By default, Compute Engine encrypts customer content at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. This option is referred to as Google-managed encryption.
However, if you have specific requirements related to compliance or the locality of cryptographic material, you can customize the encryption Compute Engine uses for your resources. You can customize encryption by providing key encryption keys. Key encryption keys don't directly encrypt your data, but encrypt the Google-generated keys Compute Engine uses to encrypt your data.
You have two options to provide key encryption keys:
Recommended. Use the Cloud Key Management Service (Cloud KMS) in Compute Engine to create and manage key encryption keys. Keys managed by the Cloud Key Management Service are known as customer-managed encryption keys (CMEKs). After creating a key, you can use it as a disk's key encryption key. You can create CMEKs directly, or you can use Cloud KMS Autokey to create them automatically. For more information, see Cloud KMS with Autokey. In most cases, after you create a CMEK-encrypted disk, you don't need to specify the key when working with the disk.
You can manage your own key encryption keys outside of Compute Engine, and provide the key whenever you create or manage a disk. This option is known as customer-supplied encryption keys (CSEKs). When you manage CSEK-encrypted resources, you must always specify the key you used when encrypting the resource.
For more information, see Customer-managed encryption keys and Customer-supplied encryption keys.
Supported disk types
This section lists the supported encryption types for disks and other storage options offered by Compute Engine.
Encrypt disks with customer-managed encryption keys
For more information about how to use customer-managed encryption keys (CMEK) to encrypt disks and other Compute Engine resources, see Protect resources by using Cloud KMS keys.
Encrypt disks with customer-supplied encryption keys
To learn how to use customer-supplied encryption keys (CSEK) to encrypt disks and other Compute Engine resources, see Encrypting disks with customer-supplied encryption keys.
View information about a disk's encryption
Disks in Compute Engine are encrypted with either Google-managed, customer-managed, or customer-supplied encryption keys. Google-managed encryption is the default. To view a disk's encryption type, you can use the gcloud CLI, Google Cloud console, or the Compute Engine API.
Console
In the Google Cloud console, go to the Disks page.
In the Name column, click the name of the disk.
In the Properties table, the row labeled Encryption indicates the type of encryption: Google-managed, customer-managed, or customer-supplied.
gcloud
In the Google Cloud console, activate Cloud Shell. At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Use the gcloud compute disks describe command:
gcloud compute disks describe DISK_NAME \
    --zone=ZONE \
    --format="json(diskEncryptionKey)"
Replace the following:
PROJECT_ID: your project ID.
ZONE: the zone where your disk is located.
DISK_NAME: the name of the disk.
Command output
If the output is null, the disk uses Google-managed encryption, which is the default. Otherwise, the output is a JSON object. If the JSON object contains a field named diskEncryptionKey, the disk is encrypted with a key you provided rather than with the default Google-managed key. The diskEncryptionKey object contains information about whether the disk is CMEK- or CSEK-encrypted.
API
Make a GET request to the compute.disks.get method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/DISK_NAME
Replace the following:
PROJECT_ID: your project ID.
ZONE: the zone where your disk is located.
DISK_NAME: the name of the disk.
Response
If the response is null, the disk uses Google-managed encryption, which is the default. Otherwise, the response is a JSON object. If the JSON object contains a field named diskEncryptionKey, the disk is encrypted with a key you provided rather than with the default Google-managed key. The diskEncryptionKey object contains information about whether the disk is CMEK- or CSEK-encrypted.
If the disk uses CMEK encryption, you can find detailed information about the key, its key ring, and its location by following the steps in View keys by project.
If the disk uses CSEK encryption, contact your organization's administrator for details about the key. With CMEK, you can also see which resources a key protects by using key usage tracking. For more information, see View key usage.
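As an added example that is not part of this page or of the gcloud tooling, the Python script below classifies the output of the gcloud compute disks describe command shown above (null or empty: Google-managed; a diskEncryptionKey carrying kmsKeyName: CMEK; one carrying only the key's sha256 digest: CSEK) and splits a CMEK's Cloud KMS resource name into its project, location and key ring, the details the View keys by project step gives you. The sample outputs are constructed; the assumptions are that the disk resource uses the field names kmsKeyName and sha256 and that kmsKeyName may end in a cryptoKeyVersions suffix.

```python
import json

# Constructed sample outputs of
#   gcloud compute disks describe DISK_NAME --zone=ZONE --format="json(diskEncryptionKey)"
# for three disks. The KMS key name and the sha256 digest are placeholder values.
SAMPLE_OUTPUTS = {
    "disk-default": "null",
    "disk-cmek": json.dumps({"diskEncryptionKey": {
        "kmsKeyName": "projects/PROJECT_ID/locations/us-central1/keyRings/RING"
                      "/cryptoKeys/KEY/cryptoKeyVersions/1"}}),
    "disk-csek": json.dumps({"diskEncryptionKey": {"sha256": "00" * 32}}),
}


def classify_disk_encryption(describe_output: str) -> str:
    """Map the JSON printed by `gcloud compute disks describe` to the encryption
    type the console shows in the Encryption row."""
    data = json.loads(describe_output)
    key = (data or {}).get("diskEncryptionKey")
    if not key:                      # null output, {} or no diskEncryptionKey field
        return "google-managed"
    if "kmsKeyName" in key:          # Cloud KMS key resource name => CMEK
        return "customer-managed"
    if "sha256" in key:              # only the digest of a CSEK is ever returned
        return "customer-supplied"
    return "unknown"


def cmek_key_details(kms_key_name: str) -> dict:
    """Split a Cloud KMS key resource name into project, location, key ring and key,
    so the key's location can be compared with a data-residency requirement."""
    parts = kms_key_name.split("/")
    expected = ["projects", "locations", "keyRings", "cryptoKeys"]
    if len(parts) < 8 or parts[0:8:2] != expected:
        raise ValueError(f"not a Cloud KMS key name: {kms_key_name}")
    return {"project": parts[1], "location": parts[3],
            "keyRing": parts[5], "cryptoKey": parts[7]}


def audit(outputs: dict) -> dict:
    """Group disk names by encryption type, e.g. to find disks still on the default."""
    report = {}
    for name, output in outputs.items():
        report.setdefault(classify_disk_encryption(output), []).append(name)
    return report


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_OUTPUTS).items():
        print(f"{kind}: {', '.join(names)}")
```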
What's next