Use customer-managed encryption keys

Stay organized with collections Save and categorize content based on your preferences.

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for your Vertex AI Workbench managed notebooks instances.

This page describes some specific benefits and limitations of using CMEK with managed notebooks and shows how to configure a new managed notebooks instance to use CMEK.

For information about CMEK in general, including when and why to enable it, see Customer-managed encryption keys.

Benefits of CMEK

In general, CMEK is most useful if you need full control over the keys used to encrypt your data. With CMEK, you can manage your keys within Cloud Key Management Service. For example, you can rotate or disable a key or you can set up a rotation schedule by using the Cloud KMS API.

When you run a managed notebooks instance, your instance runs in a compute infrastructure managed by Google. When you enable CMEK for a managed notebooks instance, Vertex AI Workbench uses the key that you designate, rather than a key managed by Google, to encrypt your user data.

The CMEK key doesn't encrypt metadata, like the instance's name and region, associated with your managed notebooks instance. Metadata associated with managed notebooks instances is always encrypted using Google's default encryption mechanism.

Limitations of CMEK

To decrease latency and to prevent cases where resources depend on services that are spread across multiple failure domains, Google recommends that you protect regional managed notebooks instances with keys in the same location.

  • You can encrypt regional managed notebooks instances by using keys in the same location or in the global location. For example, you can encrypt user data in region us-west1 by using a key in us-west1 or global.
  • Configuring CMEK for managed notebooks doesn't automatically configure CMEK for other Google Cloud products that you use. To use CMEK to encrypt data in other Google Cloud products, you must complete additional configuration.

Configure CMEK for your managed notebooks instance

The following sections describe how to create a key ring and key in Cloud Key Management Service, grant the service account encrypter and decrypter permissions for your key, and create a managed notebooks instance that uses CMEK.

Before you begin

We recommend using a setup that supports a separation of duties. To configure CMEK for managed notebooks, you can use two separate Google Cloud projects:

  • A Cloud KMS project: a project for managing your encryption key
  • A managed notebooks project: a project for accessing managed notebooks instances and interacting with any other Google Cloud products that you need for your use case

Alternatively, you can use a single Google Cloud project. To do so, use the same project for all of the following tasks.

Set up the Cloud KMS project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Enable the Cloud KMS API.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  6. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  7. Enable the Cloud KMS API.

    Enable the API

Set up the managed notebooks project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Enable the Notebooks API.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  6. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  7. Enable the Notebooks API.

    Enable the API

Set up the Google Cloud CLI

The gcloud CLI is required for some steps on this page and optional for others. Install and initialize the Google Cloud CLI.

Create a key ring and key

When you create a key ring and key, keep the following requirements in mind:

  • When you choose your key ring's location, use either global or the location where your managed notebooks instance will be.

  • Make sure to create your key ring and key in your Cloud KMS project.

To create a key ring and a key, see Create symmetric encryption keys.

Grant managed notebooks permissions

To use CMEK for your managed notebooks instance, you must grant your managed notebooks instance's project permission to encrypt and decrypt data using your key. This permission must be granted to both the project's Google-managed service account and its service agent.

The service account and service agent are email addresses in the following formats:

Service account
        service-NOTEBOOKS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
        
Service agent
        service-NOTEBOOKS_PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com
        

Replace NOTEBOOKS_PROJECT_NUMBER with the project number for your managed notebooks instance's project.

Make note of the email addresses for your service account and service agent. You will use them in the following steps to grant your managed notebooks instance's project permission to encrypt and decrypt data using your key. You can grant permission by using the Google Cloud console or by using the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Cryptographic keys page.

    Go to Cryptographic keys

  2. Select your Cloud KMS project.

  3. Click the name of the key ring that you created in Create a key ring and key. The Key ring details page opens.

  4. Select the checkbox for the key that you created in Create a key ring and key. If an info panel labeled with the name of your key isn't already open, click Show info panel.

  5. In the info panel, click  Add member. The Add members to "KEY_NAME" dialog opens. In this dialog, do the following:

    1. In the New members field, enter the service account email address that you made a note of in the preceding section:

      service-NOTEBOOKS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com

    2. In the Select a role list, click Cloud KMS and then select the Cloud KMS CryptoKey Encrypter/Decrypter role.

    3. Click Save.

  6. Repeat the previous step to enter the service agent email address that you made a note of in the preceding section:

    service-NOTEBOOKS_PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com

gcloud

  1. Run the following command to grant the service account permission to encrypt and decrypt data using your key:

    gcloud kms keys add-iam-policy-binding KEY_NAME \
        --keyring=KEY_RING_NAME \
        --location=REGION \
        --project=KMS_PROJECT_ID \
        --member=serviceAccount:service-NOTEBOOKS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
    

    Replace the following:

    • KEY_NAME: the name of the key that you created in Create a key ring and key
    • KEY_RING_NAME: the key ring that you created in Create a key ring and key
    • REGION: the region where you created your key ring
    • KMS_PROJECT_ID: the ID of your Cloud KMS project
    • NOTEBOOKS_PROJECT_NUMBER: the project number of your managed notebooks project, which you noted in the preceding section as part of a service account email address.
  2. Run the following command to grant the service agent permission to encrypt and decrypt data using your key:

    gcloud kms keys add-iam-policy-binding KEY_NAME \
        --keyring=KEY_RING_NAME \
        --location=REGION \
        --project=KMS_PROJECT_ID \
        --member=serviceAccount:service-NOTEBOOKS_PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com` \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
    

Create a managed notebooks instance with CMEK

After you have granted your managed notebooks instance permission to encrypt and decrypt data using your key, you can create a managed notebooks instance that encrypts data using this key. Use the following steps:

  1. In the Google Cloud console, go to the Managed notebooks page.

    Go to Managed notebooks

  2. Click  New notebook.

  3. In the Notebook name field, enter a name for your instance.

  4. Click the Region list, and select a region for your instance.

  5. Click Advanced settings.

  6. In the Disk encryption section, select Customer-managed encryption key (CMEK).

  7. Click Select a customer-managed key.

    • If the customer-managed key that you want to use is in the list, select it.

    • If the customer-managed key that you want to use isn't in the list, enter the resource ID for your customer-managed key. The resource ID for your customer-managed key looks like this:

        projects/NOTEBOOKS_PROJECT_NUMBER/locations/global/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
      

      Replace the following:

  8. Complete the rest of the Create a managed notebook dialog according to your needs.

  9. Click Create.

  10. Vertex AI Workbench creates a managed notebooks instance based on your specified properties and automatically starts the instance. When the instance is ready to use, Vertex AI Workbench activates an Open JupyterLab link.

What's next