This topic provides an overview of Key Access Justifications. For information on creating and managing external keys, see Cloud EKM overview.

Key Access Justifications works by adding a field to your Cloud EKM requests that allows you to view the reason for each request. With select external key management partners, you can automatically approve or deny these requests, based on the justification.

How encryption at rest works

Google Cloud encryption at rest works by encrypting your data stored on Google Cloud with an encryption key that lives outside the service where the data is stored. For example, if you encrypt data in Cloud Storage, the service only stores the encrypted information you have stored, whereas the key used to encrypt that data is stored in the Cloud KMS (if you are using customer-managed encryption keys (CMEK)) or in your external key manager (if you are using Cloud External Key Manager).

When you use a Google Cloud service, you want your applications to continue working as described, and this will require your data to be decrypted. For example, if you run a query using BigQuery, the BigQuery service needs to decrypt your data in order to analyze it. In order to do this, BigQuery calls the key manager in order to decrypt the data.

Why would my keys be accessed?

Your encryption keys are most often accessed by automated systems while servicing your own requests and workloads on Google Cloud.

In addition to customer-initiated accesses, a Google employee might need to initiate operations which use your encryption keys for the following reasons:

  • Optimize the structure or quality of data: Google systems might need to access your encryption keys to index, structure, precompute, hash, shard, or cache your data.

  • Back up your data: Google might need to access your encryption keys to back up your data for disaster recovery reasons.

  • Resolve a support request: A Google employee might need to decrypt your data to fulfill the contractual obligation of providing support.

  • Manage and troubleshoot systems: Google personnel can initiate operations which use your encryption keys to perform technical debugging needed for a complex support request or investigation. Access might also be needed to remediate storage failure or data corruption.

  • Ensure data integrity and compliance, and protect against fraud and abuse: Google might need to decrypt data for the following reasons:

    • To ensure the safety and security of your data and accounts.
    • To make sure that you are using Google services in compliance with Google Terms of Service.
    • To investigate complaints by other users and customers, or other signals of abusive activity.
    • To verify that Google services are being used in accordance with the relevant compliance regimes, such as the anti-money laundering regulations.
  • Maintain system reliability: Google personnel can request access to investigate that a suspected service outage doesn't affect you. Also, access might be requested to ensure backup and recovery from outages or system failures.

For the list of justification codes, see justification reason codes for Key Access Justifications.

Managing access to your externally managed keys

Key Access Justifications provides a reason every time your externally managed keys are accessed. Reasons are only provided when keys are externally managed. Accesses to keys stored in Cloud KMS or Cloud HSM don't provide a reason. When a key is stored in your external key manager, you receive a justification for both service-based access (for supported services) and direct API access.

After you are enrolled in Key Access Justifications and using an externally managed key, you immediately receive justifications for every key access.

If you are using Key Access Justifications and Access Approval with an external customer-managed key, administrative access requests can't be processed unless the approvals are signed with the externally managed key after passing a Key Access Justifications policy check for the signing request. All access approvals that are signed by the key appear in Access Transparency logs.

Enabling Key Access Justifications

To enable Key Access Justifications for an organization, you must enroll in Assured Workloads. Key Access Justifications is enabled for all Assured Workloads customers by default.

For information about getting started with Assured Workloads, see How to use Assured Workloads.

Key Access Justifications exclusions

Key Access Justifications only applies to:

  • Operations on encrypted data. For the fields within a given service that are encrypted by an externally managed key, please see the documentation for the given service you are using.
  • The transition from data-at-rest to data-in-use. While Google continues to apply protections to your data-in-use, the Key Access Justifications governs the transition from data-at-rest to data-in-use only.
  • Compute Engine/Persistent Disk CMEK exemptions:
    • Local SSD and auto-restart are excluded.
    • Machine image operations are excluded.

What's next