Manage customer-managed encryption key policies

This page describes the use of customer-managed encryption keys (CMEK) with Google Cloud NetApp Volumes.

About CMEK

NetApp Volumes always encrypts your data at rest, using volume-specific keys.

With CMEK, Cloud Key Management Service wraps your stored volume keys. This feature gives you greater control over the encryption keys you use and the added security of storing the keys on a system or in a ___location different from the data. NetApp Volumes supports Cloud Key Management Service capabilities such as hardware security modules, and the full key management lifecycle of generate, use, rotate, and destroy.

NetApp Volumes supports one CMEK policy per region. A CMEK policy attaches to a storage pool and all volumes created in that pool use it. You can have a mix of storage pools with and without CMEK policies in a region. If you have pools without CMEK in a specific region, you can convert them to CMEK by using the migration action of a region's CMEK policy.

The use of CMEK is optional. If used, CMEK policies are region-specific. You can only configure one policy per region.

Considerations

The following sections include limitations for CMEK to consider.

Key management

Using CMEK makes you solely responsible for your keys and your data.

Cloud KMS configurations

CMEK uses symmetric keys for encryption and decryption. After all volumes in a region are deleted for a project, the Cloud KMS configuration returns to its Ready (created) state. It is used again when you create the next volume in that region.

Regional key rings

NetApp Volumes only supports regional KMS key rings and they need to reside in the same region as the CMEK policy.

Service level

CMEK supports storage pools at the Flex, Standard, Premium, and Extreme service levels.

VPC Service Controls

When you use VPC Service Controls, make sure to consider Limitations of VPC Service Controls for NetApp Volumes.

CMEK organization policy

The CMEK organization policy for NetApp Volumes gives organizations control over data encryption keys and restricts which keys can be used for CMEK. This is achieved by enforcing CMEK usage for encrypting data at rest in new storage pools and allowing organizations to manage encryption keys using Cloud KMS. The organization policy is enforced at storage pool creation and doesn't affect existing storage pools.

Organization policies allow administrators to apply and enforce consistent constraints across all projects and resources. This is important for organizations that manage multiple projects and resources to enforce standardized policies.

There are two types of organization policy constraints that can be applied to CMEK:

  • Restrict Non-CMEK Services: lets you specify which services within an organization, project, or folder can be configured without CMEK. If you add a service to the deny list or exclude it in the allow list, then resources for that service will require CMEK. By default, this constraint allows the creation of non-CMEK resources.

  • Restrict CMEK CryptoKey Projects: lets you define which projects can provide KMS keys for CMEK when configuring resources within the organization, project, or folder. If this constraint is set, only KMS keys from the specified projects can be used for CMEK protected resources. If the constraint is not set, CryptoKeys from any project can be used.

For more information about how to apply an organization policy, see Apply a CMEK organization policy.
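As an added illustration, not Google's own enforcement code, the following Python models how the two constraints above, together with the regional key ring requirement, would evaluate a request to create a storage pool. The service name netapp.googleapis.com, the project names and the key names are assumed or constructed values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KEY_RE = re.compile(
    r"^projects/([^/]+)/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


@dataclass
class OrgPolicy:
    # gcp.restrictNonCmekServices, modelled as a deny list: listed services
    # must use CMEK (the allow-list form is not modelled here).
    non_cmek_denied_services: Set[str] = field(default_factory=set)
    # gcp.restrictCmekCryptoKeyProjects: None means unset (any project);
    # otherwise only keys from these projects may be used.
    cmek_key_projects: Optional[Set[str]] = None


def check_pool_creation(policy: OrgPolicy, service: str, region: str,
                        kms_key: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a new storage pool in `region`.

    `kms_key` is the Cloud KMS key of the region's CMEK policy, or None
    when the pool is created without CMEK."""
    if kms_key is None:
        if service in policy.non_cmek_denied_services:
            return False, f"{service} requires CMEK (restrictNonCmekServices)"
        return True, "non-CMEK pool allowed"
    m = KEY_RE.match(kms_key)
    if not m:
        return False, "malformed Cloud KMS key name"
    key_project, key_location = m.groups()
    # Key rings must be regional and in the same region as the CMEK policy.
    if key_location != region:
        return False, f"key ring is in {key_location}, policy region is {region}"
    if policy.cmek_key_projects is not None and key_project not in policy.cmek_key_projects:
        return False, f"project {key_project} not allowed (restrictCmekCryptoKeyProjects)"
    return True, "CMEK pool allowed"


if __name__ == "__main__":
    # Constructed example: NetApp Volumes must use CMEK, keys only from kms-prod.
    policy = OrgPolicy({"netapp.googleapis.com"}, {"kms-prod"})
    print(check_pool_creation(policy, "netapp.googleapis.com", "us-east4"))
    print(check_pool_creation(policy, "netapp.googleapis.com", "us-east4",
          "projects/kms-prod/locations/us-east4/keyRings/nv/cryptoKeys/k1"))
```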

CMEK options

NetApp Volumes offers support for CMEKs, which can be stored as software keys, hardware keys within an HSM cluster, or as external keys stored in Cloud External Key Manager (Cloud EKM).

For more information, see Cloud Key Management Service.

Disruptions to EKM service

External keys are managed by a third party, and Google Cloud isn't responsible for key availability.

If the External Key Manager (EKM) notifies Cloud Key Management Service that an external key is unreachable, users receive a detailed error about the key's current state. The affected volumes go offline, and all read and write operations to those volumes fail.

Users also receive an error if any of the following operations are attempted while EKM is unreachable:

What's next

Create a CMEK policy.