Use customer-managed encryption keys (CMEK)

This page provides instructions for creating a Memorystore for Redis instance that uses customer-managed encryption keys. It also provides instructions for managing instances that use CMEK. For more information about customer-managed encryption keys for Memorystore, see Customer-managed encryption keys.

Before you begin

  1. Make sure you have the Redis Admin role on your user account.

    Go to the IAM page

Workflow for creating an instance instance that uses CMEK

  1. Create a keyring and create a key in the location where you want the Memorystore instance to be.

  2. Copy or write down the key ID (KMS_KEY_ID), the location of the key, and the ID (KMS_KEYRING_ID) for the keyring. You need this information when granting the service account access to the key.

  3. Grant the Memorystore service account access to the key.

  4. Go to a project and create a Memorystore for Redis instance with CMEK enabled in the same region as the keyring and key.

Your Memorystore for Redis instance is now enabled with CMEK.

Creating a key and keyring

Follow instructions to create a keyring and create a key. Both must be in the same region as your Redis instance. The key can be from a different project, as long as the key is in the same region. Also, the key must use the symmetric encryption algorithn.

Granting the service account access to the key

In order to create a Redis instance that uses CMEK first you must grant a specific Memorystore service account access to the key. Grant access to the Memorystore service account that uses the following format:

service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com

Console

When using the console, you grant the service account access to the key as part of the steps for creating a redis instance that uses CMEK.

gcloud

To grant the service account access to the key, run the following command replacing VARIABLES with appropriate values:

gcloud kms keys add-iam-policy-binding [KMS_KEY_ID] \
--location=[REGION_ID] \
--keyring=[KMS_KEYRING_ID] \
--member=serviceAccount:service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Creating a Memorystore for Redis instance that uses CMEK

To create an instance with customer-managed encryption keys:

Console

  1. Begin by having a keyring and key in the same region where you want to create your Memorystore instance.

  2. Follow the instructions at Creating a Redis instance until you reach the step for enabling a customer-managed encryption key, then return to these instructions.

  3. Select Use a customer-managed encryption key (CMEK).

  4. Use the dropdown menu to select your key.

  5. If the Memorystore service account has not been granted the permissions it needs, a text box appears saying:

    The service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key.

    • Click the Grant button to grant the role permission to the Memorystore service account.
  6. Finish selecting your desired configurations for your instance, and click the Create button to create your CMEK enabled Memorystore for Redis instance.

gcloud

To create an instance that uses customer-managed encryption keys enter the following command, replacing VARIABLES with appropriate values:

gcloud beta redis instances create [INSTANCE_ID] --size=[SIZE] \
--region=[REGION_ID] \
--customer-managed-key=projects/[PROJECT_NAME]/locations/[REGION_ID]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]

Viewing key information for a CMEK-enabled instance

Follow these instructions to see if CMEK is enabled for your instance, and to view the active key.

Console

  1. In the Google Cloud Console, go to the Memorystore for Redis Instances page.

    Memorystore for Redis

  2. View the Instance details page for your instance by clicking your Instance ID.

  3. Click the Security tab.

  4. The Encryption with a customer managed key section contains a link to the active key, and shows the key reference path. If this section does not appear, CMEK is not enabled for your instance.

gcloud

To verify if CMEK is enabled, and to see the key reference, view the customerManagedKey field by running the following command:

gcloud beta redis instances describe INSTANCE_ID --project=PROJECT --region=REGION

Disabling and re-enabling key versions

For information about what happens when you disable, enable, destroy, or re-enable a key version, see Behavior of destroying/disabling a CMEK key version.

For instructions on how to disable and re-enable key versions, see Enabling and disabling key versions.

For instructions on how to disable and re-enable key versions, see Destroying and restoring key versions.

What's next