This page describes how to create, configure, and apply customer-managed encryption keys (CMEK) for AlloyDB for PostgreSQL.
To learn more about CMEK, see About CMEK.
Create and authorize a CMEK key for AlloyDB
Create a key in Cloud Key Management Service (Cloud KMS). AlloyDB supports the following kinds of keys:
The key must be in the same location as your AlloyDB cluster. For example, a AlloyDB cluster located in
us-west1can use only keys inus-west1.If you already have a Cloud KMS key in the correct location, you can skip this step.
Grant AlloyDB access to the key.
Using the Google Cloud CLI, create and display the service agent, or display it if the account already exists:
gcloud beta services identity create --service=alloydb.googleapis.com \ --project=PROJECTThe gcloud services identity command creates or gets the service agent that AlloyDB can use to access the Cloud KMS key on your behalf.
The service account ID resembles an email address:
Service identity created: service-xxx@gcp-sa-alloydb.iam.gserviceaccount.comGrant the
cloudkms.cryptoKeyEncrypterDecrypterrole to the service account:gcloud kms keys add-iam-policy-binding KEY \ --location REGION \ --keyring KEYRING \ --project=PROJECT \ --member serviceAccount:service-xxx@gcp-sa-alloydb.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypterReplace the following:
- KEY: the Cloud KMS ID of the key
- REGION: the key's region—for example,
us-central1 - PROJECT: the ID of the key's project
- KEYRING: the ID of the key's Cloud KMS keyring
This role ensures the service account has permission to both encrypt and decrypt with the Cloud KMS key. For more information, see Cloud KMS Permissions and Roles.
Create a CMEK-encrypted cluster
When creating a new cluster, you can choose whether to encrypt it with the default Google-managed encryption or to use a CMEK key instead. For more information, see Create a cluster and its primary instance.
View a cluster's encryption method and CMEK key
Console
The Encryption column of the Clusters page displays whether each cluster in your project uses Google-managed encryption or CMEK.
To see the key details of a cluster using CMEK, click its name in the Resource name column. The subsequent detail page's Encryption key field contains a description of the key, including a link to its own Cloud KMS detail page.
gcloud
Call the gcloud alloydb clusters describe command:
gcloud alloydb clusters describe CLUSTER \
--project=PROJECT \
--region=REGIONReplace the following:
- CLUSTER: the ID of the cluster to describe
- PROJECT: the ID of the cluster's project
- REGION: the cluster's region—for example,
us-central1
The output includes an encryptionInfo field with a summary of the cluster's encryption.
Apply CMEK to backups
When creating a new backup, you can choose whether to encrypt it with the default Google-managed encryption or to use a CMEK key instead. For more information, see Create an on-demand backup or Schedule automatic backups.
You also have the option to apply a CMEK key to the cluster created when restoring from a backup, regardless of that backup's encryption method. For more on this, see Restore a cluster.
View a backup's encryption method and CMEK key
Console
The Encryption column of the Backups page displays whether each cluster in your project uses Google-managed encryption or CMEK.
To see the key details of a backup using CMEK, click Restore. The subsequent detail panel's Encryption key field contains a description of the key, including a link to its own Cloud KMS detail page.
gcloud
Call the gcloud alloydb backups describe command:
gcloud alloydb backups describe CLUSTER \
--project=PROJECT \
--region=REGIONReplace the following:
- CLUSTER: the ID of the backup to describe
- PROJECT: the ID of the backup's project
- REGION: the backup's region—for example,
us-central1
The output includes an encryptionInfo field with a summary of the backup's encryption.
Disable a key
Disabling a cluster's CMEK key makes that cluster's data inaccessible until you enable the key again.
However, disabling a key can take up to three hours to propagate to your AlloyDB cluster. To disable a key while preventing access to your data immediately, follow these steps:
Delete your cluster's primary instance. This does not affect your cluster's data. You can create a new primary instance after re-enabling the key, as described in the following section.
Enable a key
To enable a key, follow these steps:
If you deleted your cluster's primary instance before disabling your key, create a new primary instance.
Enabling a key can take up to three hours to propagate to your cluster. The cluster's data becomes accessible as soon as this propagation happens.
View audit logs for a Cloud KMS key
To view audit logs associated with a particular CMEK key, follow these steps:
Make sure that logging is enabled for the Cloud KMS API in your project.
Go to the Logs Explorer in the Google Cloud console.
Limit the log entries to your Cloud KMS key by adding the following lines to the query builder:
resource.type="cloudkms_cryptokey" resource.labels.location="REGION" resource.labels.key_ring_id="KEYRING" resource.labels.crypto_key_id="KEY"Replace the following:
- REGION: the key's region—for example,
us-central1 - KEYRING: the ID of the key's Cloud KMS keyring
- KEY: the Cloud KMS ID of the key
- REGION: the key's region—for example,
Under normal operations, encrypt and decrypt operations are logged with
INFOseverity. These entries are logged when the instances in your AlloyDB cluster validate the {kms_name_short}} key, which occurs about every five minutes.If AlloyDB fails to access the key, the operations are logged as
ERROR.
View access justifications for a Cloud EKM key
If you use a Cloud EKM key, then you can use Key Access Justifications to view the reason for each Cloud EKM request. Additionally, based on the justification provided, you can automatically approve or deny a request. For more information, see View and act on justifications.