Adding a customer managed encryption key for GCP

By default, a Google-managed encryption key is used to encrypt disks and Cloud SQL instances in Data Lake, FreeIPA, and Data Hub clusters, but you can optionally configure CDP to use a customer-managed encryption key (CMEK) instead.

To set up a CMEK, you should:

Meet the CMEK prerequisites.
Register a GCP environment in CDP via CDP web UI or CLI. During environment registration, specify the encryption key that you would like to use.

CMEK prerequisites

Refer to GCP Prerequisites: Customer managed encryption keys.

Create a CDP environment with a CMEK

You can pass the CMEK during GCP environment registration in CDP via CDP web interface or CDP CLI.

Steps

CDP UI
CDP CLI

You can register your environment as described in Register a GCP environment from CDP UI, just make sure that on the Data Access and Audit page you enable the following:

Under Customer-Managed Encryprion Keys, click Enable Customer-Managed Keys.
In the same section, select the CMEK:

The following screenshot shows the UI options:

The steps below can only be performed via CDP CLI. Create an environment passing the


       --encryption-key

parameter as shows in this example:

cdp environments create-gcp-environment \
  --no-use-public-ip \
  --environment-name <ENVIRONMENT_NAME> \
  --credential-name <EXISTING_CREDENTIAL-NAME>\
  --region <REGION>\
  --security-access securityGroupIdForKnox=<SG_NAME1>,defaultSecurityGroupId=<SG_NAME2> \
  --public-key <PUBLIC_SSH_KEY>\
  --log-storage storageLocationBase=<LOGS_STORAGE_LOCATION> \
  --existing-network-params networkName=<NETWORK>,subnetNames=<SUBNET>,sharedProjectId=<PROJECT_ID>\
  --workload-analytics \
  --encryption-key <PATH_TO_THE_ENCRYPTION_KEY>

Next, create a Data Lake and IDBroker mappings using the usual commands. Once the environment is running, Data Hubs can be created using the usual steps.