Encrypt data with customer-managed encryption keys

This page shows you how to encrypt your Filestore data on Enterprise tier instances using your own encryption keys.

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you need more control over the keys that protect your data, you can use customer-managed encryption keys (CMEK) for Filestore.

For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.

Create a key ring and key to use with your instance

If you already have a Cloud KMS key ring and key that you want to use with Filestore, skip to the next section. Otherwise, follow the instructions on Creating symmetric encryption keys to create a key ring and key.

Grant key access permission to the Filestore service account

Before you can create a Filestore instance that uses a customer-managed encryption key, the Filestore service agent must have the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter). If your project does not have a Filestore instance, the Filestore service account is created when a Filestore quota increase request is granted.

Assign the Filestore service account the Cloud KMS CryptoKey Encrypter/Decrypter role by running:

gcloud projects add-iam-policy-binding KMS_PROJECT_NUMBER_OR_ID \
    --member serviceAccount:service-INSTANCE_PROJECT_NUMBER@cloud-filer.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:

  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project that contains the Cloud KMS key that you want to use.
  • INSTANCE_PROJECT_NUMBER with the project number (not the project ID) of the project where you want to create the Filestore instance.

Create an instance that uses your Cloud KMS key

To create a Filestore instance that uses your Cloud KMS key for data encryption, specify the --kms-key flag in the filestore instances create command:

gcloud beta filestore instances create nfs-server \
    --tier=ENTERPRISE \
    --location=us-central1 \
    --file-share=name="vol1",capacity=1TiB \
    --network=name="default" \
    --kms-key=KMS_KEY

Replace KMS_KEY with the fully qualified name of the Cloud KMS key that you want to use. Alternatively, you can specify each argument separately in the format:

--kms-key=KMS_KEY --kms-keyring=KMS_KEY_RING --kms-location=KMS_REGION --kms-project=KMS_PROJECT_NUMBER_OR_ID

Replace the following:

  • KMS_KEY with the name of the Cloud KMS key.
  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project where the key is created.
  • KMS_KEY_RING with the name of the key ring.
  • KMS_REGION with the region of the key ring.
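The following script is an added example and is not part of the Filestore documentation or the gcloud tooling. It wraps the two steps above (granting the service agent the Encrypter/Decrypter role, then creating the instance) in helper functions that validate the inputs first: the service agent address is derived from the project number, so a project ID is rejected, and the key name passed to --kms-key is checked for the exact shape shown on this page. POSIX sh is assumed; every project, ring, key and instance name is a placeholder, and the instance is assumed to live in the same region as the key.

```shell
#!/bin/sh
# Added example, not part of the Filestore documentation: validates the inputs
# the two steps above need (service-agent grant, then instance creation) before
# any gcloud command runs. Assumptions: POSIX sh; gcloud is on PATH only when
# the guarded block at the bottom actually executes; every project, ring and
# key name is a placeholder you supply.

# The Filestore service agent is derived from the project *number*; a project
# ID (e.g. "my-project") produces an address that does not exist, and the IAM
# binding would then protect nothing. Reject non-numeric input up front.
filestore_service_agent() {
  case "$1" in
    ''|*[!0-9]*) echo "error: project number must be numeric, got '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@cloud-filer.iam.gserviceaccount.com\n' "$1"
}

# Assemble the fully qualified key name that --kms-key expects from its parts.
kms_key_name() {
  # $1 KMS project number or ID, $2 location, $3 key ring, $4 key
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] || return 1
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Accept only a key name of the exact shape shown on this page: eight path
# segments, none empty, and not a cryptoKeyVersion (Filestore binds to the key,
# not to one version of it).
is_kms_key_name() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | awk -F/ '
    NF != 8 { exit 1 }
    { for (i = 1; i <= NF; i++) if ($i == "") exit 1 }
  '
}

# Usage: sh cmek_create.sh KMS_PROJECT INSTANCE_PROJECT_NUMBER KMS_REGION KMS_KEY_RING KMS_KEY
# The gcloud calls run only when all five arguments are given, so the helpers
# above can be sourced or tested without gcloud installed.
if [ "$#" -eq 5 ]; then
  agent=$(filestore_service_agent "$2") || exit 1
  key=$(kms_key_name "$1" "$3" "$4" "$5") || exit 1
  is_kms_key_name "$key" || exit 1
  # Step 1 (from this page): grant the service agent Encrypter/Decrypter.
  gcloud projects add-iam-policy-binding "$1" \
    --member "serviceAccount:$agent" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  # Step 2 (from this page): create the Enterprise instance bound to the key.
  # Placeholder choice: the instance is created in the key's region ($3).
  gcloud beta filestore instances create nfs-server \
    --tier=ENTERPRISE \
    --location="$3" \
    --file-share=name="vol1",capacity=1TiB \
    --network=name="default" \
    --kms-key="$key"
fi
```

The page binds the role at project level; if you want the grant scoped to the key itself, `gcloud kms keys add-iam-policy-binding` takes the same --member and --role together with --keyring and --location. That is an alternative to the step above, not a change to it.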

Get a list of keys

You can get a list of keys by running:

gcloud kms keys list \
    --project=KMS_PROJECT_NUMBER_OR_ID \
    --keyring=KEY_RING \
    --location=KMS_REGION

Replace the following:

  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project where the key is created.
  • KEY_RING with the name of the key ring.
  • KMS_REGION with the region of the key ring.

The Name column of the output gives the fully qualified name of existing keys. For example:

projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key

Get instance information

List instances that use a particular Cloud KMS key

You can list Filestore instances that use a particular key by running:

gcloud beta filestore instances list --filter="kmsKeyName=KMS_KEY"

Replace KMS_KEY with the fully qualified name of the key that you want to use.

Example:

gcloud beta filestore instances list \
    --filter="kmsKeyName=projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"

The output looks like:

INSTANCE_NAME LOCATION    TIER       CAPACITY_GB FILE_SHARE_NAME IP_ADDRESS   STATE CREATE_TIME
nfs-server    us-central1 ENTERPRISE 1024        vol1            10.166.108.2 READY 2021-08-12T11:38:56

Get Cloud KMS key information for an instance

To get Cloud KMS key information for a Filestore instance, run:

gcloud beta filestore instances describe INSTANCE_ID \
    --location=INSTANCE_LOCATION

Replace the following:

  • INSTANCE_ID with the instance ID of the Filestore instance that you want to get information about.
  • INSTANCE_LOCATION with the region or zone where the instance is located.

The output looks like:

createTime: '2021-08-12T11:38:56.851157387Z'
fileShares:
- capacityGb: '1024'
  name: vol1
kmsKeyName: projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key
labels:
  key: val
name: projects/consumer-project/locations/us-central1/instances/nfs-server
networks:
- ipAddresses:
  - 10.0.100.2
  modes:
  - MODE_IPV4
  network: network
  reservedIpRange: 10.166.108.0/23
state: READY
tier: ENTERPRISE

Disable or destroy a Cloud KMS key that's used by an instance

Filestore does not monitor the status of your Cloud KMS keys. If a key or a key version is disabled or destroyed, the Filestore instance continues to serve data but can fail at any moment due to key unavailability.

To ensure that access to the data is blocked after a key is disabled or destroyed, reach out to Google Support and make a request to stop the instance.

Once an instance is stopped, all access to file share data and any snapshots is blocked. Stopped instances continue to be billed until they're deleted.

Starting a stopped instance

Before you can start a stopped Filestore instance that uses a Cloud KMS key for data encryption, you must first enable or restore all key versions. If an instance is stopped for more than four weeks, starting it again is done on a best-effort basis and might not be possible.
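Because Filestore does not monitor key state, the two warnings above both reduce to checks an operator should run by hand: before disabling or destroying a key, confirm that no instance still references it; before requesting a start of a stopped instance, confirm that every key version is ENABLED. The script below is an added example, not code from the Filestore documentation. It parses the tabular output of the `instances list --filter` command shown earlier on this page and, as an assumption, the default NAME/STATE columns of `gcloud kms keys versions list`; the sample outputs embedded in it are constructed, and gcloud is only invoked when a mode and a fully qualified key name are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the Filestore documentation: pre-flight checks for
# (1) disabling or destroying a key and (2) starting a stopped instance.
# Assumptions: default tabular output of the two gcloud commands named below;
# gcloud only runs when "$1" is a mode and "$2" a fully qualified key name.

# Parse `gcloud beta filestore instances list --filter="kmsKeyName=KEY"` output
# (format shown on this page) from stdin; prints "NAME LOCATION STATE" for each
# instance and returns 1 when nothing references the key.
instances_using_key() {
  awk 'NR > 1 && NF >= 7 { print $1, $2, $7; n++ }
       END { if (n) exit 0; exit 1 }'
}

# Parse `gcloud kms keys versions list` output from stdin (assumed columns:
# NAME STATE); prints every version that is not ENABLED and returns 1 when at
# least one such version exists, 0 when all versions are ENABLED.
non_enabled_versions() {
  awk 'NR > 1 && NF >= 2 && $2 != "ENABLED" { print $1, $2; n++ }
       END { if (n) exit 1; exit 0 }'
}

# Constructed samples mirroring the output formats described above.
SAMPLE_INSTANCES='INSTANCE_NAME LOCATION    TIER       CAPACITY_GB FILE_SHARE_NAME IP_ADDRESS   STATE CREATE_TIME
nfs-server    us-central1 ENTERPRISE 1024        vol1            10.166.108.2 READY 2021-08-12T11:38:56'
SAMPLE_VERSIONS='NAME STATE
projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/1 DISABLED
projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key/cryptoKeyVersions/2 ENABLED'

# Usage: sh cmek_precheck.sh pre-disable KEY    (KEY = fully qualified key name)
#        sh cmek_precheck.sh pre-start   KEY
case "$1" in
  pre-disable)
    if gcloud beta filestore instances list --filter="kmsKeyName=$2" | instances_using_key; then
      echo "refusing: the instances above still use $2" >&2
      exit 1
    fi
    echo "no instances reference $2" ;;
  pre-start)
    # Assumes gcloud accepts the fully qualified key name for --key.
    if ! gcloud kms keys versions list --key="$2" | non_enabled_versions; then
      echo "enable or restore the versions above before requesting a start" >&2
      exit 1
    fi
    echo "all versions of $2 are ENABLED" ;;
esac
```

Run `pre-disable` as the gate in whatever change process disables or destroys key versions; a stopped instance should be requested from Support only once that gate passes, and `pre-start` tells you which versions still need enabling or restoring before the start request.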

What's next