Encrypt data with customer-managed encryption keys

This document shows how to use customer-managed encryption keys (CMEK) to encrypt and control data-at-rest in a cloud service through Cloud Key Management Service. CMEK is integrated with code customization for Gemini Code Assist.

If you don't use a CMEK, Google automatically manages the keys that encrypt the data by default. This behavior is known as Google default encryption. With this default behavior, you don't have control over the encryption keys.

In this document, you do the following:

• Learn how to create a CMEK.
• Grant permissions to the Gemini Code Assist service account.
• Create a code repository index with a CMEK.
• Remove access to a CMEK repository.

Before you begin

1. In the Google Cloud console, activate Cloud Shell.

   Activate Cloud Shell

2. In your shell environment, run the gcloud components update command to ensure that you have updated all installed components of the gcloud CLI to the latest version. For this step, you can install and initialize the gcloud CLI, or you can use Cloud Shell.

   gcloud components update
   

Create a CMEK and grant permissions

To create a CMEK and grant the Gemini Code Assist service account permissions on the key, perform the following tasks:

1. In the Google Cloud project where you want to manage your keys, do the following:

   1. Enable the Cloud Key Management Service API.

   2. Create a key ring and a key using one of the following options:

      • Create the key ring and key directly in Cloud KMS.
      • Use an externally managed key. Create the external key, and then create a Cloud EKM key to make the key available through Cloud KMS.

2. Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Gemini Code Assist service account. Grant this permission on the key that you created.

   Console

   1. Go to Key management.

      Go to Key management

   2. Select the key that you created.

   3. Grant access to the Gemini Code Assist service account:

      1. Click Add principal.
      2. Add the Gemini Code Assist service account. The service account is service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com, where PROJECT_NUMBER is the project number of the Google Cloud project where Gemini Code Assist is enabled.
      3. In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
      4. Click Save.

   4. Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.

   5. Return to the Key management page and select the key again.

   6. Select Show info panel. You should see roles in the Role/Member column.

   gcloud

   1. To grant access to the Gemini Code Assist service account, in a shell environment, use the kms keys add-iam-policy-bindingcommand:

      gcloud kms keys add-iam-policy-binding KEY_NAME \
          --project=PROJECT_ID \
          --location=LOCATION \
          --keyring=KEYRING_NAME \
          --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com" \
          --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
      

      Replace the following:

      • KEY_NAME: the key name.
      • PROJECT_ID: the ID of the project that contains the key.
      • LOCATION: the key location.
      • KEYRING_NAME: the key ring name.
      • PROJECT_NUMBER: the project number of the Google Cloud project with Gemini Code Assist enabled.

   2. Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.

   For more information about this command, see the gcloud kms keys add-iam-policy-binding documentation.

You can now create a code repository index with a CMEK using the API, and specify the key to use for encryption.

Create a code repository index with a CMEK

In gcloud CLI, create a new repository in the service that has protection from a CMEK:

gcloud gemini code-repository-indexes create CODE_REPOSITORY_INDEX_NAME \
    --location=LOCATION \
    --kms-key="projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME"

Replace the following:

• CODE_REPOSITORY_INDEX_NAME: the name of the new code repository index name that you'll create.
• LOCATION: the key location.
• KEY_PROJECT_ID: the key project ID.
• KEYRING_NAME: the key ring name.
• KEY_NAME: the key name.

Remove access to a CMEK repository

There are several ways to remove access to a CMEK-encrypted repository:

• Revoke the Cloud KMS CryptoKey Encrypter/Decrypter role from the Gemini Code Assist service account using the Google Cloud console or the gcloud CLI.
• Temporarily disable the CMEK.
• Permanently destroy the CMEK.

We recommend that you revoke the permissions from the Gemini Code Assist service account before disabling or destroying a key. Changes to permissions are consistent within seconds, so you can observe the impacts of disabling or destroying a key.