Manage keys with Google’s Cloud Key Management Service

You can use Google Cloud Platform’s Key Management Service (Cloud KMS) to protect your ONTAP encryption keys in a Google Cloud Platform-deployed application.

Key management with Cloud KMS can be enabled with the CLI or the ONTAP REST API.

When using Cloud KMS, be aware that by default a data SVM LIF is used to communicate with the Cloud KMS endpoint, while the node management network is used to communicate with the cloud provider's authentication services. Both paths need DNS resolution and outbound reachability; if the cluster network is not configured correctly, the cluster will not be able to use the key management service.

Before you begin
  • Cloud Volumes ONTAP must be running version 9.10.1 or later

  • Volume Encryption (VE) license installed

  • Multi-tenant Encryption Key Management (MTEKM) license installed (required starting with Cloud Volumes ONTAP 9.12.1 GA)

  • You must be a cluster or SVM administrator

  • An active Google Cloud Platform subscription

  • Cloud KMS can only be configured on a data SVM


Google Cloud
  1. In your Google Cloud environment, create a Cloud KMS key ring and a symmetric encryption key in it.

  2. Create a custom role for your Cloud Volumes ONTAP service account. The command requires a project and a permission list; the Cloud KMS permissions shown below (read key metadata, encrypt and decrypt with the key) are an assumption, since this page does not list the exact set, so confirm them against the NetApp documentation for your release:
    gcloud iam roles create kmsCustomRole --project customer_project_id --title kmsCustomRole --permissions cloudkms.cryptoKeyVersions.get,cloudkms.cryptoKeyVersions.list,cloudkms.cryptoKeyVersions.useToDecrypt,cloudkms.cryptoKeyVersions.useToEncrypt,cloudkms.cryptoKeys.get,cloudkms.keyRings.get,cloudkms.locations.get,cloudkms.locations.list,resourcemanager.projects.get --stage GA

  3. Bind the custom role to the Cloud Volumes ONTAP service account on the Cloud KMS key itself (binding on the key rather than on the project limits the service account to this one key):
    gcloud kms keys add-iam-policy-binding key_name --keyring key_ring_name --location key_location --member serviceAccount:service_account_name --role projects/customer_project_id/roles/kmsCustomRole

  4. Download a JSON key for the service account. This file is a long-lived credential for the account that can use your encryption key, so treat it as a secret:
    gcloud iam service-accounts keys create key-file --iam-account service_account_name

Cloud Volumes ONTAP
  1. Connect to the cluster management LIF with your preferred SSH client.

  2. Switch to the advanced privilege level:
    set -privilege advanced

  3. Configure DNS for the data SVM so it can resolve the Cloud KMS endpoint:
    dns create -domains c.<project>.internal -name-servers server_address -vserver SVM_name

  4. Create the CMEK (customer-managed encryption key) entry, which enables Cloud KMS as the external key manager for the SVM:
    security key-manager external gcp enable -vserver SVM_name -project-id project -key-ring-name key_ring_name -key-ring-location key_ring_location -key-name key_name

  5. When prompted, paste the contents of the service account JSON key file you downloaded from your GCP project.

  6. Confirm that the key manager is enabled and reachable:
    security key-manager external gcp check -vserver SVM_name

  7. OPTIONAL: Create a volume to test encryption. Requesting encryption explicitly makes the test unambiguous; the create fails if the SVM cannot obtain a key:
    vol create volume_name -aggregate aggregate -vserver SVM_name -size 10G -encrypt true
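
Before pasting the service account key into ONTAP in step 5, it is worth checking two things offline: that the JSON file really is a service-account key for the intended project and account, and that the IAM policy on the Cloud KMS key grants that account only the custom role from step 3 of the Google Cloud procedure, not a broad role such as roles/cloudkms.admin. The following Python script is an added example, not code from this page or from NetApp. It reads the key file format written by `gcloud iam service-accounts keys create` and the policy format returned by `gcloud kms keys get-iam-policy --format=json`. The project ID, service account address, role name, etag and policy contents are constructed placeholders, and the private_key body is not a real key.

```python
import json

# Roles that grant far more than ONTAP needs on a KMS key. If any of these is
# bound to the storage system's service account, the custom role is pointless.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudkms.admin"}

# Fields every service-account key file written by gcloud carries.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "token_uri")


def check_service_account_key(key_file_text, expected_project, expected_sa_email):
    """Validate a downloaded service-account key file before pasting it into ONTAP.

    Returns a list of problems; an empty list means the file looks usable.
    """
    problems = []
    try:
        key = json.loads(key_file_text)
    except json.JSONDecodeError as exc:
        return ["key file is not valid JSON: %s" % exc]
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append("missing or empty field: " + field)
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    if key.get("project_id") != expected_project:
        problems.append("project_id %r does not match expected project %r"
                        % (key.get("project_id"), expected_project))
    if key.get("client_email") != expected_sa_email:
        problems.append("client_email %r is not the service account bound to the key"
                        % key.get("client_email"))
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key")
    return problems


def check_key_iam_policy(policy_text, sa_email, custom_role):
    """Check the IAM policy of one Cloud KMS key for least privilege.

    The service account must hold the custom role on the key and nothing else.
    """
    policy = json.loads(policy_text)
    member = "serviceAccount:" + sa_email
    roles = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    problems = []
    if custom_role not in roles:
        problems.append("custom role %s is not bound to %s on this key" % (custom_role, member))
    for role in sorted(roles & OVERBROAD_ROLES):
        problems.append("over-broad role %s bound to %s" % (role, member))
    for role in sorted(roles - OVERBROAD_ROLES - {custom_role}):
        problems.append("unexpected extra role %s bound to %s" % (role, member))
    return problems


# Constructed placeholders; replace with your own project, account and role.
PROJECT = "customer_project_id"
SA_EMAIL = "cvo-kms@customer_project_id.iam.gserviceaccount.com"
CUSTOM_ROLE = "projects/customer_project_id/roles/kmsCustomRole"

# Constructed stand-in for the file written by `gcloud iam service-accounts keys create`.
# The private_key body is a placeholder, not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": PROJECT,
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SA_EMAIL,
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed policy in the shape of `gcloud kms keys get-iam-policy ... --format=json`.
GOOD_POLICY = json.dumps({
    "bindings": [{"members": ["serviceAccount:" + SA_EMAIL], "role": CUSTOM_ROLE}],
    "etag": "BwXplaceholder=",
    "version": 1,
})

# Same key, but the service account was also handed cloudkms.admin.
BAD_POLICY = json.dumps({
    "bindings": [
        {"members": ["serviceAccount:" + SA_EMAIL], "role": CUSTOM_ROLE},
        {"members": ["serviceAccount:" + SA_EMAIL], "role": "roles/cloudkms.admin"},
    ],
    "etag": "BwXplaceholder=",
    "version": 1,
})

if __name__ == "__main__":
    for label, problems in (
        ("key file", check_service_account_key(SAMPLE_KEY_FILE, PROJECT, SA_EMAIL)),
        ("good policy", check_key_iam_policy(GOOD_POLICY, SA_EMAIL, CUSTOM_ROLE)),
        ("bad policy", check_key_iam_policy(BAD_POLICY, SA_EMAIL, CUSTOM_ROLE)),
    ):
        print(label + ":", "OK" if not problems else "; ".join(problems))
```

To run it against real input, export the key's policy with `gcloud kms keys get-iam-policy key_name --keyring key_ring_name --location key_location --format=json`, read that file and the key file from step 4 in place of the constructed samples, and only proceed to step 5 when both checks return no problems.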


If you need to troubleshoot, you can tail the key manager client log, which records the raw REST API exchanges with Cloud KMS, from the diagnostic privilege level. Treat the output as sensitive, since it reflects the cluster's traffic to the key management and authentication endpoints:

  1. set -privilege diagnostic

  2. systemshell -node node -command tail -f /mroot/etc/log/mlog/kmip2_client.log