This document provides an overview of using Cloud Key Management Service (Cloud KMS) for customer-managed encryption keys (CMEK). Using Cloud KMS CMEK gives you ownership and control of the keys that protect your data at rest in Trusted Cloud by S3NS.
Comparison of CMEK and Google Cloud-powered encryption keys
The Cloud KMS keys that you create are customer-managed keys. Trusted Cloud services that use your keys are said to have a CMEK integration. The following factors differentiate Trusted Cloud's default encryption at rest from customer-managed keys:
| Type of key | Customer-managed | Google Cloud-powered encryption key (Google default encryption) |
|---|---|---|
| Can view key metadata | Yes | No |
| Ownership of keys¹ | Customer | Trusted Cloud |
| Management of keys² | Customer, manual control only | Trusted Cloud |
| Control of keys³ | Customer | Trusted Cloud |
| Supports regulatory requirements for customer-managed keys | Yes | No |
| Key sharing | Unique to a customer | Data from multiple customers is typically protected by shared key encryption keys (KEKs). |
| Control of key rotation | Yes | No |
| CMEK organization policies | Yes | No |
| Logical data separation through encryption | Yes | No |
| Pricing | Varies by protection level | Free |
¹ The owner of the key indicates who holds the rights to the key. Keys that you own have tightly restricted access or no access by Google.
² Management of keys includes the following tasks:
- Create keys.
- Choose the protection level of the keys.
- Assign authority for management of the keys.
- Control access to keys.
- Control usage of keys.
- Set and modify the rotation period of keys, or trigger a rotation of keys.
- Change key status.
- Destroy key versions.
³ Control of keys means setting controls on the kind of keys and how the keys are used, detecting variance, and planning corrective action if needed. You can control your keys, but delegate management of the keys to a third party.
Default encryption with Google Cloud-powered encryption keys
All data stored within Trusted Cloud is encrypted at rest using the same hardened key management systems that Trusted Cloud uses for its own encrypted data. These key management systems provide strict key access controls and auditing, and encrypt user data at rest using the AES-256 encryption standard. Trusted Cloud owns and controls the keys used to encrypt your data. You can't view or manage these keys or review key usage logs. Data from multiple customers might use the same key encryption key (KEK). No setup, configuration, or management is required.
Customer-managed encryption keys (CMEK)
Customer-managed encryption keys are encryption keys that you own. This capability lets you have greater control over the keys used to encrypt data at rest within supported Trusted Cloud services, and provides a cryptographic boundary around your data.
Services that support CMEK have a CMEK integration. CMEK integration is a server-side encryption technology that you can use in place of Trusted Cloud's default encryption. After CMEK is set up, the operations to encrypt and decrypt resources are handled by the resource service agent. Because CMEK-integrated services handle access to the encrypted resource, encryption and decryption can take place transparently, without end-user effort. The experience of accessing resources is similar to using Trusted Cloud's default encryption. For more information about CMEK integration, see What a CMEK-integrated service provides.
You can use unlimited key versions for each key.
To learn whether a service supports CMEKs, see the list of supported services.
Using Cloud KMS incurs costs related to the number of key versions and cryptographic operations with those key versions.
When to use customer-managed encryption keys
You can use CMEKs in compatible services to help you meet the following goals:
- Own your encryption keys.
- Control and manage your encryption keys, including choice of location, protection level, creation, access control, rotation, use, and destruction.
- Generate key material in Cloud KMS or import key material that is maintained outside of Trusted Cloud.
- Set policy regarding where your keys must be used.
- Selectively delete data protected by your keys in the case of off-boarding or to remediate security events (crypto-shredding).
- Create and use keys that are unique to a customer, establishing a cryptographic boundary around your data.
- Log administrative and data access to encryption keys.
- Meet current or future regulation that requires any of these goals.
What a CMEK-integrated service provides
Like Trusted Cloud's default encryption, CMEK is server-side, symmetric, envelope encryption of customer data. The difference from Trusted Cloud's default encryption is that CMEK protection uses a key that a customer controls.
Cloud services that have a CMEK integration use keys you create in Cloud KMS to protect your resources.
Services that are integrated with Cloud KMS use symmetric encryption.
You choose the protection level of the key.
All keys are 256-bit AES-GCM.
Key material never leaves the Cloud KMS system boundary.
Your symmetric keys are used to encrypt and decrypt in the envelope encryption model.
CMEK-integrated services handle resource access
The principal that creates or views resources in the CMEK-integrated service does not require the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK used to protect the resource.
Each project resource has a special service account called a service agent that performs encryption and decryption with customer-managed keys. After you give the service agent access to a CMEK, that service agent will use that key to protect the resources of your choice.
When a requester wants to access a resource encrypted with a customer-managed key, the service agent automatically attempts to decrypt the requested resource. If the service agent has permission to decrypt using the key, and you have not disabled or destroyed the key, the service agent uses the key to encrypt and decrypt on the requester's behalf. Otherwise, the request fails.
No additional requester access is required, and since the service agent handles the encryption and decryption in the background, the user experience for accessing resources is similar to using Trusted Cloud's default encryption.
Planning and creating CMEKs
When you use CMEKs, you must plan and create key rings, keys, and resource locations before you can create protected resources. You can then use your keys to protect the resources.
For the exact steps to enable CMEK, see the documentation for the relevant Trusted Cloud service. Some services, such as GKE, have multiple CMEK integrations for protecting different types of data related to the service. You can expect to follow steps similar to the following:
1. Create a Cloud KMS key ring or choose an existing key ring. When creating your key ring, choose a location that is geographically near to the resources you're protecting. The key ring can be in the same project as the resources you're protecting or in different projects. Using different projects gives you greater control over IAM roles and helps support separation of duties.
2. Create or import a Cloud KMS key in the chosen key ring. This key is the CMEK.
3. Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK to the service account for the service.
4. When creating a resource, configure the resource to use the CMEK. For example, you can configure a BigQuery table to protect data at rest in the table.

For a requester to gain access to the data, they don't need direct access to the CMEK. As long as the service agent has the CryptoKey Encrypter/Decrypter role, the service can encrypt and decrypt its data. If you revoke this role, or if you disable or destroy the CMEK, that data can't be accessed.
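The envelope model (What a CMEK-integrated service provides), the service-agent gate (CMEK-integrated services handle resource access) and the revoke/disable consequence just stated, as an added illustration that is not part of this documentation or of Cloud KMS itself: a stand-in KMS holds a 256-bit AES-GCM KEK that never leaves it, a hypothetical service agent wraps a per-resource DEK through it, and removing the role binding or disabling the key makes existing data unreadable. The type and function names (KMS, Use, Protect, Read) and the agent strings are assumptions of the example.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

// KMS stands in for the Cloud KMS boundary: the KEK never leaves it, and callers
// get only wrap/unwrap, gated by key state and the IAM role binding.
type KMS struct {
	kek     []byte
	Enabled bool            // false once the CMEK is disabled or destroyed
	Agents  map[string]bool // service agents granted cryptoKeyEncrypterDecrypter
}
func NewKMS() *KMS {
	m := &KMS{kek: make([]byte, 32), Enabled: true, Agents: map[string]bool{}}
	rand.Read(m.kek) // AES-256 key material, generated inside the boundary
	return m
}
// gcm is AES-256-GCM with the random nonce prefixed to the ciphertext; decrypt=true reverses it.
func gcm(key, in []byte, decrypt bool) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	n := g.NonceSize()
	if !decrypt {
		nonce := make([]byte, n)
		rand.Read(nonce)
		return g.Seal(nonce, nonce, in, nil), nil
	}
	if len(in) < n { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, in[:n], in[n:], nil)
}

// Use is the gate every service-agent request passes: no role binding, or a non-enabled key, fails it.
func (m *KMS) Use(agent string, unwrap bool, in []byte) ([]byte, error) {
	if !m.Agents[agent] { return nil, errors.New("permission denied: no cryptoKeyEncrypterDecrypter") }
	if !m.Enabled { return nil, errors.New("key version is disabled or destroyed") }
	return gcm(m.kek, in, unwrap)
}

// Protect is the agent's write path: data sealed under a fresh per-resource DEK, and only
// the CMEK-wrapped DEK stored beside it. Read reverses it; the requester never touches the CMEK.
func Protect(m *KMS, agent string, data []byte) (ct, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	if wrappedDEK, err = m.Use(agent, false, dek); err != nil { return nil, nil, err }
	ct, err = gcm(dek, data, false)
	return ct, wrappedDEK, err
}

func Read(m *KMS, agent string, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := m.Use(agent, true, wrappedDEK)
	if err != nil { return nil, err }
	return gcm(dek, ct, true)
}
```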
CMEK compliance
Some services have CMEK integrations, and allow you to manage keys yourself. Some services instead offer CMEK compliance, meaning the temporary data and ephemeral key are never written to disk. For a complete list of integrated and compliant services, see CMEK compatible services.
CMEK organization policies
Trusted Cloud offers organization policy constraints to help ensure consistent CMEK usage across an organization resource. These constraints provide controls to Organization Administrators to require CMEK usage and to specify limitations and controls on the Cloud KMS keys used for CMEK protection, including the following:
- Limits on the allowed protection levels of keys
- Limits on the location of CMEKs
- Controls for key version destruction
What's next
- See the list of services with CMEK integrations.
- See the list of CMEK-compliant services.
- See the list of services supported by Autokey.