Google Cloud CMEK
Encrypting your resources quickly and effectively is possible with the help of the new Cloud KMS Autokey.
Encryption is fundamental to data security, sovereignty, and privacy in the cloud. Google Cloud encrypts customer data at rest by default, but many businesses want more control over the encryption keys that gate access to their data.
What is CMEK?
Customer-Managed Encryption Keys (CMEK) give you more control over how cryptographic keys are created, rotated, stored, and how their usage is logged. CMEK provides the control that many organisations require, but using it involves manual steps that take time and effort to ensure the necessary configurations and controls are in place.
Cloud KMS
Today, Google is happy to announce the preview of Cloud KMS Autokey, which makes CMEK setup more efficient. Cloud KMS Autokey automates the key control procedures for CMEK, so developers can finish their work more quickly. It builds in best practices that can drastically reduce the labour involved in maintaining your own encryption keys.
Cloud KMS keys that you create and control are customer-managed keys. Google services that use your keys are said to have a CMEK integration. You can manage these keys directly or through Cloud KMS Autokey.
GCP Customer Managed Encryption Keys
Google-owned and Google-managed keys are used for default encryption
All customer data stored at rest in Google Cloud is encrypted with the same hardened key management systems that Google uses for its own encrypted data. Data is encrypted with AES-256, and these key management systems enforce strict access controls and auditing on the keys. The encryption keys that protect your data are owned and managed by Google: you cannot view, manage, or audit the keys or their usage logs, and a single key encryption key (KEK) may be shared by data belonging to several customers. No setup, configuration, or management on your part is required.
Customer-managed encryption keys (CMEK)
With CMEK, the encryption keys are handled by you, the customer. This gives you more control over the keys used to encrypt data at rest in the Google Cloud services that support it, and draws a cryptographic boundary around that data. Cloud KMS lets you manage CMEK directly, or you can use Cloud KMS Autokey to automate key provisioning and assignment.
Services that support CMEK provide a CMEK integration, through which CMEK-based server-side encryption replaces Google's default encryption. Once CMEK is configured, the service's service agent handles the encryption and decryption of its resources.
Because CMEK-integrated services manage access to the resources themselves, encryption and decryption are transparent and require no end-user effort: accessing the resources feels the same as with Google's default encryption. Refer to What a CMEK-integrated service offers for additional details regarding CMEK integration.
With Cloud KMS Autokey, key creation happens automatically. Key rings and keys are generated at the same time as the resources they protect, and the IAM roles required for encryption and decryption are granted automatically. Autokey also selects the appropriate type of key for each resource, reducing complexity and the labour of manual selection.
Here’s how it operates
BigQuery CMEK
Imagine you are assigned a project that requires a BigQuery dataset, Compute Engine instances with persistent disks, and a Cloud Storage bucket, and the data in each of these services must be encrypted with a key that you manage. When you configure encryption for these resources, you choose "Cloud KMS with Autokey" in the console.
When you request your key, if no key ring exists yet for that project and location, Cloud KMS Autokey creates one, together with your new encryption key, in the same location as your resource.
Creating encryption keys with Cloud KMS Autokey supports three essential aims of a CMEK implementation:
- Maintaining standardised procedures: the Cloud KMS Autokey service account creates keys on request, following the best practices built into Cloud KMS Autokey.
- Creating fine-grained cryptographic keys: because each key is generated at a granularity suited to its resource type, you can perform operations such as crypto-shredding, or enable or disable a key, with finer control and without affecting many protected resources at once.
- Getting more done in less time: developers can create CMEK-protected resources immediately instead of waiting for another team to provision fresh keys.
Cloud KMS Autokey is enabled at the folder level. Developers working on projects in that folder can then use Autokey, and the KMS administrator does not need to plan ahead or create keys for those projects.
Authorised users can request a cryptographic key directly from the Cloud KMS Autokey service account while preserving separation of duties. Because no elevated key-creation privileges are needed, Terraform and other infrastructure-as-code pipelines can run as authorised users with a smaller attack surface. Rather than handling the key itself, the Terraform resource creates a key handle, and the key handle supplies the key used to protect the resource.
- Once configured, Cloud KMS Autokey acts as a key-management helper and does the following:
- Creates a key ring for the location, if one does not already exist.
- Creates a key with the right location and granularity for the resource type, following the guidelines built into Cloud KMS Autokey, if a suitable key does not already exist.
- Creates a service agent in the project where the encrypted resources will live, if one does not already exist.
- Grants the service agent permission to encrypt and decrypt data with that key.
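The following Terraform configuration is an added example, not code from the original article or from Google: it wires up the scenario described above (a persistent disk, a Cloud Storage bucket, and a BigQuery dataset, each protected by an Autokey-provisioned key) using the `google_kms_autokey_config` and `google_kms_key_handle` resources of the HashiCorp `google` provider. The folder ID, project IDs, resource names and location are placeholders supplied as variables; the `resource_type_selector` values and the `kms_key` output attribute are assumed to match the provider version in use, so check them against your provider's documentation before applying.

```hcl
# Added example: Autokey-protected resources via Terraform. Assumes a folder in
# which Autokey may be enabled, a dedicated key project, a resource project
# under that folder, and a google provider version that includes the Autokey
# resources. All IDs below are placeholders.

variable "folder_id" {
  type        = string
  description = "Numeric ID of the folder where Autokey is enabled (placeholder)"
}

variable "key_project_id" {
  type        = string
  description = "Project that will hold the Autokey-created key rings and keys (placeholder)"
}

variable "resource_project_id" {
  type        = string
  description = "Project under the folder that owns the protected resources (placeholder)"
}

variable "location" {
  type    = string
  default = "us-central1" # keys are created in the same location as the resource
}

# 1. Enable Autokey on the folder: projects beneath it get their CMEK keys
#    provisioned automatically in the dedicated key project.
resource "google_kms_autokey_config" "folder" {
  folder      = var.folder_id
  key_project = "projects/${var.key_project_id}"
}

# 2. Request one key handle per resource type. Autokey creates (or reuses) a
#    key ring in the location, creates a key at the granularity suited to the
#    resource type, and grants the resource project's service agent
#    encrypt/decrypt rights on it. The caller needs no KMS admin privileges.
resource "google_kms_key_handle" "disk" {
  project                = var.resource_project_id
  name                   = "disk-key-handle"
  location               = var.location
  resource_type_selector = "compute.googleapis.com/Disk"
  depends_on             = [google_kms_autokey_config.folder]
}

resource "google_kms_key_handle" "bucket" {
  project                = var.resource_project_id
  name                   = "bucket-key-handle"
  location               = var.location
  resource_type_selector = "storage.googleapis.com/Bucket"
  depends_on             = [google_kms_autokey_config.folder]
}

resource "google_kms_key_handle" "dataset" {
  project                = var.resource_project_id
  name                   = "dataset-key-handle"
  location               = var.location
  resource_type_selector = "bigquery.googleapis.com/Dataset"
  depends_on             = [google_kms_autokey_config.folder]
}

# 3. Protect each resource with the key its handle resolved to. The key name
#    comes from the handle's kms_key output; this configuration never creates
#    or binds IAM on the key itself.
resource "google_compute_disk" "data" {
  project = var.resource_project_id
  name    = "cmek-disk"
  zone    = "${var.location}-a"
  size    = 10

  disk_encryption_key {
    kms_key_self_link = google_kms_key_handle.disk.kms_key
  }
}

resource "google_storage_bucket" "data" {
  project                     = var.resource_project_id
  name                        = "${var.resource_project_id}-cmek-bucket" # bucket names are global
  location                    = var.location
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_key_handle.bucket.kms_key
  }
}

resource "google_bigquery_dataset" "data" {
  project    = var.resource_project_id
  dataset_id = "cmek_dataset"
  location   = var.location # must match the key's location

  default_encryption_configuration {
    kms_key_name = google_kms_key_handle.dataset.kms_key
  }
}
```

Two design points worth noting: each resource type gets its own key handle, so disabling or destroying the disk key (for example, to crypto-shred the disks) leaves the bucket and dataset untouched, and the identity running `terraform apply` only needs permission to create key handles and the resources, not `roles/cloudkms.admin`, which is the separation of duties the article describes. After applying, confirm in Cloud Audit Logs that the resource project's service agents were granted encrypt/decrypt on the new keys and that no broader role was bound.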