Encrypt a TPU VM boot disk with a customer-managed encryption key (CMEK)

By default, Cloud TPU encrypts customer content at rest. Cloud TPU handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Cloud TPU. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Cloud TPU resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

After creating a CMEK, you will need to grant the Compute Engine service account access to your key.

Grant permission to use the key

You must grant the Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) IAM role on the Cloud KMS key to the Compute Engine service agent in your Google Cloud project. Granting this role allows the Compute Engine service to access and use your encryption key.

To grant the roles/cloudkms.cryptoKeyEncrypterDecrypter role to the Compute Engine service agent, select one of the following options:

gcloud

Run the following command:

gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location LOCATION \
    --keyring RING_NAME \
    --member serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --project KEY_PROJECT_ID

Replace the following:

  • KEY_NAME: the name of your key.
  • LOCATION: the location where you created your key ring.
  • RING_NAME: the name of your key ring.
  • PROJECT_NUMBER: your Google Cloud project number.
  • KEY_PROJECT_ID: your key project ID.

Console

  1. In the Google Cloud console, go to the Key management page.

    Go to Key management

  2. Click the name of the key ring that contains the key.

  3. Click the name of the key that you want to modify.

  4. Click the Permissions tab.

  5. Click Grant access. The Grant access to key pane opens.

  6. In the New principals field, enter the name of the Compute Engine service agent:

    service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com

    Replace PROJECT_NUMBER with your Google Cloud project number.

  7. In the Select a role menu, select Cloud KMS CryptoKey Encrypter/Decrypter.

  8. Click Save.

Create a TPU VM with a CMEK

You can specify a CMEK when creating a TPU VM by using the TPU API or the Queued Resources API.

TPU API

To specify a CMEK when creating a TPU VM by using the Cloud TPU API, pass the --boot-disk argument to the tpu-vm create command with the encryption key to use:

gcloud compute tpus tpu-vm create TPU_NAME \
    --zone ZONE \
    --boot-disk kms-key=projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
    --version=TPU_RUNTIME_VERSION \
    --accelerator-type=ACCELERATOR_TYPE

Replace the following:

  • TPU_NAME: the name of your TPU VM.
  • ZONE: the zone where you plan to create your Cloud TPU.
  • PROJECT_ID: your Google Cloud project ID.
  • REGION: the region where you created your key ring.
  • RING_NAME: the name of your key ring.
  • KEY_NAME: the name of your key.
  • TPU_RUNTIME_VERSION: the Cloud TPU software version.
  • ACCELERATOR_TYPE: the accelerator type for your Cloud TPU that you want to create. For more information about supported accelerator types for each TPU version, see TPU versions.
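The following script is an added example and is not part of the Cloud TPU documentation. It chains the two steps on this page, granting the Compute Engine service agent the Encrypter/Decrypter role on the key and then creating the TPU VM with --boot-disk kms-key=, and adds a check after each step: that the service agent really holds the role on the key, and that the created node reports the key. It assumes gcloud is installed and authenticated, that LOCATION (the key ring location used in the grant) is the same value as REGION in the key path, and that tpu-vm describe output includes the configured key name (the exact field path is deliberately not relied on). The DRY_RUN switch, the input validation and the verify_* helpers are mine, not Google's.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloud TPU documentation: run the grant step and
# the tpu-vm create step, verifying each. DRY_RUN=1 prints the gcloud
# commands instead of running them and skips the verification calls.

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build the fully qualified Cloud KMS key name used by --boot-disk kms-key=.
# Args: KEY_PROJECT_ID LOCATION RING_NAME KEY_NAME. Empty components or
# components containing '/' are rejected: they would address a different key
# or fail at create time.
kms_key_resource() {
  local part
  for part in "$1" "$2" "$3" "$4"; do
    case "$part" in
      ""|*/*) return 1 ;;
    esac
  done
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# IAM member string for the Compute Engine service agent of a project.
# Project numbers are all digits; anything else (for example a project ID
# pasted where the number belongs) is rejected.
compute_service_agent() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  printf 'serviceAccount:service-%s@compute-system.iam.gserviceaccount.com\n' "$1"
}

# Step 1: grant Encrypter/Decrypter on the key to the service agent.
# Args: KEY_PROJECT_ID LOCATION RING_NAME KEY_NAME PROJECT_NUMBER
grant_key_access() {
  local member
  member="$(compute_service_agent "$5")" || return 1
  run gcloud kms keys add-iam-policy-binding "$4" \
    --location "$2" --keyring "$3" --project "$1" \
    --member "$member" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# True when MEMBER is one of the newline-separated members read from stdin.
member_listed() {
  grep -Fxq -- "$1"
}

# Check step 1 took effect: list the members holding the role on the key and
# look for the service agent. Same args as grant_key_access.
verify_key_access() {
  gcloud kms keys get-iam-policy "$4" \
    --location "$2" --keyring "$3" --project "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/cloudkms.cryptoKeyEncrypterDecrypter" \
    --format="value(bindings.members)" \
    | member_listed "$(compute_service_agent "$5")"
}

# Step 2: create the TPU VM with a CMEK-encrypted boot disk.
# Args: TPU_NAME ZONE KEY_RESOURCE TPU_RUNTIME_VERSION ACCELERATOR_TYPE
create_tpu_vm() {
  run gcloud compute tpus tpu-vm create "$1" --zone "$2" \
    --boot-disk "kms-key=$3" \
    --version="$4" --accelerator-type="$5"
}

# Check step 2: the node description must mention the key resource name.
# Assumption: describe output includes the configured key name; the exact
# field path is not relied on.
verify_tpu_cmek() {
  gcloud compute tpus tpu-vm describe "$1" --zone "$2" --format=json \
    | grep -Fq -- "$3"
}

# End-to-end run, enabled only when RUN_EXAMPLE=1 so the functions above can
# be sourced from other scripts. All placeholder values come from the
# environment (KEY_PROJECT_ID, LOCATION, RING_NAME, KEY_NAME, PROJECT_NUMBER,
# TPU_NAME, ZONE, TPU_RUNTIME_VERSION, ACCELERATOR_TYPE).
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  key="$(kms_key_resource "$KEY_PROJECT_ID" "$LOCATION" "$RING_NAME" "$KEY_NAME")" \
    || { echo "invalid key components" >&2; exit 1; }
  grant_key_access "$KEY_PROJECT_ID" "$LOCATION" "$RING_NAME" "$KEY_NAME" "$PROJECT_NUMBER"
  [ "${DRY_RUN:-0}" = "1" ] \
    || verify_key_access "$KEY_PROJECT_ID" "$LOCATION" "$RING_NAME" "$KEY_NAME" "$PROJECT_NUMBER" \
    || { echo "service agent is not an Encrypter/Decrypter on $key" >&2; exit 1; }
  create_tpu_vm "$TPU_NAME" "$ZONE" "$key" "$TPU_RUNTIME_VERSION" "$ACCELERATOR_TYPE"
  [ "${DRY_RUN:-0}" = "1" ] \
    || verify_tpu_cmek "$TPU_NAME" "$ZONE" "$key" \
    || { echo "$TPU_NAME does not report boot disk key $key" >&2; exit 1; }
fi
```

Run it with the placeholders exported and RUN_EXAMPLE=1; add DRY_RUN=1 first to review the exact gcloud invocations before anything is changed. The post-create check matters because a create that silently falls back to Google default encryption (for example because the key path was mistyped) looks identical from the outside until you inspect the node.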

Queued Resources API

To specify a CMEK when creating a TPU VM by using the Queued Resources API, pass the --boot-disk argument to the queued-resources create command with the encryption key to use:

gcloud compute tpus queued-resources create QUEUED_RESOURCE_ID \
    --zone ZONE \
    --node-id NODE_ID \
    --boot-disk kms-key=projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
    --runtime-version=TPU_RUNTIME_VERSION \
    --accelerator-type=ACCELERATOR_TYPE

Replace the following:

  • QUEUED_RESOURCE_ID: the user-assigned ID of the queued resource request.
  • ZONE: the zone where you plan to create your Cloud TPU.
  • NODE_ID: the user-assigned ID of the Cloud TPU that is created when the queued resource request is allocated.
  • PROJECT_ID: your Google Cloud project ID.
  • REGION: the region where you created your key ring.
  • RING_NAME: the name of your key ring.
  • KEY_NAME: the name of your key.
  • TPU_RUNTIME_VERSION: the Cloud TPU software version.
  • ACCELERATOR_TYPE: the accelerator type for your Cloud TPU that you want to create. For more information about supported accelerator types for each TPU version, see TPU versions.

For information about creating TPU VMs with CMEKs by using GKE, see Use customer-managed encryption keys in the GKE documentation.

Deleted or revoked CMEKs

If a CMEK is revoked or deleted, any TPU VM that uses a boot disk encrypted with that CMEK is not automatically shut down. The TPU VM can still access data on the encrypted boot disk until the VM is shut down or restarted. This lets you recover your data if you restore access to a revoked or deleted key. If you re-enable the key, you can start or repair your TPU VM, and the boot disk is decrypted and loaded successfully.