Encrypt data with customer-managed encryption keys

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for creating a Secure Source Manager instance.

When you enable CMEK, data at rest in the instance is encrypted using a key that you manage within Cloud Key Management Service. You can control access to the CMEK key using Identity and Access Management. If you temporarily disable or permanently destroy the CMEK key, data encrypted with that key cannot be accessed.

Cloud KMS can run in the same Google Cloud project as Secure Source Manager or in a separate project where you centrally manage keys for multiple projects. To support separation of duties and greater control over access to keys, we recommend that you create and manage keys in a separate project that doesn't include other Google Cloud resources.

You assign a CMEK key when you create an instance. You can't change the encryption mechanism of an existing instance. If you have a CMEK-encrypted instance, you can't change the encryption mechanism to Google default encryption or assign a different Cloud Key Management Service key for encryption.

The instance must be created in the same location as the CMEK key.

When you use CMEK in Secure Source Manager, your projects can consume Cloud KMS cryptographic requests quotas. CMEK-encrypted instances consume these quotas at creation time. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.

For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.

Create a CMEK key and grant permissions

The following instructions explain how to create a key and grant the Secure Source Manager service account permissions on the key.

  1. In the Google Cloud project where you want to manage your keys:

    1. Enable the Cloud KMS API.

    2. Create a key ring and a key using one of the following options:

      The Cloud KMS key location must match the location of the project where you want to create the Secure Source Manager instance.

  2. Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Secure Source Manager service account. Grant this permission on the key you created.

    Console

    1. Go to the Cryptographic keys page.

    2. Select the key you created.

    3. Grant access to the Secure Source Manager service account:

      1. Click ADD PRINCIPAL.
      2. Add the Secure Source Manager service account. The service account is service-PROJECT-NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com, where PROJECT-NUMBER is the project number of the Google Cloud project where Secure Source Manager is enabled.
      3. In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
      4. Click SAVE.
    4. Repeat the previous step to grant access to the account that will create the Secure Source Manager instance.

    5. Return to the Cryptographic keys page and select the key again.

    6. Click SHOW INFO PANEL. You should see the granted roles in the Role/Member column.

    gcloud

    1. Run the following command to grant access to the Secure Source Manager service account:

      gcloud kms keys add-iam-policy-binding [--project=PROJECT] \
             KEY --location LOCATION --keyring=KEYRING \
             --member serviceAccount:service-PROJECT-NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com \
             --role roles/cloudkms.cryptoKeyEncrypterDecrypter

      Where

      • PROJECT is the ID of the project that contains the key.
      • KEY is the key name.
      • LOCATION is the key location. The key location must match the location of the project where you want to deploy a Secure Source Manager instance.
      • KEYRING is the key ring name.
      • PROJECT-NUMBER is the project number of the Google Cloud project with Secure Source Manager enabled.
    2. Repeat the previous step to grant access to the account that will create the Secure Source Manager instance.

    For more information about this command, see the gcloud kms keys add-iam-policy-binding documentation.

You can now create an instance using the API, and specify the key to use for encryption. If you are creating your first Secure Source Manager instance in your project, you will need to manually create the Secure Source Manager service agent by running the following command:

gcloud beta services identity create \
    --service=securesourcemanager.googleapis.com \
    --project=PROJECT

Where PROJECT is the project ID of the project where you will create your Secure Source Manager instance.
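Before creating the instance, it is worth checking that the key grants and the key itself match the requirements above: the key location must equal the instance location, both the Secure Source Manager service agent and the creating account need roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, and (as the Remove access section below explains) a disabled or destroyed key makes the instance data inaccessible. The following pre-flight check is an added example, not code from the Google Cloud documentation; it works on a key resource name, a policy document in the shape returned by `gcloud kms keys get-iam-policy --format=json`, and a primary key version state, all of which are constructed here rather than fetched.

```python
import re

# Role and service-agent domain as given on the page; sample values below are assumed.
KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
AGENT_DOMAIN = "gcp-sa-sourcemanager.iam.gserviceaccount.com"
KEY_RE = re.compile(r"^projects/[^/]+/locations/(?P<location>[^/]+)"
                    r"/keyRings/[^/]+/cryptoKeys/[^/]+$")


def service_agent(project_number: str) -> str:
    # IAM member string of the Secure Source Manager service agent for a project number.
    return f"serviceAccount:service-{project_number}@{AGENT_DOMAIN}"


def members_with_role(policy: dict, role: str) -> set:
    # Flatten the bindings of a `gcloud kms keys get-iam-policy --format=json` document.
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def preflight(key_name: str, key_policy: dict, primary_state: str,
              project_number: str, creator: str, instance_location: str) -> list:
    # Return every problem that would stop a CMEK-protected instance being created or used.
    m = KEY_RE.match(key_name)
    if not m:
        return [f"malformed key resource name: {key_name}"]
    problems = []
    if m["location"] != instance_location:
        problems.append(f"key location {m['location']} != instance location {instance_location}")
    if primary_state != "ENABLED":  # a DISABLED or DESTROYED key makes instance data unreadable
        problems.append(f"primary key version state is {primary_state}")
    granted = members_with_role(key_policy, KMS_ROLE)
    for member in (service_agent(project_number), creator):
        if member not in granted:
            problems.append(f"{member} lacks {KMS_ROLE} on the key")
    return problems


# Constructed sample: only the service agent holds the role; the creating user does not.
SAMPLE_KEY = "projects/kms-project/locations/us-central1/keyRings/ssm-ring/cryptoKeys/ssm-key"
SAMPLE_POLICY = {"bindings": [{"role": KMS_ROLE, "members": [
    "serviceAccount:service-123456789012@gcp-sa-sourcemanager.iam.gserviceaccount.com"]}],
    "etag": "BwXyz123"}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_KEY, SAMPLE_POLICY, "ENABLED", "123456789012",
                             "user:alice@example.com", "us-central1"):
        print("PROBLEM:", problem)
```

In practice the policy and key state would come from `gcloud kms keys get-iam-policy` and `gcloud kms keys versions describe`; the check is the same.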

Remove access

There are several ways to remove access to a CMEK-encrypted repository:

We recommend that you revoke the permissions from the Secure Source Manager service account before disabling or destroying a key. Changes to permissions are consistent within seconds, so you can observe the impacts of disabling or destroying a key.

When you disable or destroy the encryption key for an instance, you lose the ability to view or retrieve data from the instance. All data stored in the instance becomes inaccessible, including code history, pull requests, and issues.

Users with the Secure Source Manager Instance Manager role or Instance Owner role can delete the instance.

CMEK organization policies

Secure Source Manager supports organization policy constraints that can require CMEK protection.

Policies can limit which Cloud KMS CryptoKeys can be used for CMEK protection.

  • When the Secure Source Manager API is in the Deny policy list of services for the constraints/gcp.restrictNonCmekServices constraint, Secure Source Manager refuses to create new instances that aren't CMEK-protected.

  • When constraints/gcp.restrictCmekCryptoKeyProjects is configured, Secure Source Manager creates CMEK-protected instances only with a CryptoKey from an allowed project, folder, or organization.

For more about configuring organization policies, see CMEK organization policies.