Adding a customer managed encryption key for GCP

By default, a Google-managed encryption key is used to encrypt disks and Cloud SQL instances in Data Lake, FreeIPA, and Data Hub clusters, but you can optionally configure CDP to use a customer-managed encryption key (CMEK) instead.

To set up a CMEK, you should:

  1. Meet the CMEK prerequisites.
  2. Create a CDP environment via the CDP CLI, passing the encryption key.

CMEK prerequisites

Refer to GCP Prerequisites: Customer managed encryption keys.

Create a CDP environment with a CMEK via CDP CLI

The steps below can only be performed via the CDP CLI; the CDP web interface does not support specifying a CMEK.

Create an environment, passing the --encryption-key parameter as shown in this example:
cdp environments create-gcp-environment \
  --no-use-public-ip \
  --environment-name <ENVIRONMENT_NAME> \
  --credential-name <EXISTING_CREDENTIAL_NAME> \
  --region <REGION> \
  --security-access securityGroupIdForKnox=<SG_NAME1>,defaultSecurityGroupId=<SG_NAME2> \
  --public-key <PUBLIC_SSH_KEY> \
  --log-storage storageLocationBase=<LOGS_STORAGE_LOCATION> \
  --existing-network-params networkName=<NETWORK>,subnetNames=<SUBNET>,sharedProjectId=<PROJECT_ID> \
  --workload-analytics \
  --encryption-key <PATH_TO_THE_ENCRYPTION_KEY>
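The page only names the key value as <PATH_TO_THE_ENCRYPTION_KEY>. The wrapper below is an added example, not part of the CDP documentation or the CDP CLI: it checks that the value has the shape of a Cloud KMS key resource name before the create command is issued, exposes the key's location so it can be compared with the --region being used, and runs the create command as a dry run unless explicitly told to apply it. The assumption that --encryption-key expects the standard KMS resource name (projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<RING>/cryptoKeys/<KEY>) is mine; the environment variable names are placeholders mirroring the page's own.

```shell
#!/bin/sh
# Added example, not part of the CDP documentation: sanity-check the value
# that will be passed as --encryption-key before running
# `cdp environments create-gcp-environment`.
#
# Assumption: the parameter expects a Cloud KMS key resource name of the form
#   projects/<PROJECT_ID>/locations/<LOCATION>/keyRings/<RING>/cryptoKeys/<KEY>
# (the page itself only calls it <PATH_TO_THE_ENCRYPTION_KEY>).

# Return 0 when the path has the expected shape, 1 otherwise.
# The project-id segment follows GCP's rules: 6-30 chars, lowercase letters,
# digits and hyphens, starting with a letter and not ending with a hyphen.
validate_cmek_path() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/locations/[a-z0-9-]+/keyRings/[A-Za-z0-9_-]+/cryptoKeys/[A-Za-z0-9_-]+$'
}

# Print the location segment of a well-formed key path so it can be compared
# with the --region passed to create-gcp-environment; fails on a malformed path.
cmek_location() {
  validate_cmek_path "$1" || return 1
  printf '%s\n' "$1" | cut -d/ -f4
}

# Wrapper around the create command shown on this page. By default it only
# prints the command it would run (dry run); set CMEK_APPLY=1 to execute it.
# The remaining parameters are read from environment variables named after
# the page's placeholders and fall back to the placeholder text itself.
create_env_with_cmek() {
  env_name="$1"
  key_path="$2"
  if ! validate_cmek_path "$key_path"; then
    echo "refusing to continue: malformed KMS key path '$key_path'" >&2
    return 1
  fi
  set -- cdp environments create-gcp-environment \
    --no-use-public-ip \
    --environment-name "$env_name" \
    --credential-name "${EXISTING_CREDENTIAL_NAME:-<EXISTING_CREDENTIAL_NAME>}" \
    --region "${REGION:-<REGION>}" \
    --security-access "securityGroupIdForKnox=${SG_NAME1:-<SG_NAME1>},defaultSecurityGroupId=${SG_NAME2:-<SG_NAME2>}" \
    --public-key "${PUBLIC_SSH_KEY:-<PUBLIC_SSH_KEY>}" \
    --log-storage "storageLocationBase=${LOGS_STORAGE_LOCATION:-<LOGS_STORAGE_LOCATION>}" \
    --existing-network-params "networkName=${NETWORK:-<NETWORK>},subnetNames=${SUBNET:-<SUBNET>},sharedProjectId=${PROJECT_ID:-<PROJECT_ID>}" \
    --workload-analytics \
    --encryption-key "$key_path"
  if [ "${CMEK_APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf 'dry run: %s\n' "$*"
  fi
}

# Example invocation with a constructed key path (not a real project or key):
# create_env_with_cmek my-env \
#   'projects/my-proj-1/locations/us-east1/keyRings/cdp-ring/cryptoKeys/cdp-key'
```

Run it once without CMEK_APPLY to review the exact command line, compare the location printed by cmek_location with the region you intend to use, and only then rerun with CMEK_APPLY=1. The format check is deliberately strict: a value such as a bare key name or a key ring path is rejected up front rather than surfacing as a failed environment creation later.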

Next, create a Data Lake and IDBroker mappings using the usual commands. Once the environment is running, Data Hubs can be created using the usual steps.