This page describes how to set up a service account and keys for customer-managed encryption keys, and how to create an instance that uses a customer-managed encryption key. To learn more about using customer-managed encryption keys with Cloud SQL, see Overview of customer-managed encryption keys.
Before you begin
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Cloud Console, on the project selector page, select or create a Cloud project.
Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.
- Install and initialize the Cloud SDK.
- Make sure you have the Cloud SQL Admin role on your user account.
- Enable the Cloud Key Management Service API.
Workflow for creating a Cloud SQL instance with CMEK
- gcloud and API users only: Create a service account for each project that requires customer-managed encryption keys.
- Create a keyring and key, and set the location for each key.
- gcloud and API users only: Grant the key access to the service account.
- Copy or write down the key ID (KMS_RESOURCE_ID) and location for the key, and the ID (KMS_RESOURCE_ID) for the keyring. You need this information when granting the key access to the service account.
- Go to a project and create a Cloud SQL instance
with the following options:
- The same location as the customer-managed encryption key
- The customer-managed key configuration
- The customer-managed encryption key ID
Your Cloud SQL instance is now enabled with CMEK.
Creating a service account
You need to create a service account for each project that requires
customer-managed encryption keys. Currently, you can only use
gcloud command-line tool
commands to create the type of service account you need for customer-managed
encryption keys. If you are using the Console, Cloud SQL automatically
creates this service account for you.
To create a service account with
gcloud command-line tool, run the following command:
gcloud beta services identity create --service=sqladmin.googleapis.com \ --project=[USER_PROJECT]
The previous command returns a service account name, using the following format:
You use this service account name during the procedure in Granting the key access to the service account.
Creating a key
You can create the key in the same GCP project as the Cloud SQL instance or in a separate user project. The Cloud KMS key ring location must match the region where you want to create Cloud SQL instance. A multi-region or global region key will not work. The Cloud SQL instance create request fails if the regions don't match.
Warning: Never delete the primary key version that you initially use when you create your instance. You can't restore the backup for the instance if the key version that was originally used when the instance was created is destroyed. Even when the key version is rotated, the original key version must be maintained. If it is destroyed, it can't be re-created.
To create a Cloud KMS key:
- Go to the Cryptographic keys page.
Go to the Cryptographic Keys page
- Click CREATE KEY RING.
- Add a Key ring name. Write down this name because you need it when granting the key access to the service account.
- Add a Key ring location.
- Click CREATE. The Create key page opens.
- Add a Key name.
- Select a Purpose (symmetric or asymmetric).
- Select a Rotation period and Starting on date.
- Click CREATE.
- On the Keys table, click the three dots in the last column, and select Copy Resource ID or write it down. This is the KMS_RESOURCE_ID. You need the KMS_RESOURCE_ID when granting the key access to the service account.
- Create a new key ring.
gcloud kms keyrings create [KEYRING_NAME] --location [LOCATION]Write down this name because you need it when granting the key access to the service account.
- Create a key on the key ring.
gcloud kms keys create [KEY_NAME] --location [LOCATION] \ --keyring [KEYRING_NAME] --purpose encryptionWrite down this name because you need it when granting the key access to the service account.
Granting the key access to the service account
You only need to perform this procedure if you are using gcloud or the API.
To grant access to the service account:
gcloud kms keys add-iam-policy-binding
[KEY_NAME] --location [LOCATION] --keyring [KEY_RING_NAME]
Creating a Cloud SQL instance with CMEK
To create an instance with customer-managed encryption keys:
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click Create instance.
- Choose the database engine.
- Enter a name for the instance. Do not include sensitive or personally identifiable information in your instance name; it is externally visible. You do not need to include the project ID in the instance name. This is created automatically where appropriate (for example, in the log files).
- Enter the password for the
- Set the region for your instance. Place your instance in the same region as the resources that access it. In most cases, you don't need to specify a zone.
- Under Configuration options, select all your configurations options until you reach Machine type and storage.
- Expand Machine type and storage.
