Using customer-managed encryption keys with Cloud Volumes ONTAP
While Google Cloud Storage always encrypts your data before it's written to disk, you can use the BlueXP API to create a Cloud Volumes ONTAP system that uses customer-managed encryption keys. These are keys that you generate and manage in GCP using the Cloud Key Management Service.
-
Ensure that the BlueXP Connector service account has the correct permissions at the project level, in the project where the key is stored.
The permissions are provided in the Connector service account permissions by default, but may not be applied if you use an alternate project for the Cloud Key Management Service.
The permissions are as follows:
- cloudkms.cryptoKeyVersions.useToEncrypt - cloudkms.cryptoKeys.get - cloudkms.cryptoKeys.list - cloudkms.keyRings.list
-
Ensure that the service account for the Google Compute Engine Service Agent has Cloud KMS Encrypter/Decrypter permissions on the key.
The name of the service account uses the following format: "service-[service_project_number]@compute-system.iam.gserviceaccount.com".
-
Obtain the "id" of the key by invoking the get command for the
/gcp/vsa/metadata/gcp-encryption-keys
API call or by choosing "Copy Resource Name" on the key in the GCP console. -
If using customer-managed encryption keys and tiering data to object storage, BlueXP attempts to utilize the same keys that are used to encrypt the persistent disks. But you'll first need to enable Google Cloud Storage buckets to use the keys:
-
Find the Google Cloud Storage service agent by following the Google Cloud Documentation: Getting the Cloud Storage service agent.
-
Navigate to the encryption key and assign the Google Cloud Storage service agent with Cloud KMS Encrypter/Decrypter permissions.
For more information, refer to Google Cloud Documentation: Using customer-managed encryption keys
-
-
Use the "GcpEncryption" parameter with your API request when creating a working environment.
Example
"gcpEncryptionParameters": { "key": "projects/project-1/locations/us-east4/keyRings/keyring-1/cryptoKeys/generatedkey1" }
Refer to the BlueXP automation docs for more details about using the "GcpEncryption" parameter.