Create a cluster with key encryption
GCP disk encryption can be configured on the Hardware and Storage page of the advanced create cluster wizard.
You can configure it per host group by clicking on the icon next to the chosen host group. Under Encryption Key you can choose between default encryption, KMS encryption key, or user-provided custom encryption key.
Encryption type | Description | How to configure |
---|---|---|
Default | The Default encryption option is selected by default because Compute Engine encrypts all customer content at rest. There is no option to turn disk encryption off. | You do not need to do anything. |
Select an existing KMS key (CMEK) | You can optionally select a previously created KMS key. If such a key exists in the selected region, you can select it from the list. The format will be `<key-ring-name>/<key>`. | From the Encryption Key dropdown, select an existing key. |
Enter an existing custom key (CSEK) | You can optionally provide a custom key. In this case, you must provide a key (max. 255 characters long) and the method used to send this key to Google: either RAW unencrypted format, or RSA encrypted format. Either way, a SHA-256 hash of the provided key will be sent, because GCP expects 256 bytes long blocks. | |
Once the cluster is running, you can confirm that encryption is enabled by navigating to cluster details > Hardware tab. On Google Cloud, navigate to Compute Engine > Disks and click the disk name; you should see the Encryption key ID listed.
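The CSEK row above says a SHA-256 hash of the custom key is what reaches Google, and the last paragraph says to confirm the result on the disk. The following added Python example (not part of this documentation or of the product's own code) shows both ends of that: it derives the 256-bit raw key value from a user-provided key the way the table describes, and compares a Compute Engine disk resource's reported `diskEncryptionKey.sha256` fingerprint against the key you hold. It assumes the custom key is hashed as UTF-8 text; the disk resource dict is constructed inline.

```python
import base64
import hashlib

MAX_CUSTOM_KEY_CHARS = 255  # limit stated in the table for a user-provided key


def derive_csek_raw_key(custom_key: str) -> str:
    """Turn the user-provided custom key into the value sent as a CSEK.

    As the table states, a SHA-256 hash of the key is sent rather than the
    key itself; Compute Engine's rawKey field takes those 32 bytes base64
    encoded. Encoding the key as UTF-8 before hashing is an assumption here.
    """
    if not custom_key or len(custom_key) > MAX_CUSTOM_KEY_CHARS:
        raise ValueError(f"custom key must be 1-{MAX_CUSTOM_KEY_CHARS} characters")
    digest = hashlib.sha256(custom_key.encode("utf-8")).digest()  # 32 bytes
    return base64.b64encode(digest).decode("ascii")


def expected_key_fingerprint(raw_key_b64: str) -> str:
    """Fingerprint Compute Engine reports for a CSEK-protected disk.

    The API's diskEncryptionKey.sha256 field is the base64 SHA-256 hash of the
    raw key bytes, so the same value can be computed locally from the held key.
    """
    raw = base64.b64decode(raw_key_b64)
    if len(raw) != 32:
        raise ValueError("CSEK raw key must be exactly 256 bits")
    return base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")


def disk_uses_key(disk_resource: dict, raw_key_b64: str) -> bool:
    """True only if the disk is CSEK-protected with the given key.

    A disk encrypted with the default key or a KMS key (kmsKeyName) carries no
    sha256 fingerprint and therefore does not match.
    """
    enc = disk_resource.get("diskEncryptionKey") or {}
    return enc.get("sha256") == expected_key_fingerprint(raw_key_b64)


if __name__ == "__main__":
    held_key = derive_csek_raw_key("constructed-example-passphrase")
    # Constructed stand-in for the JSON of `gcloud compute disks describe`.
    sample_disk = {"name": "worker-0-data", "diskEncryptionKey": {"sha256": expected_key_fingerprint(held_key)}}
    print("disk protected by held CSEK:", disk_uses_key(sample_disk, held_key))
```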