This page provides instructions for creating a Memorystore for Redis Cluster instance that uses customer-managed encryption keys (CMEK). It also provides instructions for managing instances that use CMEK. For more information about CMEK for Memorystore for Redis Cluster, see About customer-managed encryption keys (CMEK).
Before you begin
Make sure that you have the Redis Admin role on your user account.
Workflow to create an instance that uses CMEK
Create a key ring and key in the location where you want the Memorystore for Redis Cluster instance to be.
Copy or write down the key ID (KMS_KEY_ID), the location of the key, and the key ring ID (KMS_KEY_RING_ID). You need this information when granting the service account access to the key.
Grant the Memorystore for Redis Cluster service account access to the key.
Go to a project and create a Memorystore for Redis Cluster instance with CMEK enabled in the same region as the key ring and key.
Your Memorystore for Redis Cluster instance is now enabled with CMEK.
Create a key ring and key
Create a key ring and key. Both must be in the same region as your Memorystore for Redis Cluster instance. The key can be from a different project, as long as the key is in the same region. Also, the key must use the symmetric encryption algorithm.
Grant the Memorystore for Redis Cluster service account access to the key
Before you can create a Memorystore for Redis Cluster instance that uses CMEK, you must grant a specific Memorystore for Redis Cluster service account access to the key.
The service account that needs access to the key has the following format, where PROJECT-NUMBER is the number of the project that contains the instance:
service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com
gcloud
To grant the service account access to the key, use the gcloud kms keys add-iam-policy-binding command. Replace VARIABLES with appropriate values.
gcloud kms keys add-iam-policy-binding \
    projects/PROJECT_ID/locations/REGION_ID/keyRings/KMS_KEY_RING_ID/cryptoKeys/KMS_KEY_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Create a Memorystore for Redis Cluster instance that uses CMEK
gcloud
To create an instance that uses CMEK, use the gcloud beta redis clusters create command. Replace VARIABLES with appropriate values.
gcloud beta redis clusters create INSTANCE_ID \
    --project=PROJECT_NAME \
    --region=REGION_ID \
    --network=NETWORK \
    --kms-key=projects/PROJECT_NAME/locations/REGION_ID/keyRings/KMS_KEY_RING_ID/cryptoKeys/KMS_KEY_ID \
    --shard-count=SHARD_NUMBER \
    --persistence-mode=PERSISTENCE_MODE
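The full workflow above (key ring and symmetric key, IAM grant to the service agent, instance creation) as one script. This is an added example, not code from the Memorystore documentation: the project, key ring, key, network and instance names are constructed placeholders, the key is deliberately placed in a separate project to show the same-region check, and DRY_RUN=1 prints each gcloud command instead of executing it. The gcloud kms keyrings create and gcloud kms keys create commands are the standard Cloud KMS commands; the remaining commands are the ones the page shows.

```shell
#!/bin/sh
# Added example, not code from the Memorystore documentation: provision a
# symmetric CMEK key and a Redis Cluster instance that uses it, with the
# preflight checks the page's requirements imply (symmetric key, same region,
# least-privilege grant to the service agent). Resource names are constructed
# placeholders. DRY_RUN=1 (the default here) prints each gcloud command
# instead of running it.
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the full resource name of a Cloud KMS key.
# Arguments: KEY_PROJECT LOCATION KEY_RING KEY
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Print the location embedded in a KMS key resource name; return 1 if the
# name is not of the form projects/P/locations/L/keyRings/R/cryptoKeys/K.
kms_key_location() {
  loc=$(printf '%s' "$1" | sed -n \
    's#^projects/[^/]*/locations/\([^/]*\)/keyRings/[^/]*/cryptoKeys/[^/]*$#\1#p')
  [ -n "$loc" ] || return 1
  printf '%s\n' "$loc"
}

# Preflight: the key must be in the same region as the instance (it may live
# in another project). Returns 0 when the locations match.
check_key_region() {
  loc=$(kms_key_location "$1") || return 1
  [ "$loc" = "$2" ]
}

# Step 1: key ring and symmetric key. --purpose=encryption creates a symmetric
# encrypt/decrypt key, the only kind CMEK accepts.
# Arguments: KEY_PROJECT LOCATION KEY_RING KEY
create_symmetric_key() {
  run gcloud kms keyrings create "$3" --project="$1" --location="$2"
  run gcloud kms keys create "$4" --project="$1" --location="$2" \
    --keyring="$3" --purpose=encryption
}

# Steps 2-3: grant the service agent the encrypter/decrypter role on this one
# key only (no project-wide KMS role), then create the instance.
# Arguments: PROJECT_ID PROJECT_NUMBER REGION KMS_KEY NETWORK INSTANCE SHARDS
create_cmek_cluster() {
  check_key_region "$4" "$3" || {
    echo "refusing: key $4 is not in region $3" >&2
    return 1
  }
  run gcloud kms keys add-iam-policy-binding "$4" \
    --member="serviceAccount:service-$2@cloud-redis.iam.gserviceaccount.com" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  run gcloud beta redis clusters create "$6" --project="$1" --region="$3" \
    --network="$5" --kms-key="$4" --shard-count="$7"
}

# Constructed placeholder values; the key lives in a separate "key-project".
KEY=$(kms_key_name key-project us-central1 redis-ring redis-key)
create_symmetric_key key-project us-central1 redis-ring redis-key
create_cmek_cluster app-project 123456789012 us-central1 "$KEY" \
  projects/app-project/global/networks/default my-redis-cluster 3
```

Run it as-is to review the commands, then with DRY_RUN=0 and your own values to execute them. The region check fails closed: a key in us-east1 is rejected before any IAM binding is added, which mirrors the page's requirement that key and instance share a region.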
View key information for a CMEK-enabled instance
Follow these instructions to see if CMEK is enabled for your instance, and to view the active key.
gcloud
To verify whether CMEK is enabled and to see the key reference, use the gcloud redis clusters describe command and view the encryptionInfo and kmsKey fields. Replace VARIABLES with appropriate values.
gcloud redis clusters describe INSTANCE_ID \
    --project=PROJECT_NAME \
    --region=REGION_ID
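A check that turns the describe step into a pass/fail verification, as an added example that is not part of the Memorystore documentation. The page names the encryptionInfo and kmsKey fields; the constructed sample output below only reproduces kmsKey faithfully, and the overall layout, the key name and the instance name in it are assumptions. The function distinguishes an instance with no kmsKey (Google-managed encryption) from one that is bound to a key other than the one you intended.

```shell
#!/bin/sh
# Added example, not code from the Memorystore documentation: verify from the
# output of 'gcloud redis clusters describe' that an instance is protected by
# the CMEK key you intended. Only the kmsKey field name comes from the page;
# the sample output layout and the resource names are constructed.

# Print the kmsKey value from describe output read on stdin (empty if absent).
describe_kms_key() {
  sed -n 's/^[[:space:]]*kmsKey:[[:space:]]*//p' | head -n 1
}

# Read describe output on stdin. Return 0 if the instance uses exactly the
# expected key, 1 if no kmsKey is reported (Google-managed encryption),
# 2 if a different key is in use.
verify_cmek() {
  expected="$1"
  actual=$(describe_kms_key)
  if [ -z "$actual" ]; then
    echo "no kmsKey in describe output: instance is not CMEK-enabled" >&2
    return 1
  elif [ "$actual" != "$expected" ]; then
    echo "kmsKey mismatch: expected $expected, got $actual" >&2
    return 2
  fi
  return 0
}

# Wrapper around the page's describe command for a live instance.
# Arguments: INSTANCE_ID PROJECT REGION EXPECTED_KEY
verify_instance_cmek() {
  gcloud redis clusters describe "$1" --project="$2" --region="$3" | verify_cmek "$4"
}

# Constructed sample output shaped like YAML; subfields of encryptionInfo are
# omitted because this example does not assume their names.
SAMPLE_DESCRIBE='name: projects/app-project/locations/us-central1/clusters/my-redis-cluster
encryptionInfo:
  # subfields omitted in this constructed sample
kmsKey: projects/key-project/locations/us-central1/keyRings/redis-ring/cryptoKeys/redis-key
state: ACTIVE'

printf '%s\n' "$SAMPLE_DESCRIBE" | verify_cmek \
  projects/key-project/locations/us-central1/keyRings/redis-ring/cryptoKeys/redis-key \
  && echo "CMEK verified"
```

The distinct exit codes make the check usable from a post-provisioning pipeline: a return of 1 means the instance was created without --kms-key, while 2 means it is encrypted, but under a key you did not expect, which is the case to investigate before trusting the instance with data.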
Manage key versions
For information about what happens when you disable, destroy, rotate, enable, and restore a key version, see Behavior of a CMEK key version.
For instructions on how to disable and re-enable key versions, see Enable and disable key versions.
For instructions on how to destroy and restore key versions, see Destroy and restore key versions.
What's next
- Learn more about backups.
- Learn more about persistence.