CMEK support for Encrypting SE Disks for GCP Cloud

Overview

This article describes the Customer Managed Encryption Key (CMEK) support for encrypting Service Engine (SE) disks in the GCP cloud.

Cloud Storage encrypts your data on the server side before writing it to disk. By default it manages the encryption keys itself, using the same hardened key management systems that Google uses for its own encrypted data, including strict key access controls and auditing.

As an additional layer on top of Google-managed encryption keys, you can use keys generated in Cloud Key Management Service (Cloud KMS). Such keys are known as Customer Managed Encryption Keys (CMEK). With CMEK, your encryption keys are stored in Cloud KMS, and the project that holds the keys can be independent from the project that contains your buckets, which allows better separation of duties.

Separation of duties ensures that no single identity holds all the permissions needed to complete a malicious action. With Cloud KMS, reading the data requires permission to use the key that decrypts it; without that permission the request is refused. Separation of duties is considered a best practice for privacy and security across the elements of an organization.

When you apply a customer-managed encryption key to an object, cloud storage uses the key while encrypting the following:

  • The object’s data
  • The object’s CRC32C checksum
  • The object’s MD5 hash

Prerequisites

Follow the steps below before using CMEK:

  1. Create a key in Google's Cloud KMS.
  2. Grant the Avi cloud service account one of the following on the key:
    a) the cloudkms.cryptoKeys.get permission, or
    b) the role roles/cloudkms.admin
  3. Grant the Google Compute Engine and Cloud Storage service agents one of the following on the key, so that they can use it to encrypt and decrypt data:
    a) the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions, or
    b) the role roles/cloudkms.cryptoKeyEncrypterDecrypter

The service agents that need access to the key, per operation:

  • To create the bucket and upload the image: the Cloud Storage service agent, service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
  • To create the GCP image and the SE disk: the Compute Engine service agent, service-[PROJECT_NUMBER]@compute-system.iam.gserviceaccount.com

Here [PROJECT_NUMBER] is the number of the project in which the SE image and disks are created, which need not be the project that holds the key.
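Added example, not part of the original article or the Avi product: a POSIX shell script that carries out the three prerequisite steps with gcloud. The key ring and key names, the project IDs and the Avi cloud service account address are placeholders to replace; the run/DRY_RUN wrapper is an assumption added so the commands can be reviewed before they are applied; and roles/cloudkms.viewer for the Avi account is an editor's least-privilege choice (it carries the cloudkms.cryptoKeys.get permission listed in step 2, unlike the far broader roles/cloudkms.admin).

```shell
#!/bin/sh
# Added example, not part of the Avi documentation: perform the three
# prerequisite steps with gcloud. Placeholders: key ring/key names, the key
# project, the SE project number, and the Avi cloud service account email.
set -eu

# With DRY_RUN=1 every gcloud command is printed instead of executed, so the
# grants can be reviewed before they are applied (helper added here).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bind ROLE to MEMBER on one key. Binding on the key resource, not on the
# project, keeps the grant scoped to this CMEK only.
bind_on_key() {
    # $1 key project, $2 location, $3 key ring, $4 key, $5 member, $6 role
    run gcloud kms keys add-iam-policy-binding "$4" \
        --project "$1" --location "$2" --keyring "$3" \
        --member "$5" --role "$6"
}

# Step 1: create the key. LOCATION must be the SE region or "global",
# since only a key co-located with (or global to) the SEs can be used.
create_cmek() {
    # $1 key project, $2 location, $3 key ring, $4 key
    run gcloud kms keyrings create "$3" --project "$1" --location "$2"
    run gcloud kms keys create "$4" --project "$1" --location "$2" \
        --keyring "$3" --purpose encryption
}

# Steps 2 and 3: grant the Avi cloud service account and the two Google
# service agents of the SE project access to the key.
grant_key_access() {
    # $1 key project, $2 location, $3 key ring, $4 key,
    # $5 SE project number, $6 Avi cloud service account email
    # The Avi connector only needs cloudkms.cryptoKeys.get. The article lists
    # roles/cloudkms.admin; roles/cloudkms.viewer carries that permission with
    # far less authority, so it is used here (editor's choice, not Avi's).
    bind_on_key "$1" "$2" "$3" "$4" "serviceAccount:$6" roles/cloudkms.viewer
    # Cloud Storage service agent: encrypts the bucket holding the raw SE image.
    bind_on_key "$1" "$2" "$3" "$4" \
        "serviceAccount:service-$5@gs-project-accounts.iam.gserviceaccount.com" \
        roles/cloudkms.cryptoKeyEncrypterDecrypter
    # Compute Engine service agent: encrypts the GCP image and the SE disks.
    bind_on_key "$1" "$2" "$3" "$4" \
        "serviceAccount:service-$5@compute-system.iam.gserviceaccount.com" \
        roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Usage: sh cmek-prereqs.sh KEY_PROJECT LOCATION KEYRING KEY SE_PROJECT_NUMBER AVI_SA_EMAIL
# The SE project number (not ID) comes from:
#   gcloud projects describe SE_PROJECT_ID --format='value(projectNumber)'
if [ "$#" -eq 6 ]; then
    create_cmek "$1" "$2" "$3" "$4"
    grant_key_access "$1" "$2" "$3" "$4" "$5" "$6"
fi
```

Run it once with DRY_RUN=1 to see the exact bindings, then without. All three bindings are placed on the key itself, so revoking CMEK access later means editing one key's IAM policy rather than the project's.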

Configuring Google Cloud

While configuring the Google cloud, you must provide the key to be used for encryption. Provide the key's resource ID in URI format, as follows:

projects/project-id/locations/region/keyRings/key-ring-name/cryptoKeys/key-name

The corresponding field in the Cloud configuration object is defined as follows:

message Cloud {
    ...
    message GCPConfiguration {
        ...
        optional string encryption_key_id = 10 [
            (introduced_in) = "18.2.7",
            (f_description) = "Key Resource ID of Customer-Managed Encryption Key (CMEK) used to encrypt Service Engine disks and images."
        ];
    }
    ...
}

Note: The key can be in any project, independent of the SE project, but its location must be the same region as the SEs, or global.

Encrypting with CMEK

The key provided in the above section is used to encrypt the following:

  1. The bucket created to upload the raw SE image file.
  2. The GCP image created out of the raw image.
  3. The SE disk when SE is created.

Modifying the Encryption Options

You can modify the encryption options on a cloud that is already created. The modifications include:

  1. Enabling or disabling encryption

  2. Changing the key used for encryption

The key can be changed only while there are no SEs in the system. This prevents a mix of SEs encrypted with different keys: if the key changed while SEs existed, the cloud connector would lose its reference to the old key and could no longer warn you if that key, on which the existing SE disks still depend, were deleted.

If the encryption options are changed, the cloud connector recreates the SE image in the cloud, which triggers a new image upload.

Note the following:

  1. The key must be given in the URI format shown above.

  2. The key can be modified only if no SEs have been created.

  3. Check the key's location: it must be the same region as the SEs, or global. You can copy the key ID from the Disk Encryption Key field in the GCP console, as shown below.

[Screenshot: new-cloud]
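Added example, not part of the original article or the Avi product: a shell pre-flight check to run on the value destined for encryption_key_id before saving the cloud configuration. It enforces notes 1 and 3 above: it rejects a key version path (the documented format ends at cryptoKeys/key-name, so a trailing cryptoKeyVersions segment is not a key resource ID), anything not in the projects/.../cryptoKeys/... URI format, and a regional key whose region differs from the SE region. The function name, the messages and the sample inputs are my own.

```shell
#!/bin/sh
# Added example, not from the Avi documentation: validate a CMEK resource ID
# against the SE region before it is entered as encryption_key_id.
# Usage: validate_key_id KEY_RESOURCE_ID SE_REGION

validate_key_id() {
    key_id=$1
    se_region=$2

    # A key *version* path is not a key resource ID; the documented format
    # stops at cryptoKeys/key-name.
    case $key_id in
        */cryptoKeyVersions/*)
            echo "reject: '$key_id' names a key version, not a key; strip the cryptoKeyVersions suffix" >&2
            return 1 ;;
    esac

    # Extract the location segment; sed prints nothing if the whole string does
    # not match projects/P/locations/L/keyRings/R/cryptoKeys/K exactly.
    key_location=$(printf '%s\n' "$key_id" | sed -n \
        's#^projects/[^/]\{1,\}/locations/\([^/]\{1,\}\)/keyRings/[^/]\{1,\}/cryptoKeys/[^/]\{1,\}$#\1#p')
    if [ -z "$key_location" ]; then
        echo "reject: '$key_id' is not in the form projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>" >&2
        return 1
    fi

    # The key must be global or co-located with the SEs; a key in another
    # region cannot be used for the SE disks.
    if [ "$key_location" != global ] && [ "$key_location" != "$se_region" ]; then
        echo "reject: key is in '$key_location' but the SEs are in '$se_region'" >&2
        return 1
    fi

    echo "ok: $key_id (location $key_location) is usable for SEs in $se_region"
    return 0
}

# Constructed sample inputs (placeholders, not real projects or keys).
if [ "$#" -eq 2 ]; then
    validate_key_id "$1" "$2"
else
    validate_key_id 'projects/key-proj/locations/us-central1/keyRings/avi-ring/cryptoKeys/avi-key' us-central1 || true
    validate_key_id 'projects/key-proj/locations/global/keyRings/avi-ring/cryptoKeys/avi-key' us-east1 || true
    validate_key_id 'projects/key-proj/locations/us-central1/keyRings/avi-ring/cryptoKeys/avi-key' us-east1 || true
    validate_key_id 'projects/key-proj/locations/us-central1/keyRings/avi-ring/cryptoKeys/avi-key/cryptoKeyVersions/1' us-central1 || true
fi
```

The check is deliberately strict about the full path rather than only the location, because a malformed ID is caught here in seconds but otherwise surfaces only when the cloud connector attempts the image upload.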

Additional Reading