You can encrypt data on a Compute Engine instance’s persistent disk in GCP using various encryption options. By default, GCP automatically encrypts data at rest using Google-managed encryption keys. However, you can also use customer-managed encryption keys (CMEK) or customer-supplied encryption keys (CSEK) for more control over your encryption keys.
1. Using Google-managed encryption keys (default):
No additional action is required, as GCP automatically encrypts data at rest on persistent disks using Google-managed encryption keys.
2. Using Customer-managed encryption keys (CMEK):
a. Create a KeyRing and CryptoKey in Cloud Key Management Service (KMS). You can do this in the GCP Console or via the gcloud CLI:
- GCP Console: Navigate to Security > Cryptographic Keys, create a KeyRing, and then create a CryptoKey in that KeyRing.
- gcloud CLI: Use the following commands to create a KeyRing and CryptoKey:
gcloud kms keyrings create KEYRING_NAME --location LOCATION
gcloud kms keys create CRYPTOKEY_NAME --keyring KEYRING_NAME --location LOCATION --purpose encryption
Replace KEYRING_NAME, CRYPTOKEY_NAME, and LOCATION with appropriate values.
b. When creating a Compute Engine instance with a persistent disk, specify the CryptoKey to use for encryption:
- GCP Console: In the “Create an instance” dialog, under “Boot disk,” click “Change,” then select “Encryption,” and choose “Customer-managed key” and pick the CryptoKey you created.
- gcloud CLI: Use the --boot-disk-kms-key flag with the full resource name of the CryptoKey when creating a new instance:
gcloud compute instances create INSTANCE_NAME --image-family IMAGE_FAMILY --image-project IMAGE_PROJECT --boot-disk-size BOOT_DISK_SIZE --boot-disk-kms-key projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/CRYPTOKEY_NAME --zone ZONE
Replace all placeholders with appropriate values.
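The CMEK steps above leave out one thing that trips people up in practice: Compute Engine encrypts the disk through its own service agent (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com), and that account must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, or the instance creation fails with a permission error. The following script is an added example, not part of the original post. It wires the steps together, adds that IAM grant, and then reads the disk back to confirm it really reports your key. All project, location, key and instance names are placeholders you replace; the Debian image family is just one public image chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end CMEK setup for a
# Compute Engine boot disk. Every value below is a placeholder assumption.
PROJECT_ID="${PROJECT_ID:-my-project-id}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # constructed placeholder
LOCATION="${LOCATION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
KEYRING_NAME="${KEYRING_NAME:-vm-disk-keyring}"
CRYPTOKEY_NAME="${CRYPTOKEY_NAME:-vm-disk-key}"
INSTANCE_NAME="${INSTANCE_NAME:-cmek-vm}"

# Full resource name expected by --boot-disk-kms-key.
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Compute Engine uses this service agent to call KMS on your behalf; it needs
# the encrypter/decrypter role on the key before the disk can be created.
compute_service_agent() {
  printf 'service-%s@compute-system.iam.gserviceaccount.com' "$1"
}

provision_cmek_disk() {
  key=$(kms_key_resource "$PROJECT_ID" "$LOCATION" "$KEYRING_NAME" "$CRYPTOKEY_NAME")
  agent=$(compute_service_agent "$PROJECT_NUMBER")

  gcloud kms keyrings create "$KEYRING_NAME" --location "$LOCATION" --project "$PROJECT_ID"
  gcloud kms keys create "$CRYPTOKEY_NAME" --keyring "$KEYRING_NAME" \
    --location "$LOCATION" --purpose encryption --project "$PROJECT_ID"
  gcloud kms keys add-iam-policy-binding "$CRYPTOKEY_NAME" \
    --keyring "$KEYRING_NAME" --location "$LOCATION" --project "$PROJECT_ID" \
    --member "serviceAccount:$agent" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter

  gcloud compute instances create "$INSTANCE_NAME" --zone "$ZONE" --project "$PROJECT_ID" \
    --image-family debian-12 --image-project debian-cloud \
    --boot-disk-kms-key "$key"

  # Verify: the boot disk (named after the instance by default) should report
  # the key (usually with a /cryptoKeyVersions/N suffix). An empty value means
  # the disk silently ended up on Google-managed keys instead.
  actual=$(gcloud compute disks describe "$INSTANCE_NAME" --zone "$ZONE" \
    --project "$PROJECT_ID" --format='value(diskEncryptionKey.kmsKeyName)')
  case "$actual" in
    "$key"*) echo "OK: disk encrypted with $actual" ;;
    *) echo "MISMATCH: expected $key, got '${actual:-<none>}'" >&2; return 1 ;;
  esac
}

# gcloud is only called when explicitly requested, so the file can be sourced
# to reuse the helper functions without touching any project.
if [ "${APPLY_CMEK:-0}" = "1" ]; then provision_cmek_disk; fi
```

Run it with APPLY_CMEK=1 and the environment variables set for your project. The final describe call is the part worth keeping in any automation: a CMEK request that is misspelled or points at a key in the wrong location does not always fail loudly, so checking diskEncryptionKey.kmsKeyName after creation is how you prove the disk is on the key you intended.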
3. Using Customer-supplied encryption keys (CSEK):
a. Generate a 256-bit (32-byte) AES key and base64-encode it. You can use tools like OpenSSL for this:
openssl rand -base64 32
b. When creating a Compute Engine instance with a persistent disk, specify the customer-supplied encryption key:
- GCP Console: In the “Create an instance” dialog, under “Boot disk,” click “Change,” then select “Encryption,” and choose “Customer-supplied key” and enter the base64-encoded encryption key.
- gcloud CLI: Use the --csek-key-file flag when creating a new instance:
echo '[{"uri": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/INSTANCE_NAME", "key": "BASE64_KEY", "key-type": "raw"}]' > csek_key_file.json
gcloud compute instances create INSTANCE_NAME --image-family IMAGE_FAMILY --image-project IMAGE_PROJECT --boot-disk-size BOOT_DISK_SIZE --csek-key-file csek_key_file.json --zone ZONE
Replace all placeholders with appropriate values.
Remember that with customer-supplied encryption keys, you are responsible for managing and securing the keys. If you lose the key, you will not be able to access the data on the encrypted disk.
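Because nobody but you holds a CSEK, the two things worth automating are checking the key before you hand it to gcloud (a key that is not exactly 32 bytes is rejected, and a malformed key file is easy to write by hand) and confirming afterwards that the disk is bound to the key you generated. The script below is an added example, not part of the original post. It generates the key, writes the key file in the list-of-objects form that --csek-key-file expects, validates the key length, creates the instance, and then compares the SHA-256 that the API reports for the disk (the API never returns the key itself) against the hash of the local key. Project, zone and instance names are placeholders; the Debian image family is just one public image chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a CSEK, write it in the
# format --csek-key-file expects, sanity-check it, and verify the binding.
# PROJECT_ID, ZONE and INSTANCE_NAME are placeholder assumptions.
PROJECT_ID="${PROJECT_ID:-my-project-id}"
ZONE="${ZONE:-us-central1-a}"
INSTANCE_NAME="${INSTANCE_NAME:-csek-vm}"
KEY_FILE="${KEY_FILE:-csek_key_file.json}"

# 32 random bytes, base64-encoded (44 characters). Falls back to /dev/urandom
# when openssl is not installed.
generate_csek() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64
  fi
}

# Decode and count bytes: Compute Engine accepts only a 32-byte raw key.
csek_key_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# The key file needs the full disk URI; the boot disk takes the instance name
# by default, so that is the disk we bind the key to.
disk_uri() {
  printf 'https://www.googleapis.com/compute/v1/projects/%s/zones/%s/disks/%s' "$1" "$2" "$3"
}

# --csek-key-file takes a JSON list, one entry per disk. $1 = output path,
# $2 = disk URI, $3 = base64 key. Refuses to write a key of the wrong size.
write_csek_key_file() {
  [ "$(csek_key_bytes "$3")" = "32" ] || { echo "key is not 32 bytes" >&2; return 1; }
  printf '[{"uri": "%s", "key": "%s", "key-type": "raw"}]\n' "$2" "$3" > "$1"
  chmod 600 "$1"   # this file IS the key; treat it like one
}

create_csek_instance() {
  key=$(generate_csek)
  write_csek_key_file "$KEY_FILE" "$(disk_uri "$PROJECT_ID" "$ZONE" "$INSTANCE_NAME")" "$key"
  gcloud compute instances create "$INSTANCE_NAME" --zone "$ZONE" --project "$PROJECT_ID" \
    --image-family debian-12 --image-project debian-cloud \
    --csek-key-file "$KEY_FILE"
  # Verify: the API exposes only the base64 SHA-256 of the key, so hash ours
  # the same way and compare.
  expected=$(printf '%s' "$key" | base64 -d | openssl dgst -sha256 -binary | base64)
  actual=$(gcloud compute disks describe "$INSTANCE_NAME" --zone "$ZONE" \
    --project "$PROJECT_ID" --format='value(diskEncryptionKey.sha256)')
  if [ "$actual" = "$expected" ]; then
    echo "OK: disk is bound to the key in $KEY_FILE"
  else
    echo "SHA-256 mismatch: expected $expected, got '${actual:-<none>}'" >&2
    return 1
  fi
}

# gcloud is only called when explicitly requested.
if [ "${APPLY_CSEK:-0}" = "1" ]; then create_csek_instance; fi
```

Run it with APPLY_CSEK=1 once the variables are set. Keep the key file: the same --csek-key-file is needed again for later operations on that disk, such as gcloud compute instances start and gcloud compute disks snapshot, and if the file is gone there is no recovery path for the data.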
By following these steps, you can encrypt the data on a Compute Engine instance’s persistent disk using the desired encryption key management option.