This document shows how to use customer-managed encryption keys (CMEK) to encrypt and control data at rest in a cloud service through Cloud Key Management Service. CMEK is integrated with code customization for Gemini Code Assist.
If you don't use a CMEK, Google automatically manages the keys that encrypt the data by default. This behavior is known as Google default encryption. With this default behavior, you don't have control over the encryption keys.
In this document, you do the following:
- Learn how to create a CMEK.
- Grant permissions to the Gemini Code Assist service account.
- Create a code repository index with a CMEK.
- Remove access to a CMEK repository.
By default, Gemini for Google Cloud encrypts customer content at rest. Gemini handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Gemini. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Gemini resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Before you begin
- In the Google Cloud console, activate Cloud Shell.
- In your shell environment, run the gcloud components update command to ensure that you have updated all installed components of the gcloud CLI to the latest version. For this step, you can install and initialize the gcloud CLI, or you can use Cloud Shell.
gcloud components update
Create a CMEK and grant permissions
To create a CMEK and grant the Gemini Code Assist service account permissions on the key, perform the following tasks:
In the Google Cloud project where you want to manage your keys, do the following:
Create a key ring and a key using one of the following options:
- Create the key ring and key directly in Cloud KMS.
- Use an externally managed key. Create the external key, and then create a Cloud EKM key to make the key available through Cloud KMS.
Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Gemini Code Assist service account. Grant this permission on the key that you created.
Console
Go to Key management.
Select the key that you created.
Grant access to the Gemini Code Assist service account:
- Click Add principal.
- Add the Gemini Code Assist service account. The service account is service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com, where PROJECT_NUMBER is the project number of the Google Cloud project where Gemini Code Assist is enabled.
- In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
- Click Save.
Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.
Return to the Key management page and select the key again.
Select Show info panel. You should see roles in the Role/Member column.
gcloud
To grant access to the Gemini Code Assist service account, in a shell environment, use the kms keys add-iam-policy-binding command:
gcloud kms keys add-iam-policy-binding KEY_NAME \
--project=PROJECT_ID \
--location=LOCATION \
--keyring=KEYRING_NAME \
--member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com" \
--role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
Replace the following:
- KEY_NAME: the key name.
- PROJECT_ID: the ID of the project that contains the key.
- LOCATION: the key location.
- KEYRING_NAME: the key ring name.
- PROJECT_NUMBER: the project number of the Google Cloud project with Gemini Code Assist enabled.
Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.
For more information about this command, see the gcloud kms keys add-iam-policy-binding documentation.
You can now create a code repository index with a CMEK using the API, and specify the key to use for encryption.
Create a code repository index with a CMEK
In the gcloud CLI, create a new code repository index that is protected by a CMEK:
gcloud gemini code-repository-indexes create CODE_REPOSITORY_INDEX_NAME \
--location=LOCATION \
--kms-key="projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME"
Replace the following:
- CODE_REPOSITORY_INDEX_NAME: the name of the code repository index that you'll create.
- LOCATION: the key location.
- KEY_PROJECT_ID: the key project ID.
- KEYRING_NAME: the key ring name.
- KEY_NAME: the key name.
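The three tasks above (create the key ring and key, grant the role on the key, create the index) as one script. This is an added example, not Google's documentation or tooling: every project ID, location, key ring, key, index name and operator principal is a constructed placeholder, the 90-day rotation schedule is a choice made here rather than a requirement of the page, and the project number used in dry-run mode is made up. With DRY_RUN=1 (the default) each gcloud command is printed instead of executed, so the script can be reviewed before it touches a real project.

```shell
#!/bin/sh
# Added example, not Google's own tooling: end-to-end CMEK setup for a Gemini
# Code Assist code repository index. All project, location and key names are
# constructed placeholders. DRY_RUN=1 (the default) prints each gcloud command
# instead of running it; set DRY_RUN=0 to execute against real projects.
set -eu

CMEK_KEY_PROJECT_ID="${CMEK_KEY_PROJECT_ID:-key-project-placeholder}"
CMEK_GEMINI_PROJECT_ID="${CMEK_GEMINI_PROJECT_ID:-gemini-project-placeholder}"
CMEK_LOCATION="${CMEK_LOCATION:-us-central1}"
CMEK_KEYRING_NAME="${CMEK_KEYRING_NAME:-gemini-keyring}"
CMEK_KEY_NAME="${CMEK_KEY_NAME:-code-index-key}"
CMEK_INDEX_NAME="${CMEK_INDEX_NAME:-main-index}"
# Principal that will run 'code-repository-indexes create'; it needs the role too.
CMEK_OPERATOR="${CMEK_OPERATOR:-user:operator@example.com}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Gemini Code Assist service agent; it is keyed by project *number*, not ID.
gemini_service_account() {
  printf 'service-%s@gcp-sa-cloudaicompanion.iam.gserviceaccount.com' "$1"
}

# Full Cloud KMS resource name in the form --kms-key expects.
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Resolve a project ID to its number (constructed value in dry-run mode).
project_number() {
  if [ "$DRY_RUN" = "1" ]; then printf '123456789012'; return 0; fi
  gcloud projects describe "$1" --format='value(projectNumber)'
}

create_key() {
  run gcloud kms keyrings create "$CMEK_KEYRING_NAME" \
    --project="$CMEK_KEY_PROJECT_ID" --location="$CMEK_LOCATION"
  # Symmetric encryption key with a 90-day automatic rotation schedule (a
  # choice made here; the page only notes that rotation is under your control).
  run gcloud kms keys create "$CMEK_KEY_NAME" \
    --project="$CMEK_KEY_PROJECT_ID" --location="$CMEK_LOCATION" \
    --keyring="$CMEK_KEYRING_NAME" --purpose=encryption \
    --rotation-period=90d --next-rotation-time=+P90D
}

# Grant CryptoKey Encrypter/Decrypter on the key itself (not the ring or the
# project) to both the Gemini service agent and the account creating the index.
grant_key_access() {
  sa="$(gemini_service_account "$(project_number "$CMEK_GEMINI_PROJECT_ID")")"
  for member in "serviceAccount:$sa" "$CMEK_OPERATOR"; do
    run gcloud kms keys add-iam-policy-binding "$CMEK_KEY_NAME" \
      --project="$CMEK_KEY_PROJECT_ID" --location="$CMEK_LOCATION" \
      --keyring="$CMEK_KEYRING_NAME" --member="$member" \
      --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
  done
}

# Create the index, pointing at the key in the (possibly different) key project.
create_index() {
  run gcloud gemini code-repository-indexes create "$CMEK_INDEX_NAME" \
    --project="$CMEK_GEMINI_PROJECT_ID" --location="$CMEK_LOCATION" \
    --kms-key="$(kms_key_resource "$CMEK_KEY_PROJECT_ID" "$CMEK_LOCATION" \
                                  "$CMEK_KEYRING_NAME" "$CMEK_KEY_NAME")"
}

create_key
grant_key_access
create_index
```

Keeping the key in a separate project from the one where Gemini Code Assist is enabled is the reason the script carries two project variables: the role is granted on the key in the key project, while the index is created in the Gemini project and references the key by its full resource name.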
Remove access to a CMEK repository
There are several ways to remove access to a CMEK-encrypted repository:
- Revoke the Cloud KMS CryptoKey Encrypter/Decrypter role from the Gemini Code Assist service account using the Google Cloud console or the gcloud CLI.
- Temporarily disable the CMEK.
- Permanently destroy the CMEK.
We recommend that you revoke the permissions from the Gemini Code Assist service account before disabling or destroying a key. Changes to permissions are consistent within seconds, so you can observe the impacts of disabling or destroying a key.
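The recommended order (revoke the role first, then disable the key version) as a script, with a check that the service account no longer appears in the key's IAM policy. This is an added example, not Google's documentation or tooling; it goes slightly beyond the page by reading the policy back after revocation. Project, location and key names and the project number are constructed placeholders, and DRY_RUN=1 (the default) prints the gcloud commands rather than running them.

```shell
#!/bin/sh
# Added example, not Google's own tooling: remove Gemini Code Assist's access to
# a CMEK in the order the page recommends (revoke the IAM binding first, then
# disable the key version), and verify the binding is gone. Names are
# constructed placeholders; DRY_RUN=1 (the default) prints the gcloud commands
# instead of running them.
set -eu

CMEK_KEY_PROJECT_ID="${CMEK_KEY_PROJECT_ID:-key-project-placeholder}"
CMEK_LOCATION="${CMEK_LOCATION:-us-central1}"
CMEK_KEYRING_NAME="${CMEK_KEYRING_NAME:-gemini-keyring}"
CMEK_KEY_NAME="${CMEK_KEY_NAME:-code-index-key}"
GEMINI_PROJECT_NUMBER="${GEMINI_PROJECT_NUMBER:-123456789012}"   # constructed
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IAM member string for the Gemini Code Assist service agent.
gemini_member() {
  printf 'serviceAccount:service-%s@gcp-sa-cloudaicompanion.iam.gserviceaccount.com' "$1"
}

# Step 1: revoke the role. IAM changes are consistent within seconds, so the
# effect on the index is observable almost immediately.
revoke_gemini_access() {
  run gcloud kms keys remove-iam-policy-binding "$CMEK_KEY_NAME" \
    --project="$CMEK_KEY_PROJECT_ID" --location="$CMEK_LOCATION" \
    --keyring="$CMEK_KEYRING_NAME" \
    --member="$(gemini_member "$GEMINI_PROJECT_NUMBER")" \
    --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
}

# Extract the numeric version id from a full cryptoKeyVersion resource name,
# e.g. .../cryptoKeys/k/cryptoKeyVersions/3 -> 3.
version_id_from_name() {
  printf '%s' "${1##*/}"
}

# Step 2 (reversible): disable the key's primary version. Unlike destroying it,
# this can be undone later with 'gcloud kms keys versions enable'.
disable_primary_version() {
  if [ "$DRY_RUN" = "1" ]; then
    primary="projects/x/locations/x/keyRings/x/cryptoKeys/x/cryptoKeyVersions/1"  # constructed
  else
    primary="$(gcloud kms keys describe "$CMEK_KEY_NAME" \
      --project="$CMEK_KEY_PROJECT_ID" --location="$CMEK_LOCATION" \
      --keyring="$CMEK_KEYRING_NAME" --format='value(primary.name)')"
  fi
  run gcloud kms keys versions disable "$(version_id_from_name "$primary")" \
    --key="$CMEK_KEY_NAME" --project="$CMEK_KEY_PROJECT_ID" \
    --location="$CMEK_LOCATION" --keyring="$CMEK_KEYRING_NAME"
}

# Verification: given the key's IAM policy text (the output of
# 'gcloud kms keys get-iam-policy KEY ... --format=json'), succeed only if the
# Gemini service agent no longer appears anywhere in it.
gemini_absent_from_policy() {
  case "$1" in
    *"$(gemini_member "$GEMINI_PROJECT_NUMBER")"*) return 1 ;;
    *) return 0 ;;
  esac
}

fetch_key_policy() {
  gcloud kms keys get-iam-policy "$CMEK_KEY_NAME" \
    --project="$CMEK_KEY_PROJECT_ID" --location="$CMEK_LOCATION" \
    --keyring="$CMEK_KEYRING_NAME" --format=json
}

revoke_gemini_access
disable_primary_version
if [ "$DRY_RUN" != "1" ]; then
  if gemini_absent_from_policy "$(fetch_key_policy)"; then
    echo "Gemini Code Assist no longer holds a binding on $CMEK_KEY_NAME"
  else
    echo "WARNING: Gemini Code Assist still appears in the key policy" >&2
  fi
fi
```

Disabling the primary version is the middle option from the list above: it blocks use of the key even for principals that still hold the role, but, unlike destruction, it can be reversed if the index needs to be brought back.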