Using customer-managed encryption keys (CMEK)

This topic describes how to use Customer Managed Encryption Keys (CMEK) on Google Kubernetes Engine (GKE). If you need to control the management of your keys, you can use Key Management Service (KMS) and CMEK to protect Persistent Disks in your GKE cluster.


By default, Google Cloud encrypts customer content at rest, and GKE manages encryption for you without any action on your part.

If you want to control and manage encryption key rotation yourself, you can use Customer Managed Encryption Keys (CMEK). These keys are used to encrypt the data encryption keys that encrypt your data. For more information, see Key management.

CMEK-encrypted disks are available in GKE as a dynamically provisioned PersistentVolume.

In GKE, CMEK can protect data on persistent disks attached to nodes in your cluster. Boot disks and control plane disks cannot be protected with CMEK.

Before you begin

Complete these instructions to encrypt newly created Persistent Disks. You can enable CMEK on a new or existing cluster, using a new or existing KMS key.

These instructions need to be completed once per GKE cluster. To set up CMEK:

  1. If necessary, create a GKE cluster.
  2. Deploy the Compute Engine Persistent Disk CSI Driver to your cluster.
  3. Enable the KMS API and create a key by completing the "Before you begin" section of Protecting Resources with Cloud KMS Keys, then complete the following sub-steps:

    1. Create a key ring in the same region as your GKE cluster.
    2. Assign the KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Compute Engine Service Agent (service-[PROJECT_NUMBER]). This allows GKE to access the key.

Create a StorageClass referencing the new KMS key

  1. Copy the content below into a YAML file. For the rest of this page, we will call it gcepd-sc.yaml. This configuration enables dynamic provisioning of encrypted volumes.

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: csi-gce-pd
    provisioner: pd.csi.storage.gke.io
    parameters:
      type: pd-standard
      disk-encryption-kms-key: projects/[KMS_PROJECT_ID]/locations/[REGION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]

    • disk-encryption-kms-key must be the fully qualified resource identifier for the key that will be used to encrypt new disks. Replace the items inside square brackets as appropriate to reference your KMS key.
    • The values in disk-encryption-kms-key (for example, keyRings and cryptoKeys) are case sensitive. Provisioning a new volume with incorrect values results in an invalidResourceUsage error.
    • You can set the StorageClass as the default.
  2. Deploy the StorageClass on your GKE cluster using kubectl:

    kubectl apply -f gcepd-sc.yaml
  3. Finally, verify that your StorageClass uses the Compute Engine Persistent Disk CSI driver and includes the ID of your key:

    kubectl describe storageclass csi-gce-pd

In the output of the command, verify:

  • The provisioner is set to pd.csi.storage.gke.io (the Compute Engine Persistent Disk CSI driver).
  • The ID of your key follows disk-encryption-kms-key.

    Name:                  csi-gce-pd
    IsDefaultClass:        No
    Annotations:           None
    AllowVolumeExpansion:  unset
    MountOptions:          none
    ReclaimPolicy:         Delete
    VolumeBindingMode:     WaitForFirstConsumer
    Events:                none
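The StorageClass above only fails at provisioning time if the key name is wrong, and a missing parameter silently falls back to Google-managed keys. The following added example (not part of the original page or of GKE) lints a StorageClass before it is applied: it checks the provisioner, the exact case of keyRings and cryptoKeys, leftover [PLACEHOLDER] values, and that the key ring's location matches the cluster region. The sample StorageClass and its region are constructed values.

```python
import re

# Exact, case-sensitive shape of a Cloud KMS key resource name. "keyRings" and
# "cryptoKeys" must match this casing; otherwise provisioning fails later with
# invalidResourceUsage, so this catches the mistake before the StorageClass is applied.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[a-z0-9-]+)/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[A-Za-z0-9_-]{1,63})/cryptoKeys/(?P<key>[A-Za-z0-9_-]{1,63})$"
)
PD_CSI_PROVISIONER = "pd.csi.storage.gke.io"  # provisioner name of the PD CSI driver


def parse_kms_key(name: str) -> dict:
    """Split a fully qualified KMS key name into its parts; raise ValueError if malformed."""
    m = KMS_KEY_RE.match(name)
    if not m:
        raise ValueError(f"not a fully qualified KMS key resource name: {name!r}")
    return m.groupdict()


def check_storageclass(sc: dict, cluster_region: str) -> list:
    """Lint a StorageClass (parsed YAML as a dict); returns a list of problems (empty means OK)."""
    problems = []
    if sc.get("provisioner") != PD_CSI_PROVISIONER:
        problems.append(f"provisioner must be {PD_CSI_PROVISIONER}")
    key = (sc.get("parameters") or {}).get("disk-encryption-kms-key")
    if key is None:
        return problems + ["disk-encryption-kms-key missing: disks would use Google-managed keys"]
    if "[" in key:
        return problems + ["disk-encryption-kms-key still contains [PLACEHOLDER] values"]
    try:
        parts = parse_kms_key(key)
    except ValueError as exc:
        return problems + [str(exc)]
    # The key ring must live in the same region as the cluster (see "Before you begin").
    if parts["location"] != cluster_region:
        problems.append(f"key ring is in {parts['location']}, cluster is in {cluster_region}")
    return problems


# Constructed sample: correct provisioner, but the key name uses the wrong casing.
SAMPLE_SC = {
    "provisioner": PD_CSI_PROVISIONER,
    "parameters": {
        "type": "pd-standard",
        "disk-encryption-kms-key": "projects/kms-proj/locations/us-central1/keyrings/gke-ring/cryptokeys/pd-key",
    },
}
print(check_storageclass(SAMPLE_SC, "us-central1"))
```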

Create an encrypted Persistent Disk in GKE

In this section, you will dynamically provision encrypted Kubernetes storage volumes with your new StorageClass and KMS key.

Dynamically provision an encrypted Compute Engine Persistent Disk

  1. Copy the contents below into a new file named pvc.yaml, and update storageClassName with the name of your newly created StorageClass.

    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: podpvc
    spec:
      accessModes:
        - ReadWriteOnce
      storageClassName: csi-gce-pd
      resources:
        requests:
          storage: 6Gi
  2. Apply the PersistentVolumeClaim (PVC) on your GKE cluster using kubectl:

    kubectl apply -f pvc.yaml
  3. Verify that the PVC is created and bound to a newly provisioned PersistentVolume by getting the status of your cluster's PersistentVolumeClaim:

    kubectl get pvc
    NAME       STATUS    VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    podpvc     Bound     pvc-e36abf50-84f3-11e8-8538-42010a800002   10Gi       RWO            csi-gce-pd     9s

You can now use your CMEK-protected Persistent Disk with your GKE cluster.

Removing CMEK protection from a Persistent Disk

To remove CMEK protection from a Persistent Disk, follow the instructions in the Compute Engine documentation.

Next Steps

For more information on CMEK, see:
