Encrypt data with customer-managed encryption keys

This document shows how to use customer-managed encryption keys (CMEK) to encrypt and control data at rest in a cloud service through Cloud Key Management Service. CMEK is integrated with code customization for Gemini Code Assist.

If you don't use a CMEK, Google automatically manages the keys that encrypt the data by default. This behavior is known as Google default encryption. With this default behavior, you don't have control over the encryption keys.

In this document, you do the following:

  • Learn how to create a CMEK.
  • Grant permissions to the Gemini Code Assist service account.
  • Create a code repository index with a CMEK.
  • Remove access to a CMEK repository.

By default, Gemini for Google Cloud encrypts customer content at rest. Gemini handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Gemini. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Gemini resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Before you begin

  1. In the Google Cloud console, activate Cloud Shell.

  2. In your shell environment, run the gcloud components update command to ensure that all installed components of the gcloud CLI are updated to the latest version. For this step, you can either install and initialize the gcloud CLI locally or use Cloud Shell.

    gcloud components update
    

Create a CMEK and grant permissions

To create a CMEK and grant the Gemini Code Assist service account permissions on the key, perform the following tasks:

  1. In the Google Cloud project where you want to manage your keys, do the following:

    1. Enable the Cloud Key Management Service API.

    2. Create a key ring and a key using one of the following options:

  2. Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Gemini Code Assist service account. Grant this permission on the key that you created.

    Console

    1. Go to Key management.

    2. Select the key that you created.

    3. Grant access to the Gemini Code Assist service account:

      1. Click Add principal.
      2. Add the Gemini Code Assist service account. The service account is service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com, where PROJECT_NUMBER is the project number of the Google Cloud project where Gemini Code Assist is enabled.
      3. In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
      4. Click Save.
    4. Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.

    5. Return to the Key management page and select the key again.

    6. Select Show info panel. You should see roles in the Role/Member column.

    gcloud

    1. To grant access to the Gemini Code Assist service account, in a shell environment, use the gcloud kms keys add-iam-policy-binding command:

      gcloud kms keys add-iam-policy-binding KEY_NAME \
          --project=PROJECT_ID \
          --location=LOCATION \
          --keyring=KEYRING_NAME \
          --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com" \
          --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
      

      Replace the following:

      • KEY_NAME: the key name.
      • PROJECT_ID: the ID of the project that contains the key.
      • LOCATION: the key location.
      • KEYRING_NAME: the key ring name.
      • PROJECT_NUMBER: the project number of the Google Cloud project with Gemini Code Assist enabled.
    2. Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.

    For more information about this command, see the gcloud kms keys add-iam-policy-binding documentation.

You can now create a code repository index with a CMEK using the API, and specify the key to use for encryption.

Create a code repository index with a CMEK

Using the gcloud CLI, create a new code repository index that is protected by your CMEK:

gcloud gemini code-repository-indexes create CODE_REPOSITORY_INDEX_NAME \
    --location=LOCATION \
    --kms-key="projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME"

Replace the following:

  • CODE_REPOSITORY_INDEX_NAME: the name of the code repository index that you'll create.
  • LOCATION: the key location.
  • KEY_PROJECT_ID: the key project ID.
  • KEYRING_NAME: the key ring name.
  • KEY_NAME: the key name.

Remove access to a CMEK repository

There are several ways to remove access to a CMEK-encrypted repository, including revoking the Gemini Code Assist service account's permissions on the key and disabling or destroying the key itself.

We recommend that you revoke the permissions from the Gemini Code Assist service account before disabling or destroying a key. Changes to permissions are consistent within seconds, so you can observe the impact of removing access before you disable or destroy the key.
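As an added audit helper (example code, not part of this page or of Google's tooling), the following script checks a key's IAM policy, in the JSON shape that `gcloud kms keys get-iam-policy KEY_NAME --format=json` prints, for the Gemini Code Assist service account binding granted in the steps above, flags any other principals holding the Encrypter/Decrypter role, and builds the `--kms-key` resource name used by the create command. The project number, names and embedded policy are constructed sample values.

```python
import json

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
GEMINI_SA_DOMAIN = "gcp-sa-cloudaicompanion.iam.gserviceaccount.com"


def gemini_service_account(project_number: str) -> str:
    """Gemini Code Assist service account for the project where Gemini is enabled."""
    if not project_number.isdigit():  # passing a project ID instead of the number is a common mistake
        raise ValueError("project number must be numeric, not a project ID")
    return f"service-{project_number}@{GEMINI_SA_DOMAIN}"


def kms_key_resource(key_project_id: str, location: str, keyring: str, key: str) -> str:
    """Resource name expected by --kms-key on the create command."""
    return f"projects/{key_project_id}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}"


def encrypter_decrypter_members(policy: dict) -> set:
    """Principals holding the Encrypter/Decrypter role in a KMS key IAM policy."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == ENCRYPTER_DECRYPTER
            for m in b.get("members", [])}


def audit_key_policy(policy: dict, project_number: str, expected_extra=()) -> dict:
    """Compare the role's members with the principals that should hold it:
    the Gemini service account plus expected_extra (for example, the account
    that creates the index). Anything else is reported as unexpected."""
    gemini = "serviceAccount:" + gemini_service_account(project_number)
    expected = {gemini, *expected_extra}
    actual = encrypter_decrypter_members(policy)
    return {"gemini_sa_bound": gemini in actual,
            "missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected)}


# Constructed sample policy in the shape gcloud prints with --format=json.
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                "members": ["serviceAccount:service-123456789012@gcp-sa-cloudaicompanion.iam.gserviceaccount.com",
                            "user:alice@example.com", "user:bob@example.com"]}],
  "etag": "sample-etag", "version": 1}""")

if __name__ == "__main__":
    print(kms_key_resource("key-proj", "us-central1", "gemini-ring", "gemini-key"))
    print(json.dumps(audit_key_policy(SAMPLE_POLICY, "123456789012",
                                      ["user:alice@example.com"]), indent=2))
```

Run it against real policy output after granting access to confirm the binding, and again after revoking it to confirm the service account is gone before you disable or destroy the key.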