Adding a customer managed encryption key for GCP

By default, a Google-managed encryption key is used to encrypt disks and Cloud SQL instances in Data Lake, FreeIPA, and Cloudera Data Hub clusters, but you can optionally configure Cloudera to use a customer-managed encryption key (CMEK) instead.

If you set a CMEK for your GCP environment, then the imported Compute Engine images will be encrypted with the CMEK instead of the default Google-managed key.

To set up a CMEK, you should:

Meet the CMEK prerequisites.
Register a GCP environment in Cloudera via Cloudera web UI or CDP CLI. During environment registration, specify the encryption key that you would like to use.

CMEK prerequisites🔗

Refer to GCP Prerequisites: Customer managed encryption keys.

Create a Cloudera environment with a CMEK🔗

You can pass the CMEK during GCP environment registration in Cloudera via Cloudera web interface or CDP CLI.

Steps

Cloudera UI
CDP CLI

You can register your environment as described in Register a GCP environment from Cloudera UI, just make sure that on the Data Access and Audit page you enable the following:

Under Customer-Managed Encryprion Keys, click Enable Customer-Managed Keys.
In the same section, select the CMEK:

The following screenshot shows the UI options: