Manage customer-managed encryption key policies

This page describes how to use customer-managed encryption keys (CMEK) with Google Cloud NetApp Volumes.

About CMEK

NetApp Volumes always encrypts your data at rest, using a separate key for each volume.

With CMEK, Cloud Key Management Service (Cloud KMS) wraps the stored volume keys with a key that you own and control. This gives you greater control over the encryption keys in use and the added security of keeping those keys on a system, or in a location, separate from the data. NetApp Volumes supports Cloud KMS capabilities such as hardware security modules (HSM-backed keys) and the full key management lifecycle: generate, use, rotate, and destroy.

The use of CMEK is optional. If you use it, CMEK policies are region-specific and NetApp Volumes supports only one CMEK policy per region. A CMEK policy attaches to a storage pool, and all volumes created in that pool use it. A region can contain a mix of storage pools with and without CMEK policies; pools without CMEK in a region can be converted to CMEK by using the migration action of that region's CMEK policy.

Considerations

The following sections describe limitations to consider when you use CMEK.

Key management

Using CMEK makes you solely responsible for your keys and, through them, your data. Cloud KMS only wraps the volume keys: if you disable or destroy the Cloud KMS key version that wrapped them, or revoke the permission NetApp Volumes uses to access the key, the service can no longer unwrap those volume keys and the affected volumes become inaccessible. Disabling a key version is reversible; destroying it is not, and data encrypted under a destroyed version is permanently lost.
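The following Go program is an added example, not NetApp Volumes or Cloud KMS code, that models what the sections above describe: each volume gets its own data key, the service stores that key only in wrapped form, and a stand-in for Cloud KMS (the fakeKMS type below, an assumption of this example that uses AES-256-GCM in place of the real service) supplies the wrapping key across rotate and destroy. Rotating the wrapping key does not re-encrypt volume data, it only re-wraps the small volume key; destroying the key version that wrapped a volume key makes that volume unrecoverable, which is the responsibility the previous paragraph refers to. The volume names and data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for Cloud KMS (an assumption of this example, not a real client).
// NetApp Volumes never sees these keys; it only asks KMS to wrap or unwrap volume keys.
type fakeKMS struct {
	primary int
	keys    map[int][]byte // version -> 32-byte AES key; the entry is removed on destroy
}

// rotate generates a new primary version (call it once before the first wrap); older
// versions keep working until destroyed.
func (k *fakeKMS) rotate() int {
	if k.keys == nil {
		k.keys = map[int][]byte{}
	}
	k.primary++
	k.keys[k.primary] = randBytes(32)
	return k.primary
}

// destroy discards key material: nothing wrapped under that version can ever be unwrapped.
func (k *fakeKMS) destroy(version int) { delete(k.keys, version) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not something this demo can recover from
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes here, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // NewGCM only fails for non-128-bit block ciphers
	return aead
}

// seal is AES-256-GCM with a random nonce prepended; aad binds the ciphertext to its volume.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// wrap seals a volume key under the primary KEK version and reports which version was used.
func (k *fakeKMS) wrap(dek []byte, name string) (int, []byte) {
	return k.primary, seal(k.keys[k.primary], dek, []byte(name))
}

func (k *fakeKMS) unwrap(version int, blob []byte, name string) ([]byte, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("KEK version %d destroyed: volume key is unrecoverable", version)
	}
	return open(key, blob, []byte(name))
}

// volume models one NetApp volume: data sealed with its own key, which the service stores
// only in wrapped form, together with the KEK version that wrapped it.
type volume struct {
	name       string
	kekVersion int
	wrappedDEK []byte
	data       []byte
}

func createVolume(k *fakeKMS, name string, plaintext []byte) *volume {
	dek := randBytes(32) // the volume-specific key the page describes
	ver, blob := k.wrap(dek, name)
	return &volume{name: name, kekVersion: ver, wrappedDEK: blob, data: seal(dek, plaintext, []byte(name))}
}

func readVolume(k *fakeKMS, v *volume) ([]byte, error) {
	dek, err := k.unwrap(v.kekVersion, v.wrappedDEK, v.name)
	if err != nil {
		return nil, err
	}
	return open(dek, v.data, []byte(v.name))
}

// rewrap moves the volume key under the current primary version; the data is not re-encrypted.
func rewrap(k *fakeKMS, v *volume) error {
	dek, err := k.unwrap(v.kekVersion, v.wrappedDEK, v.name)
	if err != nil {
		return err
	}
	v.kekVersion, v.wrappedDEK = k.wrap(dek, v.name)
	return nil
}
```

To exercise it, create a fakeKMS, call rotate once, create a volume, rotate again and rewrap, then destroy the retired version (reads still succeed) and finally the current version (reads fail with the "destroyed" error). The aad argument is what stops a wrapped key blob from being replayed under a different volume's name.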

Cloud KMS configurations

CMEK uses symmetric keys for encryption and decryption. After all volumes in a region are deleted for a project, the Cloud KMS configuration returns to the Ready state; it is used again when you create the next volume in that region.

Regional key rings

NetApp Volumes only supports regional KMS key rings and they need to reside in the same region as the CMEK policy.

Service level

CMEK is supported for storage pools at the Flex, Standard, Premium, and Extreme service levels.

CMEK is not supported for large volumes in Premium and Extreme service levels.

VPC Service Controls

When you use VPC Service Controls, make sure to consider Limitations of VPC Service Controls for NetApp Volumes.

What's next

Create a CMEK policy.