Some or all of the information on this page might not apply to Cloud de Confiance by S3NS. See Differences from Google Cloud for more details.

Use Cloud KMS keys in Cloud de Confiance

This page explains how to use Cloud KMS customer-managed encryption keys in other Cloud de Confiance services to secure your resources. For more information, see Customer-managed encryption keys (CMEK).

When a service supports CMEK, it's said to have a CMEK integration. Some services, such as GKE, have multiple CMEK integrations for protecting different types of data related to the service. For a list of services with CMEK integrations, see Enable CMEK for supported services on this page.

Before you begin

Before you can use Cloud KMS keys in other Cloud de Confiance services, you must have a project resource to contain your Cloud KMS keys. We recommend using a separate project for your Cloud KMS resources that does not contain any other Cloud de Confiance resources.

CMEK integrations

Prepare to enable CMEK integration

For the exact steps to enable CMEK, see the documentation for the relevant Cloud de Confiance service. You can find a link to the CMEK documentation for each service in Enable CMEK for supported services on this page. For each service, you can expect to follow steps similar to the following:

Create a key ring or select an existing key ring. The key ring should be located as geographically near as possible to the resources you want to secure.
In the selected key ring, create a key or select an existing key. Ensure that the protection level, purpose, and algorithm for the key are appropriate for the resources you want to protect. This key is the CMEK key.
Get the resource ID for the CMEK key. You need this resource ID later.
Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK key to the service account for the service.

Note: You can grant the Cloud KMS CryptoKey Encrypter/Decrypter role at the key, key ring, project, folder, or organization level. To follow the principle of least privilege, we recommend granting this role at the lowest level that meets your needs.
Caution: As long as your service account has the Cloud KMS CryptoKey Encrypter/Decrypter role, the service can encrypt and decrypt its data. If you revoke the role or if you disable or destroy the CMEK key, the data can no longer be accessed. Leaving your CMEK key inaccessible can affect your services.

After you have created the key and assigned the required permissions, you can create or configure a service to use your CMEK key.

Use Cloud KMS keys with CMEK-integrated services

The following steps use Secret Manager as an example. For the exact steps to use a Cloud KMS CMEK key in a given service, locate that service in the list of CMEK-integrated services.

In Secret Manager, you can use a CMEK to protect data at rest.

In the Cloud de Confiance console, go to the Secret Manager page.

Go to Secret Manager
To create a secret, click Create Secret.
In the Encryption section, select Use a customer-managed encryption key (CMEK).
In the Encryption key box do the following:
1. Optional: To use a key in another project, do the following:
  1. Click Switch project.
  2. Enter all or part of the project name in the search bar, then select the project.
  3. To view available keys for the selected project, click Select.
2. Optional: To filter available keys by location, key ring, name, or protection level, enter search terms in the filter bar.
3. Select a key from the list of available keys in the selected project. You can use the displayed location, key ring, and protection level details to be sure you choose the correct key.
4. If the key you want to use is not shown in the list, then click Enter key manually and enter the resource ID of the key
Finish configuring your secret, and then click Create secret. Secret Manager creates the secret and encrypts it using the specified CMEK key.

Enable CMEK for supported services

To enable CMEK, first locate the desired service in the following table. You can enter search terms in the field to filter the table. Products that integrate with Cloud KMS when using external Cloud EKM keys are indicated in the EKM supported column.

Follow the instructions for each service you want to enable CMEK keys for.

Service	Protected with CMEK	EKM supported	Topic
Artifact Registry	Data in repositories	Yes	Enabling customer-managed encryption keys
BigQuery	Data in BigQuery	Yes	Protecting data with Cloud KMS keys
Cloud Logging	Data in Logging storage	Yes	Manage the keys that protect Logging storage data
Cloud SQL	Data written to databases	Yes	Using customer-managed encryption keys
Cloud Storage	Data in storage buckets	Yes	Using customer-managed encryption keys
Compute Engine	Snapshots	Yes	Protecting resources with Cloud KMS keys
Compute Engine	Custom images	Yes	Protecting resources with Cloud KMS keys
Compute Engine	Machine images	Yes	Protecting resources with Cloud KMS keys
Pub/Sub	Data associated with topics	Yes	Configuring message encryption