Manage keys with Google's Cloud Key Management Service
You can use Google Cloud Platform's Key Management Service (Cloud KMS) to protect your ONTAP encryption keys in a Google Cloud Platform-deployed application.
Key management with Cloud KMS can be enabled with the CLI or the ONTAP REST API.
When using Cloud KMS, be aware that by default a data SVM's LIF is used to communicate with the cloud key management endpoint, while the node management network is used to communicate with the cloud provider's authentication services (oauth2.googleapis.com). If the cluster network is not configured correctly, the cluster cannot use the key management service.
- Cloud Volumes ONTAP must be running version 9.10.1 or later
- Volume Encryption (VE) license installed
- Multi-tenant Encryption Key Management (MTEKM) license installed, starting with Cloud Volumes ONTAP 9.12.1 GA.
- You must be a cluster or SVM administrator
- An active Google Cloud Platform subscription
- Cloud KMS can only be configured on a data SVM
Configuration
- In your Google Cloud environment, create a symmetric GCP key ring and key.
- Create a custom role for your Cloud Volumes ONTAP service account:
  gcloud iam roles create kmsCustomRole --project=<project_id> --title=<kms_custom_role_name> --description=<custom_role_description> --permissions=cloudkms.cryptoKeyVersions.get,cloudkms.cryptoKeyVersions.list,cloudkms.cryptoKeyVersions.useToDecrypt,cloudkms.cryptoKeyVersions.useToEncrypt,cloudkms.cryptoKeys.get,cloudkms.keyRings.get,cloudkms.locations.get,cloudkms.locations.list,resourcemanager.projects.get --stage=GA
- Assign the custom role to the Cloud KMS key and the Cloud Volumes ONTAP service account:
  gcloud kms keys add-iam-policy-binding key_name --keyring key_ring_name --location key_location --member serviceAccount:service_account_name --role projects/customer_project_id/roles/kmsCustomRole
- Download the service account JSON key:
  gcloud iam service-accounts keys create key-file --iam-account=sa-name@project-id.iam.gserviceaccount.com
- Connect to the cluster management LIF with your preferred SSH client.
- Switch to the advanced privilege level:
  set -privilege advanced
- Create a DNS configuration for the data SVM:
  dns create -domains c.<project>.internal -name-servers server_address -vserver SVM_name
- Create the CMEK entry:
  security key-manager external gcp enable -vserver SVM_name -project-id project -key-ring-name key_ring_name -key-ring-location key_ring_location -key-name key_name
- When prompted, enter the service account JSON key from your GCP account.
- Confirm that the enable operation succeeded:
  security key-manager external gcp check -vserver SVM_name
- OPTIONAL: Create a volume to test encryption:
  vol create volume_name -aggregate aggregate -vserver vserver_name -size 10G
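The custom role created in the second step is where least privilege is decided for this setup: ONTAP needs exactly the nine permissions passed to gcloud iam roles create, and any permission beyond them (key destruction, for instance) widens what a leaked service account JSON key could do. The following shell script is an added example, not NetApp or Google code; it audits a role's includedPermissions as printed by gcloud iam roles describe --format=yaml against that exact list and reports what is missing and what is extra. The YAML samples embedded in it are constructed, and the project and role names in them are placeholders.

```shell
#!/bin/sh
# Least-privilege audit of the Cloud Volumes ONTAP custom KMS role.
# Added example, not NetApp or Google code. Compares the includedPermissions
# of a role (as printed by 'gcloud iam roles describe ... --format=yaml')
# against the exact permission set the configuration procedure grants.

# The nine permissions from the 'gcloud iam roles create' step; nothing else is required.
REQUIRED_PERMS='cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeys.get
cloudkms.keyRings.get
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get'

# Print the items of the top-level includedPermissions list in a role YAML document.
role_permissions() {
  printf '%s\n' "$1" | awk '
    /^includedPermissions:/ { in_list = 1; next }
    in_list && /^ *- /      { sub(/^ *- /, ""); print; next }
    in_list && /^[^ -]/     { in_list = 0 }
  '
}

# Print the lines of $1 that do not occur in $2 (set difference, order of $1 kept).
set_diff() {
  printf '%s\n' "$1" | awk -v other="$2" '
    BEGIN { n = split(other, parts, "\n"); for (i = 1; i <= n; i++) seen[parts[i]] = 1 }
    NF && !($0 in seen) { print }
  '
}

# Report "MISSING <perm>" for required permissions the role lacks and
# "EXTRA <perm>" for permissions beyond the required set. Returns 0 only on an exact match.
audit_role() {
  actual=$(role_permissions "$1")
  rc=0
  for p in $(set_diff "$REQUIRED_PERMS" "$actual"); do
    echo "MISSING $p"; rc=1
  done
  for p in $(set_diff "$actual" "$REQUIRED_PERMS"); do
    echo "EXTRA $p"; rc=1
  done
  return $rc
}

# Constructed sample of 'gcloud iam roles describe' output, here with one required
# permission missing and one destructive permission added. Names are placeholders.
SAMPLE_OVERPRIVILEGED='description: KMS access for Cloud Volumes ONTAP
etag: BwXPLACEHOLDER
includedPermissions:
- cloudkms.cryptoKeyVersions.destroy
- cloudkms.cryptoKeyVersions.get
- cloudkms.cryptoKeyVersions.list
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeys.get
- cloudkms.keyRings.get
- cloudkms.locations.get
- cloudkms.locations.list
name: projects/example-project/roles/kmsCustomRole
stage: GA
title: kmsCustomRole'

# Constructed sample matching the role created in the procedure exactly.
SAMPLE_EXACT="description: KMS access for Cloud Volumes ONTAP
etag: BwXPLACEHOLDER
includedPermissions:
$(printf '%s\n' "$REQUIRED_PERMS" | sed 's/^/- /')
name: projects/example-project/roles/kmsCustomRole
stage: GA
title: kmsCustomRole"

# Stand-alone use: with a role id and project id as arguments, audit the live role;
# with no arguments, audit the constructed over-privileged sample.
if [ $# -ge 2 ]; then
  audit_role "$(gcloud iam roles describe "$1" --project="$2" --format=yaml)"
else
  audit_role "$SAMPLE_OVERPRIVILEGED" || echo "role deviates from the least-privilege set"
fi
```

Run it as `sh audit_kms_role.sh kmsCustomRole <project_id>` after creating the role, and again whenever the role is edited; a non-zero exit means the role no longer matches what the procedure grants, which is also a cheap check to wire into whatever reviews IAM changes in the project.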
Troubleshoot
If you need to troubleshoot the final two steps above, you can tail the raw REST API logs:
- set d
- systemshell -node node -command tail -f /mroot/etc/log/mlog/kmip2_client.log