Last updated 2025-08-29 UTC.

# Create a CMEK policy

This page provides instructions for how to create a customer-managed
encryption key (CMEK) policy.

Create a CMEK policy
--------------------

Use the following instructions to create a CMEK policy using the
Google Cloud console or Google Cloud CLI:

### Console

1. Go to the **NetApp Volumes** page in the Google Cloud console.

   [Go to NetApp Volumes](https://console.cloud.google.com/netapp/volumes)

2. Select **CMEK policies**.

3. Under **Create a CMEK policy**, click **Create**.

4. Enter a unique name in the **name** field for the CMEK policy.

5. Optional: Add a description in the **description** field.

6. Select a region from the **region** field for the policy.

7. Select a Cloud KMS key from the following options:

   - Choose from the Cloud KMS keys from your project that
     appear in the drop-down menu.

   - Select **Switch project** if you want to look for a
     Cloud KMS key in a different project. You need
     `roles/cloudkms.viewer` in the selected project to be able to browse
     keys.

   - Select **Enter key manually** if you want to enter a key manually.
     This is helpful if you don't have permissions to look up the key you
     intend to use.

8. Optional: Add a label in the **labels** field.

9. Click **Create**.

Your CMEK policy appears on the CMEK policies page. The status of the
policy shows an exclamation mark. The exclamation mark indicates that this
policy needs verification before it's usable. For more information, see
[Verify key access](/netapp/volumes/docs/configure-and-use/cmek/verify-key-access).

### gcloud

Use the following instructions to create a CMEK policy using the
Google Cloud CLI.

1. Run the `kms-configs` command with the following parameters:

   ```bash
   gcloud netapp kms-configs create CONFIG_NAME \
     --project=PROJECT_ID \
     --location=LOCATION \
     --kms-project=KEY_RING_PROJECT \
     --kms-location=KEY_RING_LOCATION \
     --kms-keyring=KEY_RING \
     --kms-key=KEY_NAME
   ```

Replace the following information:

- `CONFIG_NAME`: the name of the config to be created.
  This name must be unique per region.

- `PROJECT_ID`: the name of the project you want to
  create the CMEK policy in.

- `LOCATION`: the region to create the config in.
  Google Cloud NetApp Volumes only supports one config per region.

- `KEY_RING_PROJECT`: the project ID of the project
  hosting the KMS key ring.

- `KEY_RING_LOCATION`: the location of the KMS key
  ring.

- `KEY_RING`: the name of the KMS key ring.

- `KEY_NAME`: the name of the KMS key.

For more options, see
[Google Cloud SDK documentation for Cloud Key Management Service](/sdk/gcloud/reference/netapp/kms-configs).

What's next
-----------

[Verify key access](/netapp/volumes/docs/configure-and-use/cmek/verify-key-access).
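
When the key is at hand as a full Cloud KMS resource name (`projects/.../locations/.../keyRings/.../cryptoKeys/...`), the following script splits it into the four `--kms-*` flags of the `kms-configs create` command and prints the command without running it. It is an added example, not part of the original documentation; the function names and sample values are hypothetical, and the character allow-list is a conservative choice made here.

```bash
# Added example: split a full Cloud KMS key resource name into the --kms-*
# flags of `gcloud netapp kms-configs create`. Nothing is executed; the
# command is only printed for review. Function names are hypothetical.

# Prints the four flags, one per line; fails on a malformed name.
# The body is a subshell, so the IFS and `set -f` changes stay local.
kms_flags_from_key_name() (
  name=$1
  case $name in
    */ | *[!A-Za-z0-9_.:/-]*)  # trailing slash or unexpected character
      printf '%s\n' "invalid key resource name: $name" >&2; exit 1 ;;
  esac
  set -f        # no glob expansion while splitting
  IFS=/
  set -- $name  # split on "/" into positional parameters
  # A key name has exactly 8 segments; a key version name has 10.
  if [ "$#" -ne 8 ] || [ "$1" != projects ] || [ "$3" != locations ] ||
     [ "$5" != keyRings ] || [ "$7" != cryptoKeys ] ||
     [ -z "$2" ] || [ -z "$4" ] || [ -z "$6" ] || [ -z "$8" ]; then
    echo "expected projects/P/locations/L/keyRings/R/cryptoKeys/K: $name" >&2
    exit 1
  fi
  printf '%s\n' "--kms-project=$2" "--kms-location=$4" \
                "--kms-keyring=$6" "--kms-key=$8"
)

# Prints the complete command. Arguments follow the page's placeholders:
# CONFIG_NAME PROJECT_ID LOCATION, then the key resource name.
kms_config_create_cmd() (
  flags=$(kms_flags_from_key_name "$4") || exit 1
  for v in "$1" "$2" "$3"; do
    case $v in
      '' | *[!A-Za-z0-9_.:-]*) echo "invalid argument: $v" >&2; exit 1 ;;
    esac
  done
  printf 'gcloud netapp kms-configs create %s --project=%s --location=%s' \
    "$1" "$2" "$3"
  # Unquoted on purpose: one flag per word; characters were validated above.
  printf ' %s' $flags
  printf '\n'
)

# Constructed sample values, not real resources.
kms_config_create_cmd cmek-policy-1 my-project us-east4 \
  "projects/kms-project/locations/us-east4/keyRings/ring-1/cryptoKeys/key-1"
```

A key version name (ending in `/cryptoKeyVersions/N`) is rejected, because the command takes a key, not a version.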