By default, Backup for GKE encrypts customer content at rest. Backup for GKE handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Backup for GKE. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Backup for GKE resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Overview
There are two types of user data artifacts that are produced and stored by Backup for GKE:
- Config backup: a set of Kubernetes resource descriptions extracted from the API server of the cluster undergoing backup, capturing the cluster state.
- Volume backups: a set of volume backups that correspond to
PersistentVolumeClaim
resources found in the config backup.
By default, all backup artifacts produced by Backup for GKE are encrypted at rest using a Google-supplied key.
However, you may choose to have these artifacts encrypted using a customer-managed encryption key (CMEK) managed with the Cloud Key Management Service.
Enable CMEK encryption
Enabling CMEK encryption involves two steps:
Designate a key for encrypting backups produced for a
BackupPlan
.Grant access by the appropriate service accounts to the appropriate keys.
For any particular backup scenario, there are potentially three CMEK keys involved:
bplan_key
: This is the key that you reference when creating or updating theBackupPlan
. When possible, this key that will be used when encrypting all backup artifacts. This key must live in the same region as theBackupPlan
itself (see About resource locations).orig_disk_key
: If you have encrypted your persistent disk volumes using a CMEK key, then the volume backups that Backup for GKE produces for those volumes will be encrypted with this key, even if a different key is registered with theBackupPlan
.new_disk_key
: This is the CMEK key you want to use for encrypting volumes you have restored from backup. This is referenced by theStorageClass
in the restore's target cluster.
There are four different service accounts that may require access to CMEK keys:
agent_robot
: This service account must be granted access to thebplan_key
. This service account will have the form:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com
, wherePROJECT_NUMBER
is the number of your Google Cloud project.non_cmek_service_agent
: When backing up non-CMEK-encrypted volumes, this service account must be granted access to thebplan_key
. This service account will have the form:service-PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com
, wherePROJECT_NUMBER
is the number of your Google Cloud project.cmek_service_agent
: When backing up CMEK-encrypted volumes, this service account must be granted access to theorig_disk_key
. This service account will have the form:service-TENANT_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
, whereTENANT_PROJECT_NUMBER
is the number of the tenant project assigned for yourBackupPlan
.compute_service_agent
: This service account is used when creating new encrypted volumes for a cluster and must be granted access to thenew_disk_key
. This service account will have the form:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
, wherePROJECT_NUMBER
is the number of your Google Cloud project.
If diskEncryptionKey.kmsKeyServiceAccount is set for the disks, you will need to perform the following steps before creating a backup:
Disable the organization policy
iam.disableCrossProjectServiceAccountUsage
to enable service account impersonation across projects:gcloud resource-manager org-policies disable-enforce \ iam.disableCrossProjectServiceAccountUsage --project=PROJECT_ID
Grant
cmek_service_agent
theroles/iam.serviceAccountTokenCreator
role to create short-lived credentials:gcloud iam service-accounts add-iam-policy-binding \ # Replace the email with the value from # `diskEncryptionKey.kmsKeyServiceAccount` your-kms-key-service-acount@PROJECT_ID.iam.gserviceaccount.com \ --member=service-TENANT_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \ --role=roles/iam.serviceAccountTokenCreator
The following table summarizes which service accounts must be granted access to which keys in various scenarios:
Artifact | Service account | Key |
---|---|---|
config backup cluster | agent_robot | bplan_key |
backup of CMEK-encrypted volume | cmek_service_agent | orig_disk_key |
backup of google-encrypted volume | non_cmek_service_agent | bplan_key |
new CMEK-encrypted volume created during restore | compute_service_agent | new_disk_key |
You can choose to grant access to keys at a project level, which grants access to all keys in that project, or to the individual key.
Grant project level access
You can grant access to keys at a project level, which grants access to all keys in that project.
Use the following instructions to grant access at a project level.
Console
In the Google Cloud console, go to the IAM page.
Click Grant access.
In the New principals field, enter the email address of the service account.
From the Select a role list, select the Cloud KMS CryptoKey Encrypter/Decrypter role.
Click Save.
gcloud
Grant access at a project level.
gcloud projects add-iam-policy-binding PROJECT_ID \ --member serviceAccount:service-PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace the following:
PROJECT_ID
: the ID of the project you want to grant access to.PROJECT_NUMBER
: the number of the project you want to grant access to.
Terraform
Grant access at a project level.
resource "google_project_iam_member" "example_iam_member" { project = "PROJECT_ID" role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" member = "serviceAccount:service-PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com" }
Replace the following:
PROJECT_ID
: the ID of the project you want to grant access to.PROJECT_NUMBER
: the number of the project you want to grant access to.
Grant access at key level
Use the following instructions to grant access at the individual key level.
Console
In the Google Cloud console, go to the Key management page.
Click the name of the key ring.
Click the name of the key.
Click the Permissions tab.
Click Grant access.
In the New principals field, enter the email address of the service account.
From the Select a role list, select the Cloud KMS CryptoKey Encrypter/Decrypter role.
Click Save.
gcloud
Grant access at the individual key level.
gcloud kms keys add-iam-policy-binding KEY_NAME \ --keyring KEY_RING \ --location LOCATION \ --member "serviceAccount:service-PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com" \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace the following:
KEY_NAME
: the name of the key.KEY_RING
: the name of the key ring that contains the key.LOCATION
: the Cloud KMS location of the key ring.PROJECT_NUMBER
: the number of the project you want to grant access to.
Terraform
Grant access at the individual key level.
resource "google_kms_crypto_key_iam_member" "crypto_key_iam_member" { crypto_key_id = "projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" member = "serviceAccount:service-PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com" }
Replace the following:
PROJECT_ID
: the ID of the project you want to grant access to.LOCATION
: the Cloud KMS location of the key ring.KEY_RING
: the name of the key ring that contains the key.KEY_NAME
: the name of the key.PROJECT_NUMBER
: the number of the project you want to grant access to.
Usage considerations and limitations
If you want to back up a CMEK-encrypted volume, you must grant access to that disk's key, even if you don't enable CMEK encryption in your
BackupPlan
.CMEK keys must be in the same region as the
BackupPlan
to ensure that a regional outage won't remove access to the key while backups are still accessible. However, this constraint cannot be enforced for keys shared with encrypted volumes. When encrypted volumes are involved, it is possible that a restoration may fail even when a backup is available, because the disk encryption key may not be stored in the same region as the backup.
Use and manage external keys
You can use Cloud External Key Manager (Cloud EKM) to create and manage external keys. External keys are pointers to keys that reside outside of Google Cloud. These keys reside with a supported external key management partner. For more information, see Cloud External Key Manager.
After you create an external key with Cloud EKM, you can apply it to a new backup plan by providing the ID of that key when creating a new backup plan. This procedure is the same as applying a Cloud KMS key to a new backup plan.
You can use Key Access Justifications as part of Cloud EKM. Key Access Justifications lets you view the reason for each Cloud EKM request. Additionally, based on the justification provided, you can automatically approve or deny a request. For more information, see Overview.