
Does anyone know how we can enforce the use of EKM (externally managed key) in GCP KMS? I would like to avoid using Google-generated keys in KMS, as per our company policy.

Thanks

PJS

1 Answer


External key manager (EKM) is the key manager used outside of Google Cloud to manage your keys. You can create and manage external keys either via the internet or via a Virtual Private Cloud (VPC). The key resides on the external system, and is never sent to Google.

You can store external keys in the following external key management partner systems:
Supported today:
Fortanix
Futurex
Thales
Virtru

With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.

For more information on EKM refer to the documentation google-kms-ekm.

EDIT-1

Below is the procedure to implement EKM:

  1. First, you need to create or use an existing key in a supported external key management partner system. This key has a unique URI or key path.

  2. Next, you can grant your Google Cloud project access to use the key, in the external key management partner system.

  3. In your Google Cloud project, you create a Cloud EKM key, using the URI or key path for the externally-managed key.

You can also follow the step-by-step instructions to create a Cloud EKM key accessed via the internet or to create a Cloud EKM key accessed via a VPC.

EKM while creating VM:

Console -> Compute Engine -> VM Instances -> Create Instance -> Boot disk -> CHANGE -> SHOW ADVANCED CONFIGURATION -> Encryption -> choose the encryption management solution you want to use for the disk.

EKM while creating storage bucket:

Console -> Cloud Storage -> Create Bucket -> Choose how to protect object data -> Enable “customer-managed encryption key”. By default, the “Google-managed key” encryption type will be used. The Cloud Console cannot be used to upload an object with a customer-supplied encryption key. Use gsutil or the client libraries instead.

For more information refer to the documentation cloud storage customer supplied encryption keys.

EDIT-2

Currently it is impossible to enforce EKM as an organization policy constraint.

There is a Feature Request on this similar requirement, on which the product team is working. You can track the issue here.

As a temporary workaround, you can create a log-based alert or metric and filter the audit log with the "kmsKeyName" keyword, or exclude the keyword to find non-CMEK logs.

protoPayload.authenticationInfo.principalEmail="SA to filter"
protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
"kmsKeyName"

Note that the query can be modified based on your use case.
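The Cloud Logging filter in EDIT-2 only tells you whether a principal's audit log entry mentions a KMS key at all; it does not tell you whether that key is an EKM-backed key. The following example, added here and not part of the answer above, reimplements the same selection logic in Python over constructed sample audit log entries and goes one step further: it compares every key name found in the entry against an allowlist of Cloud EKM key resource names. The allowlist, the principal email, the project and key names, and the exact field layout of the sample entries are all assumptions for illustration; real audit log payloads vary by service.

```python
import json

# The @type value used in the answer's Cloud Logging filter.
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Assumed values: the service account to monitor and the Cloud EKM keys you
# have approved. Neither comes from a real project.
PRINCIPAL = "deployer@example-proj.iam.gserviceaccount.com"
EKM_KEYS = {
    "projects/example-proj/locations/us-east1/keyRings/ekm-ring/cryptoKeys/ekm-key",
}
GOOGLE_GENERATED_KEY = (
    "projects/example-proj/locations/us-east1/keyRings/soft-ring/cryptoKeys/soft-key"
)

# Constructed sample entries in the shape of Cloud Audit Log JSON payloads.
SAMPLE_LOG_LINES = [
    # 1. Disk created with the approved EKM key.
    json.dumps({"protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {"principalEmail": PRINCIPAL},
        "methodName": "v1.compute.disks.insert",
        "request": {"name": "disk-a",
                    "diskEncryptionKey": {"kmsKeyName": next(iter(EKM_KEYS))}}}}),
    # 2. Bucket created with no CMEK at all (Google-managed encryption).
    json.dumps({"protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {"principalEmail": PRINCIPAL},
        "methodName": "storage.buckets.create",
        "request": {"name": "bucket-b"}}}),
    # 3. Disk created with a Google-generated software key (CMEK, but not EKM).
    json.dumps({"protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {"principalEmail": PRINCIPAL},
        "methodName": "v1.compute.disks.insert",
        "request": {"name": "disk-c",
                    "diskEncryptionKey": {"kmsKeyName": GOOGLE_GENERATED_KEY}}}}),
    # 4. Same action by a different principal: outside the filter's scope.
    json.dumps({"protoPayload": {
        "@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {"principalEmail": "someone-else@example.com"},
        "methodName": "storage.buckets.create",
        "request": {"name": "bucket-d"}}}),
    # 5. Not an AuditLog payload: outside the filter's scope.
    json.dumps({"protoPayload": {
        "@type": "type.googleapis.com/other.Payload",
        "authenticationInfo": {"principalEmail": PRINCIPAL},
        "methodName": "other.method"}}),
]


def iter_kms_key_names(node):
    """Yield every string value whose field name ends with 'kmsKeyName'
    (this also catches 'defaultKmsKeyName'), walking nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower().endswith("kmskeyname") and isinstance(value, str):
                yield value
            else:
                yield from iter_kms_key_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_kms_key_names(item)


def classify_entry(entry, principal, ekm_keys):
    """Apply the answer's filter (principal + @type), then grade the key usage.

    Returns 'skipped' (not in scope), 'no-cmek' (no key referenced),
    'non-ekm-key' (a key was used but it is not an approved EKM key),
    or 'ekm' (every referenced key is in the allowlist)."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return "skipped"
    if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
        return "skipped"
    keys = list(iter_kms_key_names(payload))
    if not keys:
        return "no-cmek"
    if all(key in ekm_keys for key in keys):
        return "ekm"
    return "non-ekm-key"


def scan(lines, principal, ekm_keys):
    """Group the methodName of each entry under its verdict; the 'no-cmek' and
    'non-ekm-key' buckets are what a log-based alert would fire on."""
    findings = {"skipped": [], "no-cmek": [], "non-ekm-key": [], "ekm": []}
    for line in lines:
        entry = json.loads(line)
        verdict = classify_entry(entry, principal, ekm_keys)
        findings[verdict].append(entry.get("protoPayload", {}).get("methodName", "?"))
    return findings


if __name__ == "__main__":
    for verdict, methods in scan(SAMPLE_LOG_LINES, PRINCIPAL, EKM_KEYS).items():
        print(f"{verdict:12s} {methods}")
```

The "no-cmek" bucket corresponds to the answer's suggestion of excluding the "kmsKeyName" keyword; the "non-ekm-key" bucket is the extra check you need when the policy goal is specifically EKM rather than any CMEK, since the audit entry alone does not reveal a key's protection level.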