Using customer-managed encryption keys with Cloud Volumes ONTAP


Google Cloud encrypts your data at rest by default, but you can use the Cloud Manager API to create a Cloud Volumes ONTAP system whose persistent disks are encrypted with customer-managed encryption keys: keys that you generate and manage yourself in Cloud Key Management Service (Cloud KMS).

Steps
  1. Ensure that the Cloud Manager Connector service account has the required permissions at the project level in the project that holds the key.

    The Cloud Manager YAML file grants these permissions in the Connector's own project. If the key ring lives in a different project, you must grant them there as well. They are read-only permissions that let the Connector list key rings, keys and key versions; they do not let it encrypt or decrypt with the key.

    The permissions are as follows:

    - cloudkms.cryptoKeyVersions.list
    - cloudkms.cryptoKeys.get
    - cloudkms.cryptoKeys.list
    - cloudkms.keyRings.list
  2. Ensure that the Google Compute Engine Service Agent has the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the key. This is the identity Compute Engine uses to encrypt the persistent disks with your key.

    The name of the service agent uses the following format: "service-[service_project_number]@compute-system.iam.gserviceaccount.com", where service_project_number is the numeric project number, not the project ID.

  3. Obtain the resource name of the key: either the "id" field returned by the get command for the /gcp/vsa/metadata/gcp-encryption-keys API call, or "Copy Resource Name" on the key in the GCP console. The value has the form projects/.../locations/.../keyRings/.../cryptoKeys/... and identifies the key itself, not an individual key version.

  4. If you also tier data to object storage, Cloud Manager uses the same key that protects the persistent disks to encrypt the Google Cloud Storage bucket. For that to work, the Cloud Storage service agent must first be allowed to use the key:

    1. Find the Google Cloud Storage service agent by following the Google Cloud Documentation: Getting the Cloud Storage service agent.

    2. Navigate to the encryption key and assign the Google Cloud Storage service agent with Cloud KMS Encrypter/Decrypter permissions.

  5. Include the "GcpEncryption" parameter in the API request that creates the working environment, passing the key resource name from step 3 in the gcpEncryptionParameters object.

    Example

    "gcpEncryptionParameters": {
      "key": "projects/project-1/locations/us-east4/keyRings/keyring-1/cryptoKeys/generatedkey1"
    }
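The following is an added pre-flight check for the procedure above; it is example code, not part of Cloud Manager or its automation docs. It validates that a key resource name is a cryptoKeys-level name (a key version is rejected), inspects the key's IAM policy for the Encrypter/Decrypter bindings steps 2 and 4 require, and builds the gcpEncryptionParameters fragment for step 5. The policy document is constructed here to look like the output of `gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json`; the project number 123456789012 is made up. The Compute Engine service agent format is the one given on this page; the Cloud Storage service agent format (service-NUMBER@gs-project-accounts.iam.gserviceaccount.com) is the one Google documents for that agent. Bindings that carry an IAM condition are deliberately not counted as satisfying the check.

```python
"""Pre-flight check for a Cloud Volumes ONTAP customer-managed key on GCP.

Added example, not Cloud Manager code. Validates the KMS key resource name,
inspects the key's IAM policy for the bindings the procedure requires, and
builds the gcpEncryptionParameters fragment for the create request.
"""
import json
import re

# Resource name of a key (not a key *version*), as shown by "Copy Resource Name".
# Project IDs are 6-30 chars; KMS resource IDs allow letters, digits, '-' and '_'.
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[a-zA-Z0-9_-]{1,63})"
    r"/cryptoKeys/(?P<key>[a-zA-Z0-9_-]{1,63})$"
)

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def parse_key_name(name):
    """Return the components of a KMS key resource name, or raise ValueError.

    A name ending in /cryptoKeyVersions/N is rejected: the working-environment
    request takes the key, and Cloud KMS selects the primary version itself.
    """
    m = KEY_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a cryptoKeys resource name: {name!r}")
    return m.groupdict()


def service_agents(project_number):
    """Service agents that need Encrypter/Decrypter on the key (steps 2 and 4).

    Compute Engine agent format is from the page; the Cloud Storage agent
    format is the one Google documents for the Cloud Storage service agent.
    """
    return {
        "compute": f"serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
        "storage": f"serviceAccount:service-{project_number}@gs-project-accounts.iam.gserviceaccount.com",
    }


def missing_bindings(policy, project_number, tiering=True):
    """Return the service agents lacking an unconditional Encrypter/Decrypter binding.

    Bindings carrying an IAM condition are skipped on purpose: a conditional
    grant may not hold when Compute Engine or Cloud Storage actually calls
    KMS, so the check stays conservative and reports the agent as missing.
    """
    wanted = service_agents(project_number)
    if not tiering:
        wanted.pop("storage")  # bucket encryption only matters when tiering
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != ENCRYPTER_DECRYPTER or "condition" in binding:
            continue
        granted.update(binding.get("members", []))
    return {who: member for who, member in wanted.items() if member not in granted}


def encryption_parameters(key_name):
    """Build the gcpEncryptionParameters fragment for the create request."""
    parse_key_name(key_name)  # fail early on a malformed or version-level name
    return {"gcpEncryptionParameters": {"key": key_name}}


# Constructed sample policy (not real output). The compute agent has an
# unconditional grant; the storage agent's grant carries an expiry condition.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXYZ",
  "version": 3
}
""")

if __name__ == "__main__":
    key = "projects/project-1/locations/us-east4/keyRings/keyring-1/cryptoKeys/generatedkey1"
    print(json.dumps(encryption_parameters(key), indent=2))
    for who, member in missing_bindings(SAMPLE_POLICY, "123456789012").items():
        print(f"MISSING: {who} service agent {member} needs {ENCRYPTER_DECRYPTER}")
```

Run against a real policy by replacing SAMPLE_POLICY with the parsed gcloud output; with the constructed sample the script reports the Cloud Storage agent as missing because its only grant is conditional, which is exactly the situation that would make tiering fail after a key that "looks" shared.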

Refer to the Cloud Manager automation docs for more details about using the "GcpEncryption" parameter.