How to have one Master key in Gcloud and create Data Keys to encrypt, and use the Master Key to decrypt the actual data? This is possible in AWS KMS. How to implement the same in Gcloud?
Thanks
By default, Compute Engine encrypts customer content at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you want to control and manage this encryption yourself, you can use key encryption keys. Key encryption keys do not directly encrypt your data but are used to encrypt the data encryption keys that encrypt your data.
If making the analogy with the AWS "Master key" concept, then the "key Encryption key (GCP)" is the master key that is used to encrypt the "data encryption key".
AWS: "Plain Text Data"------>"data encryption key"---->"Encrypted data"
"data encryption key"-----> "Master key(AWS)"----> "Encrypted data key"
GCP: "Plain Text Data"------>"data encryption key"---->"Encrypted data"
"data encryption key"----->"key Encryption key(GCP)"----> "Encrypted data key"
As per document-1, you have two options for key encryption keys in Compute Engine:
1- Use Cloud Key Management Service to create and manage key encryption keys. For more information, see Key management. This topic provides details about this option, known as customer-managed encryption keys (CMEK).
2- Create and manage your own key encryption keys. For information about this option, known as customer-supplied encryption keys (CSEK), see Encrypting Disks with Customer-Supplied Encryption Keys.
Encryption: Cloud KMS keys are AES-256 keys. These keys are "key encryption keys" or "Master Keys"(AWS), and they encrypt the "data encryption keys" that encrypt your data.
Cloud KMS allows you to create, import, and manage "cryptographic keys" or "key encryption keys" or "Master Keys"(AWS) and perform cryptographic operations in a single centralized cloud service. You can use these keys and perform these operations by using Cloud KMS directly, by using Cloud HSM or Cloud External Key Manager, or by using Customer-Managed Encryption Keys (CMEK) integrations within other Google Cloud services.
Please note: If you provide your own "encryption keys" or own "key Encryption key" or "Master key (AWS)", Compute Engine uses your key to protect the "Google-generated keys" or "data encryption keys" used to encrypt and decrypt your data. Only users who can provide the correct "key Encryption key" can use resources protected by a customer-supplied encryption key.
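The envelope pattern the answer describes (data sealed with a per-object data encryption key, that key wrapped by the master key held in KMS) is the same on both clouds. The Go program below is an added example, not code from the answer or from any Google library: `localKEK` is an assumed offline stand-in for the Cloud KMS wrap/unwrap call, and `Encrypt`/`Decrypt` are the part you would keep when the stand-in is replaced by a real KMS client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KeyEncryptionKey is the master key in Cloud KMS: callers only ask it to wrap/unwrap a DEK.
type KeyEncryptionKey interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrappedDEK []byte) ([]byte, error)
}
// localKEK is a constructed offline stand-in (assumption); in production Wrap and
// Unwrap would be calls to the Cloud KMS encrypt/decrypt API on the key resource.
type localKEK struct{ key []byte }
func NewLocalKEK() *localKEK                        { return &localKEK{key: randomBytes(32)} }
func (k *localKEK) Wrap(dek []byte) ([]byte, error) { return seal(k.key, dek), nil }
func (k *localKEK) Unwrap(w []byte) ([]byte, error) { return open(k.key, w) }
// Encrypt: fresh 256-bit DEK per object, data sealed locally, DEK wrapped by the KEK,
// plaintext DEK discarded. Store both outputs; neither is usable on its own.
func Encrypt(kek KeyEncryptionKey, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := randomBytes(32)
	if wrappedDEK, err = kek.Wrap(dek); err != nil { return nil, nil, err }
	return wrappedDEK, seal(dek, plaintext), nil
}
// Decrypt: only Unwrap needs the master key; a tampered wrapped DEK or the wrong
// KEK fails authentication there, before the data is touched at all.
func Decrypt(kek KeyEncryptionKey, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := kek.Unwrap(wrappedDEK)
	if err != nil { return nil, err }
	return open(dek, ciphertext)
}
// Primitives: AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys generated above are always 32 bytes
	a, _ := cipher.NewGCM(block)
	nonce := randomBytes(a.NonceSize())
	return a.Seal(nonce, nonce, plaintext, nil)
}
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	a, _ := cipher.NewGCM(block)
	if n := a.NonceSize(); len(ct) >= n { return a.Open(nil, ct[:n], ct[n:], nil) }
	return nil, errors.New("ciphertext too short")
}
```

Because the KEK never leaves the service, access to stored data is controlled by who may call Unwrap on that key, which is what the CMEK/CSEK options above give you.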