:

  • Allow only inbound connections to virtual IP address pools exposed by the Distributed Cloud Edge built-in load balancer and to Distributed Cloud Edge subnetworks.

  • Disallow inbound connections from external network resources to subnetworks that serve the system management and service management layers.

  • Disallow inbound connections from external network resources to IP addresses of local control plane endpoints. For more information, see Survivability mode.

For more information about how to prepare your local network for connecting Distributed Cloud Edge hardware, see Networking.
