Manage customer-managed encryption key policies

This page describes the use of customer-managed encryption keys (CMEK) to manage Google Cloud NetApp Volumes.

About CMEK

NetApp Volumes always encrypts your data with volume-specific keys. NetApp Volumes always encrypts your data at rest.

With CMEK, Cloud Key Management Service wraps your stored volume keys. This feature gives you greater control over the encryption keys you use and the added security of storing the keys on a system or in a location different from the data. NetApp Volumes supports Cloud Key Management Service capabilities such as hardware security modules, Cloud External Key Manager, and the full key management lifecycle of generate, use, rotate, and destroy.

NetApp Volumes supports one CMEK policy per region. A CMEK policy attaches to a storage pool and all volumes created in that pool use it. You can have a mix of storage pools with and without CMEK policies in a region. If you have pools without CMEK in a specific region, you can convert them to CMEK by using the migration action of a region's CMEK policy.

The use of CMEK is optional. If used, CMEK policies are region-specific. You can only configure one policy per region.


The following sections include limitations for CMEK to consider.

Key management

Using CMEK makes you solely responsible for your keys and your data.

Cloud KMS configurations

CMEK uses symmetric keys for encryption and decryption. After all volumes are deleted in a region for a project, the Cloud KMS configuration returns to a Ready created state. It's used again when you create the next volume in that region. You can also delete it using the API.

What's next

Create a CMEK policy.