Security best practices

This page describes best practices for securing your Google Distributed Cloud Edge installation.

Physical hardware security

You are responsible for the physical security of the Distributed Cloud Edge hardware, such as limiting access to authorized personnel.

The Distributed Cloud Edge Rack form factor has the following security features:

  • Access to the hardware installed on the rack is possible only through the front and back rack doors.
  • The rack cannot be easily disassembled. There are no externally accessible structural fasteners such as screws, nuts, latches, or rivets.
  • The rack doors are equipped with key locks. Google supplies you with a copy of the key and retains a copy for safe keeping.
  • For multi-rack installations, all rack locks are keyed identically.
  • The rack doors have perforated tamper-proof metal mesh for ventilation.
  • During installation, the rack is securely bolted to the installation site floor by using its shipping braces and brackets.

The Distributed Cloud Edge Server form factor has the following security features:

  • An intrusion sensor. If an unauthorized party physically opens the machine, you and Google are immediately notified of the physical intrusion.

If you have further questions about the security of the physical rack, contact your Google Cloud sales representative.

Platform security

The Distributed Cloud Edge hardware platform has the following security features:

  • Trusted Platform Module (TPM). The TPM is the root of trust that generates and stores encryption keys for all data stored on as well as received and transmitted by Distributed Cloud Edge.

  • Platform certificate. The platform certificate is a cryptographically secure record of manufacturing and TPM identity. The certificate acts as proof of supply chain integrity for Distributed Cloud Edge hardware.

  • Port lockdown. All external and internal ports other than Ethernet ports, such as USB and RS-232 console ports, are disabled at the firmware level and enabled only for servicing.

Local storage security

Distributed Cloud Edge hardware ships with the following types of internal storage depending on the form factor:

  • Distributed Cloud Edge Racks ship with Solid State Disk (SSD) drives.
  • Distributed Cloud Edge Servers ship with Self-Encrypting Disk (SED) drives.

Distributed Cloud Edge uses Linux Unified Key Setup (LUKS) to encrypt the logical volumes on each Distributed Cloud Edge node. You have the option to use customer-managed encryption keys (CMEK) or Google-managed keys to wrap the LUKS disk encryption key (DEK). When you assign a node to a node pool, the node generates a LUKS DEK and wraps it in either a Google-managed LUKS passphrase, also known as the key encryption key (KEK), or one provided by you through Cloud KMS. You can choose whether to use Cloud KMS when creating a node pool. Distributed Cloud Edge integrates with Cloud KMS by using the envelope encryption model.

Distributed Cloud Edge automatically rotates the LUKS and SED passphrases on a regular schedule.

Additionally, each Distributed Cloud Edge machine does the following on every cold start:

  • If you are not using Cloud KMS, the machine generates a new KEK (LUKS passphrase) and sets up encrypted storage from the beginning.

  • If you are using Cloud KMS, the machine fetches the KEK from Cloud KMS and unlocks the existing logical volumes that hold your data.

Enable support for customer-managed encryption keys (CMEK) for local storage

To enable Cloud KMS integration with Distributed Cloud Edge, complete the following steps:

  1. Create a keyring, a symmetric key, and one or more key versions to use with Distributed Cloud Edge. You must create these artifacts in the same Google Cloud region as your Distributed Cloud Edge installation. For instructions, see Create a key.

  2. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Distributed Cloud Edge Service Account in your Google Cloud project. You must do this for each key version that you want to use with Distributed Cloud Edge. If you revoke this role after you integrate your Distributed Cloud Edge installation with Cloud KMS, you lose access to data stored on the Distributed Cloud Edge machines.

  3. Create a node pool by using the --local-disk-kms-key flag, and provide the full path to the key version that you want to use with that node pool.

  4. Create a cluster by using the --control-plane-kms-key flag, and provide the full path to the key version that you want to use with the node running the cluster's control plane.

  5. Optionally, use the --offline-reboot-ttl flag when creating your cluster to specify a time window during which nodes that have been rebooted can rejoin the cluster while the cluster is running in survivability mode. If you do not specify this window, rebooted nodes cannot rejoin the cluster until it exits survivability mode.

    CAUTION: If you specify a reboot timeout window, nodes that have gone offline can reboot and rejoin the cluster during that window even if you disable or delete the storage key.

For more information, see Customer-managed encryption keys (CMEK) in the Cloud KMS documentation.
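The following POSIX shell script is an added example, not part of the Google documentation. It composes the full key-version resource path that the --local-disk-kms-key and --control-plane-kms-key flags take, enforces the same-region requirement from step 1, and prints (rather than runs) the gcloud commands for steps 1 through 5 so they can be reviewed first. The service-account address, the --offline-reboot-ttl value format, and every gcloud flag other than the three named on this page are assumptions to verify against your project and the gcloud reference.

```shell
#!/bin/sh
# Added example (not Google's code). Builds the Cloud KMS key-version path,
# checks the key's region against the installation region, and prints the
# gcloud commands for the CMEK enablement steps instead of running them.

# Full Cloud KMS key-version resource name from its five components.
kms_key_version_path() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Step 1 requirement: the key must live in the installation's region.
# Returns 0 on match, 1 otherwise.
check_same_region() {
  [ "$1" = "$2" ]
}

# Print the commands for steps 1-5. Arguments, in order:
#   project install_region key_location keyring key version edge_sa cluster pool ttl
# edge_sa is a placeholder for the Distributed Cloud Edge service account;
# flags other than the three named on this page are assumptions to verify.
plan_cmek_setup() {
  project=$1 region=$2 key_loc=$3 ring=$4 key=$5 ver=$6
  edge_sa=$7 cluster=$8 pool=$9 ttl=${10}
  check_same_region "$region" "$key_loc" || { echo "key region $key_loc != $region" >&2; return 1; }
  keypath=$(kms_key_version_path "$project" "$key_loc" "$ring" "$key" "$ver")
  cat <<EOF
# Step 1: keyring and symmetric key in the installation's region
gcloud kms keyrings create $ring --project $project --location $key_loc
gcloud kms keys create $key --keyring $ring --location $key_loc --project $project --purpose encryption
# Step 2: let the Distributed Cloud Edge service account wrap/unwrap the LUKS DEK
gcloud kms keys add-iam-policy-binding $key --keyring $ring --location $key_loc --project $project \\
  --member serviceAccount:$edge_sa --role roles/cloudkms.cryptoKeyEncrypterDecrypter
# Steps 4-5: cluster whose control-plane node uses the key, with a bounded offline reboot window
gcloud edge-cloud container clusters create $cluster --location $region --project $project \\
  --control-plane-kms-key $keypath --offline-reboot-ttl $ttl
# Step 3: node pool in that cluster whose local disks are wrapped with the key
gcloud edge-cloud container node-pools create $pool --cluster $cluster --location $region \\
  --project $project --local-disk-kms-key $keypath
EOF
}

# Constructed sample values; replace EDGE_SA_PLACEHOLDER with the real account
# and 24h with a TTL in the format the gcloud reference documents.
plan_cmek_setup my-project us-central1 us-central1 edge-ring edge-key 1 \
  EDGE_SA_PLACEHOLDER edge-cluster edge-pool 24h
```

Revoking the binding created in step 2 after the node pool is in use makes the wrapped LUKS DEK unrecoverable, as the page notes, so treat that command as irreversible in production.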

Data recovery and backups

You are responsible for maintaining functioning redundant backups of all the data that you choose to store on Distributed Cloud Edge hardware and exporting that data when you choose to return Distributed Cloud Edge hardware to Google.

Any data still present on the Distributed Cloud Edge hardware when it is returned to Google is wiped. If a failure of Distributed Cloud Edge hardware occurs and Google performs on-site repairs, all storage media is removed from the Distributed Cloud Edge machine being serviced and is either placed into your custody for the duration of the repair or securely wiped and then sent for destruction. Google securely sanitizes and destroys all storage devices removed from Distributed Cloud Edge hardware that has been returned to Google as a result of a repair or decommissioning.

Network security

Network traffic between Distributed Cloud Edge hardware and Google Cloud is encrypted using either MASQUE tunnels or TLS that use per-machine certificates. Distributed Cloud Edge automatically rotates these certificates on a regular schedule.

Your business requirements and your organization's network security policy dictate the steps necessary to secure network traffic that flows in and out of your Distributed Cloud Edge installation. In addition, we recommend the following:

  • Allow only inbound connections to virtual IP address pools exposed by the Distributed Cloud Edge built-in load balancer and to Distributed Cloud Edge subnetworks.

  • Disallow inbound connections from external network resources to subnetworks that serve the system management and service management layers.

  • Disallow inbound connections from external network resources to IP addresses of local control plane endpoints. For more information, see Survivability mode.

For more information about how to prepare your local network for connecting Distributed Cloud Edge hardware, see Networking.
