This page describes how to encrypt content stored in repositories with customer-managed encryption keys (CMEK).
Overview
By default, Google Cloud automatically encrypts data when it is at rest using Google-owned and Google-managed keys. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can create repositories encrypted with CMEK keys. Metadata about a repository, such as the repository name, is encrypted with Google default encryption.
When you enable CMEK, data at rest in repositories is encrypted using a key that you manage within Cloud Key Management Service. You can control access to the CMEK key using Identity and Access Management. If you temporarily disable or permanently destroy the CMEK key, data encrypted with that key cannot be accessed.
CMEK gives you control over more aspects of the lifecycle and management of your keys, but also incurs additional costs for the Cloud KMS service. Artifact Registry repositories and other Google Cloud resources encrypted with CMEK can also consume Cloud KMS quota, depending on the type of key you use. Confirm that you have enough quota to enable application-layer secrets encryption for your applications and workflows.
Cloud KMS can run in the same Google Cloud project as Artifact Registry or in a separate project where you centrally manage keys for multiple projects. To support separation of duties and greater control over access to keys, we recommend that you create and manage keys in a separate project that does include other Google Cloud resources.
You assign a CMEK key when you create a repository. You cannot change the encryption mechanism of an existing repository. If you have a CMEK-encrypted repository, you cannot change the encryption mechanism to Google default encryption or assign a different Cloud KMS key for encryption.
For more information about CMEK in general, including when and why to enable it, see the Cloud KMS documentation.
Creating a key and granting permissions
The following instructions explain how to create a key for a repository and grant permissions to encrypt and decrypt repository data with the key. You can use a key created directly in Cloud KMS or an externally-managed key that you make available with Cloud External Key Manager.
In the Google Cloud project where you want to manage your keys:
Create a key ring and a key using one of the following options:
- Create the key ring and key directly in Cloud KMS.
- Use an externally-managed key. Create the external key and then create an Cloud EKM key to make the key available through Cloud KMS.
The Cloud KMS key location must match the repository location of the repository you will encrypt.
If you have not created a repository in the Artifact Registry project, the Artifact Registry service account does not yet exist. To create the service account, run the following command:
gcloud beta services identity create --service=artifactregistry.googleapis.com --project=PROJECT
Replace PROJECT with the ID of the project where Artifact Registry is running.
Grant the CryptoKey Encrypter/Decrypter IAM role (
roles/cloudkms.cryptoKeyEncrypterDecrypter
) to the Artifact Registry service account. Grant this permission on the key you created.Console
Go to the Cryptographic keys page.
Select the key you created.
Grant access to the Artifact Registry service account:
- Select SHOW INFO PANEL.
- Click ADD MEMBER.
- Add the Artifact Registry service account. The service account is service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com, where PROJECT-NUMBER is the project number of the Google Cloud project where Artifact Registry is running.
- In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
- Click SAVE.
Repeat the previous step to grant access to the account that will create repositories.
Return to the Cryptographic keys page and select the key again.
Select the SHOW INFO PANEL. You should see roles on the Role/Member column.
gcloud
Run the following command to grant access to the Artifact Registry service account:
gcloud kms keys add-iam-policy-binding [--project=PROJECT] \ KEY --location LOCATION --keyring=KEYRING \ --member serviceAccount:service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Where
- PROJECT is the ID of the project that contains the key.
- KEY is the key name.
- LOCATION is the key location. The key location must matche the repository location of the repository you will encrypt.
- KEYRING is the key ring name.
- PROJECT-NUMBER is the project number of the Google Cloud project that is running Artifact Registry.
Repeat the previous step to grant access to the account that will create repositories.
For more information about this command see the gcloud kms keys add-iam-policy-binding documentation.
You can now create a repository and specify the key to use for encryption.
Removing access
There are several ways to remove access to a CMEK-encrypted repository:
- Revoke the Cloud KMS CryptoKey Encrypter/Decrypter role from the Artifact Registry service account using the Google Cloud console or the gcloud CLI
- Temporarily disable the CMEK key
- Permanently destroy the CMEK key
We recommend that you revoke the permissions from the Artifact Registry service account before disabling or destroying a key. Changes to permissions are consistent within seconds, so you can observe the impacts of disabling or destroying a key.
When you disable or destroy the encryption key for a repository, you lose the ability to view or retrieve artifact data. All artifact data stored in the repository becomes inaccessible, including built artifacts, arbitrary binary data (blobs), and manifests such as a Docker manifest or an npm packument file. Users with the Artifact Registry Reader role or Viewer role can still view artifact metadata such as the artifact name, version, or tag.
Users with the Artifact Registry Administrator role or Owner role can delete the repository.
CMEK organization policies
Artifact Registry supports organization policy constraints that can require CMEK protection.
Policies can limit which Cloud KMS CryptoKeys can be used for CMEK protection.
When Artifact Registry API is in the
Deny
policy list of services of constraintconstraints/gcp.restrictNonCmekServices
, Artifact Registry refuses to create new repositories that aren't CMEK-protected.When
constraints/gcp.restrictCmekCryptoKeyProjects
is configured, Artifact Registry creates CMEK-protected repositories that are protected by a CryptoKey from an allowed project, folder, or organization.
Pub/Sub supports the same constraints. When you activate the
Artifact Registry API in a Google Cloud project, Artifact Registry
tries to automatically create a Pub/Sub topic with the topic ID
gcr
using Google-owned and Google-managed keys. When the Pub/Sub API is in the Deny
policy list for the constraint
constraints/gcp.restrictNonCmekServices
, Pub/Sub refuses to
create the topic. To create the gcr
topic with CMEK encryption, see the
Pub/Sub instructions for encrypting topics.
For more about configuring organization policies, see CMEK organization policies.
What's next?
- Create a repository encrypted with CMEK
- Learn more about CMEK
- Learn more about Google default encryption