Adding a customer managed encryption key for GCP
By default, a Google-managed encryption key is used to encrypt disks and Cloud SQL instances in Data Lake, FreeIPA, and Cloudera Data Hub clusters, but you can optionally configure Cloudera to use a customer-managed encryption key (CMEK) instead.
If you set a CMEK for your GCP environment, then the imported Compute Engine images will be encrypted with the CMEK instead of the default Google-managed key.
To set up a CMEK, you should:
- Meet the CMEK prerequisites.
- Register a GCP environment in Cloudera via the Cloudera web UI or the CDP CLI. During environment registration, specify the encryption key that you would like to use.
CMEK prerequisites
Refer to GCP Prerequisites: Customer managed encryption keys.
Create a Cloudera environment with a CMEK
You can pass the CMEK during GCP environment registration in Cloudera via the Cloudera web interface or the CDP CLI.
Steps
- Under Customer-Managed Encryption Keys, click Enable Customer-Managed Keys.
- In the same section, select the CMEK:
The following screenshot shows the UI options:
