Encrypt data with customer-managed encryption keys

This page shows you how to encrypt your Filestore data on Filestore instances using your own encryption keys.

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you need more control over the keys that protect your data, you can use customer-managed encryption keys (CMEK) for Filestore.

For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.

Supported tiers

The following table shows the Filestore tiers that support customer-managed encryption keys:

Tier Customer-managed encryption key support
Basic HDD No
Basic SSD No
High Scale SSD Yes (Preview)
Enterprise Yes

Create a key ring and key to use with your instance

The key ring and key can be in a different project from the Filestore instance but they must be in the same location. If you already have a Cloud KMS key ring and key that you want to use with Filestore, skip to the next section. Otherwise, follow the instructions on Creating symmetric encryption keys to create a key ring and key.

Grant key access permission to the Filestore service account

Before you can create a Filestore instance that uses a customer-managed encryption key, the Filestore service account must have the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter).

  1. A Filestore service account is created the first time you create a Filestore instance in the project. If you don't already have a Filestore service account, run the following command:

    gcloud beta services identity create --service=file.googleapis.com --project=INSTANCE_PROJECT_NUMBER_OR_ID
    

    Replace INSTANCE_PROJECT_NUMBER_OR_ID with the project number or ID of the project where you want to create the Filestore instance.

  2. Assign the Filestore service account the Cloud KMS CryptoKey Encrypter/Decrypter role by running:

    gcloud projects add-iam-policy-binding KMS_PROJECT_NUMBER_OR_ID \
        --member serviceAccount:service-INSTANCE_PROJECT_NUMBER@cloud-filer.iam.gserviceaccount.com \
        --role roles/cloudkms.cryptoKeyEncrypterDecrypter
    

    Replace the following:

    • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project that contains the Cloud KMS key that you want to use.
    • INSTANCE_PROJECT_NUMBER with the project number (not the project ID) of the project where you want to create the Filestore instance.

Create an instance that uses your Cloud KMS key

Cloud console

To create an instance that uses your Cloud KMS key for data encryption:

  1. In the Cloud console, go to the Filestore instances page.

    Go to the Filestore instances page

  2. Click Create Instance

  3. Select an instance tier that supports CMEKs and fill out all other required and optional fields as you normally would.

  4. Click Show advanced options.

  5. Select the Use a customer-managed encryption key (CMEK) checkbox.

  6. Select the Cloud KMS key that you want to use for the instance.

  7. Click Create.

gcloud CLI

To create a Filestore instance that uses your Cloud KMS key for data encryption, specify the --kms-key flag in the filestore instances create command:

gcloud filestore instances create nfs-server \
    --tier=<var>TIER</var> \
    --location=us-central1 \
    --file-share=name="vol1",capacity=1TiB \
    --network=name="default" \
    --kms-key=KMS_KEY

Replace the following:

  • TIER with a Filestore tier that supports customer-managed encryption keys.
  • KMS_KEY with the fully qualified name of the Cloud KMS key that you want to use. Alternatively, you can specify each argument separately in the format:
--kms-key=KMS_KEY : --kms-keyring=KEY_RING --kms-location=KMS_REGION --kms-project=KMS_PROJECT_NUMBER_OR_ID

Replace the following:

  • KMS_KEY with the name of the Cloud KMS key.
  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project where the key is created.
  • KMS_KEY_RING with the name of the key ring.
  • KMS_REGION with the region of the key ring. The key ring and instance must be located in the same region.

Get a list of keys

You can get a list of keys by running:

gcloud kms keys list \
    --project=KMS_PROJECT_NUMBER_OR_ID \
    --keyring=KEY_RING \
    --location=KMS_REGION

Replace the following:

  • KMS_PROJECT_NUMBER_OR_ID with the project number or ID of the project where the key is created.
  • KEY_RING with the name of the key ring.
  • KMS_REGION with the region of the key ring.

The Name column of the output gives the fully qualified name of existing keys. For example:

projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key

Get instance key information

List instances that use a particular Cloud KMS key

You can list Filestore instances that use a particular key by running:

gcloud filestore instances list --filter="kmsKeyName=KMS_KEY"

Replace KMS_KEY with the fully qualified name of the key that you want to use.

Example:

gcloud filestore instances list \
    --filter="kmsKeyName=projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"

The output looks like:

INSTANCE_NAME LOCATION    TIER       CAPACITY_GB FILE_SHARE_NAME IP_ADDRESS   STATE CREATE_TIME
nfs-server    us-central1 ENTERPRISE 1024        vol1            10.166.108.2 READY 2021-08-12T11:38:56

Get Cloud KMS key information for an instance

Use one of the following methods to get Cloud KMS key information for a Filestore instance:

Cloud console

  1. Go to the Filestore instances page.

    Go to the Filestore instances page

  2. Click the instance ID to open the instance details page.

  3. Click the Overview tab.

If the instance encrypts data using a Cloud KMS key instead of a Google-managed encryption key, the key name is displayed in the Encryption key field.

gcloud CLI

gcloud filestore instances describe INSTANCE_ID \
   --location=INSTANCE_LOCATION

Replace the following:

  • INSTANCE_ID with the instance ID of the Filestore instance that you want to get information about.
  • INSTANCE_LOCATION with the region or zone where the instance is located.

The output looks like:

createTime: '2021-08-12T11:38:56.851157387Z'
fileShares:
- capacityGb: '1024'
  name: vol1
kmsKeyName: projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key
labels:
  key: val
name: projects/consumer-project/locations/us-central1/instances/nfs-server
networks:
- ipAddresses:
  - 10.0.100.2
  modes:
  - MODE_IPV4
  network: network
  reservedIpRange: 10.166.108.0/23
state: READY
tier: ENTERPRISE

Disable or destroy a Cloud KMS key that's used by an instance

If you disable or destroy a key or key version, the behavior of an affected Filestore instance depends on its tier:

  • An Enterprise Tier instance continues to serve data, but can fail at any moment due to key un availability. To ensure that access to the data is blocked after a key is disabled or destroyed, reach out to Google Support and make a request to stop affected Enterprise instances.

  • A High Scale SSD Tier instance Preview detects the change in key state and automatically stops serving data. This detection typically happens within a few minutes of the change in key state, but in some cases can take up to 3 hours.

Once an instance is stopped, all access to file share data and any snapshots is blocked. Stopped instances continue to be billed until they're deleted.

Starting a stopped instance

If a stopped Filestore instance uses a Cloud KMS key for data encryption, all key versions of the key must be enabled or restored before restarting the instance.

Once the Cloud KMS key status is enabled, the instance can restart:

  • Enterprise Tier instances require you to reach out to Google Support and make a request to restart the instance.

  • High Scale SSD Tier instances Preview automatically detect key changes and restart without any additional action, typically within 20 minutes.

What's next