Manage Cloud Volumes ONTAP encryption keys with Google Cloud KMS

Contributors netapp-manini

You can use Google Cloud Platform's Key Management Service (Cloud KMS) to protect your Cloud Volumes ONTAP encryption keys in a Google Cloud Platform-deployed application.

Key management with Cloud KMS can be enabled with the ONTAP CLI or the ONTAP REST API.

When using Cloud KMS, be aware that by default a data SVM's LIF is used to communicate with the cloud key management endpoint. A node management network is used to communicate with the cloud provider's authentication services (oauth2.googleapis.com). If the cluster network is not configured correctly, the cluster will not properly utilize the key management service.

Before you begin
  • Your system should be running Cloud Volumes ONTAP 9.10.1 or later

  • You must use a data SVM. Cloud KMS can be configured only on a data SVM.

  • You must be a cluster or SVM administrator

  • Volume Encryption (VE) license should be installed on the SVM

  • Beginning with Cloud Volumes ONTAP 9.12.1 GA, the multi-tenant Encryption Key Management (MTEKM) license should also be installed

  • An active Google Cloud Platform subscription is required

Configuration

Google Cloud
  1. In your Google Cloud environment, create a symmetric GCP key ring and key.

  2. Assign a custom role to the Cloud KMS key and Cloud Volumes ONTAP service account.

    1. Create the custom role:

      gcloud iam roles create kmsCustomRole \
          --project=<project_id> \
          --title=<kms_custom_role_name> \
          --description=<custom_role_description> \
          --permissions=cloudkms.cryptoKeyVersions.get,cloudkms.cryptoKeyVersions.list,cloudkms.cryptoKeyVersions.useToDecrypt,cloudkms.cryptoKeyVersions.useToEncrypt,cloudkms.cryptoKeys.get,cloudkms.keyRings.get,cloudkms.locations.get,cloudkms.locations.list,resourcemanager.projects.get \
          --stage=GA

    2. Assign the custom role you created to the Cloud Volumes ONTAP service account on the key:

      gcloud kms keys add-iam-policy-binding key_name \
          --keyring key_ring_name \
          --location key_location \
          --member serviceAccount:service_account_name \
          --role projects/customer_project_id/roles/kmsCustomRole

      Note: If you are on Cloud Volumes ONTAP 9.13.0 or later, you don't need to create a custom role. You can assign the predefined cloudkms.cryptoKeyEncrypterDecrypter role instead (--role roles/cloudkms.cryptoKeyEncrypterDecrypter).

  3. Download the service account JSON key:

    gcloud iam service-accounts keys create key-file --iam-account=sa-name@project-id.iam.gserviceaccount.com
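As an added example (not NetApp's code), the Python check below audits the JSON that `gcloud iam roles describe <role> --format=json` and `gcloud kms keys get-iam-policy <key> --format=json` return: it reports any of the nine permissions above missing from the custom role, confirms the key binds the Cloud Volumes ONTAP service account only to the custom role or the predefined role, and flags broad roles on the key. The sample role and policy, the `example-project` and `cvo-sa` names, and the list of roles treated as over-broad are constructed assumptions.

```python
import json

# Permissions the page's custom role grants; nothing beyond these is needed for CMEK.
REQUIRED_PERMISSIONS = frozenset({
    "cloudkms.cryptoKeyVersions.get", "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeyVersions.useToDecrypt", "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.get", "cloudkms.keyRings.get",
    "cloudkms.locations.get", "cloudkms.locations.list", "resourcemanager.projects.get",
})
# Predefined role the page accepts on Cloud Volumes ONTAP 9.13.0 and later.
PREDEFINED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Broad roles that should not appear on a CMEK key at all (an assumed policy choice).
OVERBROAD_ROLES = frozenset({"roles/cloudkms.admin", "roles/owner", "roles/editor"})


def missing_permissions(role_desc):
    """Required permissions absent from `gcloud iam roles describe --format=json` output."""
    role = json.loads(role_desc) if isinstance(role_desc, str) else role_desc
    return sorted(REQUIRED_PERMISSIONS - set(role.get("includedPermissions", [])))


def audit_key_policy(policy, service_account, custom_role):
    """Audit `gcloud kms keys get-iam-policy --format=json` output: the CVO service
    account must hold only an acceptable role, and nobody may hold a broad role."""
    pol = json.loads(policy) if isinstance(policy, str) else policy
    member = "serviceAccount:" + service_account
    sa_roles, overbroad = [], []
    for binding in pol.get("bindings", []):
        role, members = binding.get("role", ""), binding.get("members", [])
        if member in members:
            sa_roles.append(role)
        if role in OVERBROAD_ROLES:
            overbroad.extend((role, m) for m in members)
    ok = bool(sa_roles) and set(sa_roles) <= {PREDEFINED_ROLE, custom_role} and not overbroad
    return {"ok": ok, "sa_roles": sorted(sa_roles), "overbroad": sorted(overbroad)}


# Constructed sample outputs with placeholder project and account names.
SAMPLE_ROLE = {"name": "projects/example-project/roles/kmsCustomRole", "stage": "GA",
               "includedPermissions": sorted(REQUIRED_PERMISSIONS - {"cloudkms.cryptoKeyVersions.useToDecrypt"})}
SAMPLE_POLICY = {"version": 1, "etag": "BwXexample", "bindings": [
    {"role": "projects/example-project/roles/kmsCustomRole",
     "members": ["serviceAccount:cvo-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]}]}

if __name__ == "__main__":
    print(missing_permissions(SAMPLE_ROLE))          # ['cloudkms.cryptoKeyVersions.useToDecrypt']
    print(audit_key_policy(SAMPLE_POLICY, "cvo-sa@example-project.iam.gserviceaccount.com",
                           "projects/example-project/roles/kmsCustomRole")["ok"])  # False
```

Pipe the real `--format=json` output into the two functions after running the binding command; a non-empty missing list or `ok` of False means the key setup will either fail the `security key-manager external gcp check` step or grant more than the encrypt/decrypt path needs.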

Cloud Volumes ONTAP
  1. Connect to the cluster management LIF with your preferred SSH client.

  2. Switch to the advanced privilege level:
    set -privilege advanced

  3. Configure DNS for the data SVM:
    dns create -domains c.<project>.internal -name-servers server_address -vserver SVM_name

  4. Create the CMEK entry:
    security key-manager external gcp enable -vserver SVM_name -project-id project -key-ring-name key_ring_name -key-ring-location key_ring_location -key-name key_name

  5. When prompted, enter the service account JSON key from your GCP account.

  6. Confirm that enabling the key manager succeeded:
    security key-manager external gcp check -vserver svm_name

  7. OPTIONAL: Create a volume to test encryption:
    vol create volume_name -aggregate aggregate -vserver vserver_name -size 10G

Troubleshoot

If you need to troubleshoot, you can tail the raw REST API logs with the following two commands:

  1. set d (switch to the diagnostic privilege level)

  2. systemshell -node node -command tail -f /mroot/etc/log/mlog/kmip2_client.log