Disk encryption on GCP
Cloudbreak supports encryption options available on Google Cloud’s Compute Engine. Refer to this section if you would like to encrypt key encryption keys used for cluster storage on Google Cloud.
As stated in Protecting resources with Cloud KMS Keys in Google Cloud documentation, “By default, Compute Engine encrypts customer content at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can use key encryption keys. Key encryption keys do not directly encrypt your data but are used to encrypt the data encryption keys that encrypt your data.”
Google Cloud’s Compute Engine offers two options for these key encryption keys:
- Using the Cloud Key Management Service to create and manage encryption keys, known as "customer-managed encryption keys" (CMEK).
- Creating and managing your own encryption keys, known as "customer-supplied encryption keys" (CSEK).
When Cloudbreak provisions resources in Compute Engine on your behalf, Compute Engine applies data encryption as usual and you have an option to configure one of these two methods to encrypt the encryption keys that are used for data encryption.
Since an encryption option must be specified for each host group, it is possible to either have one encryption key for multiple host groups or to have a separate encryption key for each host group. Once the encryption is configured for a given host group, it is automatically applied to any new devices added as a result of cluster scaling.
Overview of configuring key encryption
In order to configure key encryption by using a KMS key (CMEK) or a custom key (CSEK):
- You must enable all required APIs and permissions as described in Google Cloud documentation.
- Your encryption key must be in the same project and location where you would like to create clusters.
- The service account used for the Cloudbreak credential must have the minimum required permissions.
- When creating a cluster, you must explicitly select an existing encryption option for each host group on which you would like to configure disk encryption.
These requirements are described in detail in the following sections.
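As an added illustration, not part of Cloudbreak's own code or documentation, the Python helper below checks a Cloud KMS key name against the same-project, same-location requirement above (CMEK) and builds one raw-key entry in the JSON layout gcloud's --csek-key-file expects (CSEK). The KMS resource-name layout, deriving the key location from the cluster zone's region, and the key-file field names are assumptions taken from Google Cloud's public documentation; all project, zone and key names are constructed samples.

```python
import base64
import json
import os
import re

# Assumed resource-name shape of a Cloud KMS key:
# projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>
_KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def zone_to_region(zone: str) -> str:
    """'us-central1-a' -> 'us-central1' (assumes zone = region + '-' + one letter)."""
    region, sep, suffix = zone.rpartition("-")
    if not sep or len(suffix) != 1:
        raise ValueError(f"unexpected zone name: {zone}")
    return region


def check_cmek_key(kms_key: str, cluster_project: str, cluster_zone: str) -> list:
    """Return a list of problems; empty means the key can be used for this cluster."""
    m = _KMS_KEY_RE.match(kms_key)
    if not m:
        return [f"not a Cloud KMS cryptoKey resource name: {kms_key}"]
    problems = []
    if m["project"] != cluster_project:
        problems.append(f"key project {m['project']!r} != cluster project {cluster_project!r}")
    region = zone_to_region(cluster_zone)
    if m["location"] != region:
        problems.append(f"key location {m['location']!r} != cluster region {region!r}")
    return problems


def csek_key_entry(disk_uri: str, raw_key: bytes = None) -> dict:
    """One entry of a gcloud --csek-key-file: a JSON list of {uri, key, key-type}."""
    if raw_key is None:
        raw_key = os.urandom(32)  # 256-bit key generated locally; never leaves your side
    if len(raw_key) != 32:
        raise ValueError("CSEK raw key must be exactly 32 bytes")
    return {"uri": disk_uri, "key": base64.b64encode(raw_key).decode("ascii"), "key-type": "raw"}


if __name__ == "__main__":
    print(check_cmek_key("projects/demo-proj/locations/europe-west1/keyRings/cb/cryptoKeys/k1",
                         "demo-proj", "us-central1-a"))  # location mismatch reported
    disk = "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-a/disks/cb-disk"
    print(json.dumps([csek_key_entry(disk)], indent=2))  # save as key file, keep it secret
```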