Customer-managed encryption keys (CMEK)

This topic provides an overview of customer-managed encryption keys (CMEK). CMEK gives you control over the keys that protect your data at rest in Google Cloud.

Default encryption

All data stored within Google Cloud is encrypted at rest using the same hardened key management systems that Google uses for our own encrypted data. These key management systems provide strict key access controls and auditing, and encrypt user data at rest using AES-256 encryption standards. No setup, configuration, or management is required. Default encryption is the best choice if your organization doesn't have specific requirements related to compliance or locality of cryptographic material.

For more information about default encryption in Google Cloud, see Default encryption at rest.

Customer-managed encryption keys (CMEK)

Customer-managed encryption keys are encryption keys that you manage using Cloud KMS. This functionality lets you have greater control over the keys used to encrypt data at rest within supported Google Cloud services. To learn whether a service supports CMEK keys, see the list of supported services. When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Using CMEK doesn't necessarily provide more security than the default encryption mechanisms. In addition, using CMEK incurs additional costs related to Cloud KMS. Using CMEK gives you control over more aspects of the lifecycle and management of your keys, including the following abilities:

  • You can prevent Google from being able to decrypt data at rest by disabling the keys used to protect that data.
  • You can protect your data using a key that meets specific locality or residency requirements.
  • You can automatically or manually rotate the keys used to protect your data.
  • You can protect your data using different types of keys:
    • Generated software keys
    • Cloud HSM (hardware-backed) keys
    • Cloud External Key Manager (externally managed) keys
    • Existing keys that you import into Cloud KMS
  • You can use unlimited key versions for each key. Most services don't support unlimited key versions when using default encryption.

CMEK integrations

When a service supports CMEK, it's said to have a CMEK integration. Some services, such as GKE, have multiple CMEK integrations for protecting different types of data related to the service.

For the exact steps to enable CMEK, see the documentation for the relevant Google Cloud service. You can expect to follow steps similar to the following:

  1. You create a Cloud KMS key ring or choose an existing key ring. When creating your key ring, choose a location that is geographically near to the resources you're protecting. The key ring can be in the same project as the resources you're protecting or in a different project. Using a different project gives you greater control over Identity and Access Management (IAM) permissions.

  2. You create or import a Cloud KMS key in the chosen key ring. This key is the CMEK key.

  3. You grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK key to the service account for the service.

  4. You configure the service to use the CMEK key to protect its data. For example, you can configure a GKE cluster to use CMEK to protect data at rest on the boot disks of the nodes.

As long as the service account has the CryptoKey Encrypter/Decrypter role, the service can encrypt and decrypt its data. If you revoke this role, or if you disable or destroy the CMEK key, that data can't be accessed.
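The four steps above expressed as Terraform, using the GKE boot-disk case from step 4. This is an added example, not configuration from the Google Cloud documentation; the project ID, region, and the key ring, key and cluster names are assumed values. Because node boot disks are Compute Engine persistent disks, the role in step 3 is granted to the Compute Engine service agent rather than the GKE service agent.

```hcl
# Added example (not from the documentation page). Assumed values:
# project "my-project" holds both the key and the cluster; region "us-central1".
variable "project_id" { default = "my-project" }  # assumed
variable "region"     { default = "us-central1" } # assumed; same as the cluster

data "google_project" "this" {
  project_id = var.project_id
}

# Step 1: key ring in the same location as the resources it protects.
resource "google_kms_key_ring" "cmek" {
  name     = "gke-cmek-ring"
  location = var.region
  project  = var.project_id
}

# Step 2: the CMEK key, rotated automatically every 90 days.
resource "google_kms_crypto_key" "boot_disk" {
  name            = "gke-boot-disk-key"
  key_ring        = google_kms_key_ring.cmek.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days

  lifecycle {
    # Destroying the key makes every disk it protects unreadable.
    prevent_destroy = true
  }
}

# Step 3: grant Encrypter/Decrypter on this key only (not on the ring or
# project) to the Compute Engine service agent that creates node boot disks.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.boot_disk.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@compute-system.iam.gserviceaccount.com"
}

# Step 4: point the service at the key.
resource "google_container_cluster" "cmek" {
  name               = "cmek-cluster"
  location           = var.region
  project            = var.project_id
  initial_node_count = 1

  node_config {
    boot_disk_kms_key = google_kms_crypto_key.boot_disk.id
  }

  # Cluster creation fails if the grant is not in place first.
  depends_on = [google_kms_crypto_key_iam_member.compute_agent]
}
```

Removing the `google_kms_crypto_key_iam_member` resource, or disabling the key version in Cloud KMS, has the effect described above: the nodes can no longer read their boot disks.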

CMEK compliance

Some services do not directly store data, or store data for only a short time, as an intermediate step in a long-running operation. For this type of workload, it's not practical to encrypt each write separately. These services don't offer CMEK integrations, but can offer CMEK compliance, often with no configuration on your part.

A CMEK-compliant service encrypts temporary data by using an ephemeral key that only exists in memory and is never written to disk. When the temporary data is no longer needed, the ephemeral key is flushed from memory. Without the ephemeral key, the encrypted data can't be accessed, even if the storage resource still exists.

A CMEK-compliant service might offer the ability to send its output to a service with a CMEK integration, such as Cloud Storage.

CMEK organization policies

Google Cloud offers two organization policy constraints to help ensure CMEK usage across an organization resource. These constraints provide controls to Organization Administrators to require CMEK usage and to limit which Cloud KMS keys are used for CMEK protection. To learn more, see CMEK organization policies.