- Under Encryption, choose Customer-managed key.
- Select the KMS key from the dropdown menu or manually enter the KMS_RESOURCE_ID. Only KMS keys in the same project and region as the instance are displayed. To choose a KMS key belonging to a different project but in the same region, select Don't see your key? Enter key resource ID and enter the KMS_RESOURCE_ID captured earlier.
- If the service account does not have permission to encrypt/decrypt with
the selected key, a message displays. If this happens, click Grant to
grant the service account the
Cloud IAM role on the selected KMS key.
- Once the configuration options are selected, click Create.
- You see a message explaining the implications of using customer-managed encryption key. Read and acknowledge it to proceed further with instance creation.
gcloud beta sql instances create [INSTANCE_NAME] \ --project [PROJECT_ID] \ --disk-encryption-key [KMS_RESOURCE_ID] \ --database-version=[VERSION] \ --cpu=[NUMBER_CPUS] \ --memory=[MEMORY_SIZE] \ --region=[REGION] \ --root-password=[INSERT-PASSWORD-HERE]
cURLTo create an instance with customer-managed encryption keys, pass
diskEncryptionConfigurationto the command. The value of this parameter is the KMS_RESOURCE_ID you received from the [Creating a key](#key) procedure. This cURL command uses Instances:Insert.
Creating a backup for a CMEK-enabled instance
When you create a backup of a Cloud SQL instance, the backup is encrypted with the same primary key version as the primary instance's customer-managed key.
You will see a message on the Create a backup form that says: "Your backup will be encrypted with the primary version of this instance's customer-managed encryption key. If anyone destroys or disables this key version, all backup data encrypted using that key version will be permanently lost. You can check the primary version for the key in Cloud KMS."
On the backups page, the list of backups enabled with customer-managed encryption keys have two extra columns. One column that shows that the backup is for a CMEK-enabled instance, and a column that displays the key version used to encrypt the backup.
Viewing key information for a CMEK-enabled instance
Once you successfully create a Cloud SQL instance, you can look at the instance list or the instance overview page to see that it was created using a customer-managed encryption key. The details also show the key that was used to create the instance.
Go to the Cloud SQL Instances page.
In the Instances list, scroll to the right until you see the Encryption column. In this column, you see Google-managed and Customer-managed.
Click an instance name to open its Overview page. The customer-managed encryption key is listed in the Configuration pane.
Disabling and re-enabling key versions
See the following topics:
This section describes things to try when you get an error message while setting up or using CMEK-enabled instances.
Cloud SQL administrator operations, such as create, clone, or update, might fail due to Cloud KMS errors, and missing roles or permissions. Common reasons for failure include a missing Cloud KMS key version, a disabled or destroyed Cloud KMS key version, insufficient IAM permissions to access the Cloud KMS key version, or the Cloud KMS key version is in a different region than the Cloud SQL instance. Use the following troubleshooting table to diagnose and resolve common problems.
Customer-managed encryption keys troubleshooting table
|For this error...||The issue might be...||Try this...|
|Per-product, per-project service account not found||The service account name is incorrect.||Make sure you created a service account for the correct user project.
|Cannot grant access to the service account||The user account does not have permission to grant access to this key version.||Add the Organization Administrator role on your user or service account.
|Cloud KMS key version is destroyed||The key version is destroyed.||If the key version is destroyed, you cannot use it to encrypt or decrypt data.|
|Cloud KMS key version is disabled||The key version is disabled.||Re-enable the Cloud KMS key version.
|Insufficient permission to use the Cloud KMS key||The
If the role is already on your account, see Creating a key to learn how to create a new key version. See note.
|Cloud KMS key is not found||The key version does not exist.||Create a new key version. See Creating a key. See note.|
|Cloud SQL instance and Cloud KMS key version are in different regions||The Cloud KMS key version and Cloud SQL instance must be in the same region. It does not work if the Cloud KMS key version is in a global region or multi-region.||Create a key version in the same region where you want to create instances. See Creating a key. See note.|