By default, Secure Source Manager encrypts customer content at rest. Secure Source Manager handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Secure Source Manager. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Secure Source Manager resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Cloud KMS can run in a separate project where you centrally manage keys for multiple projects, or the same Google Cloud project as Secure Source Manager. To support separation of duties and greater control over access to keys, we recommend that you create and manage keys in a separate project that doesn't include other Google Cloud resources.
You assign a Cloud KMS key when you create an instance. You can't change the encryption mechanism of an existing instance. If you have a CMEK-encrypted instance, you can't change the encryption mechanism to Google default encryption or assign a different Cloud Key Management Service key for encryption.
The instance must be created in the same [location](/secure-source-manager/docs/locations) as the Cloud KMS key.
When you use CMEK in Secure Source Manager, your projects can consume Cloud KMS cryptographic requests quotas. CMEK-encrypted instances consume these quotas at creation time. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.
Create a CMEK key and grant permissions
The following instructions explain how to create a key and grant the Secure Source Manager service account permissions on the key.
In the Google Cloud project where you want to manage your keys:
Create a key ring and a key using one of the following options:
- Create the key ring and key directly in Cloud KMS.
- Use an externally managed key. Create the external key, then create a Cloud EKM key to make it available through Cloud KMS.
The Cloud KMS key location must match the location of the project where you want to create the Secure Source Manager instance.
If you are creating your first Secure Source Manager instance in your project, you will need to manually create the Secure Source Manager service agent by running the following command:

```bash
gcloud beta services identity create \
  --service=securesourcemanager.googleapis.com \
  --project=PROJECT
```

Where PROJECT is the project ID of the project where you will create your Secure Source Manager instance.

Once you create the per-product, per-project service account (P4SA), you must grant the Secure Source Manager Service Agent role (roles/securesourcemanager.serviceAgent) to the principal service-PROJECT-NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com, or the instance creation will fail.

Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Secure Source Manager service account. Grant this permission on the key you created.

Console
Go to the Key management page.
Select the key ring you want to use, open the Key ring details page, then select the key you created.
Grant access to the Secure Source Manager service account:
- Click ADD PRINCIPAL.
- Add the Secure Source Manager service account. The service account is service-PROJECT-NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com, where PROJECT-NUMBER is the project number of the Google Cloud project where Secure Source Manager is enabled.
- In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
- Click SAVE.
Repeat the previous step to grant access to the account that will create the Secure Source Manager instance.
Return to the Key management page, select your key ring and open the Key ring details page. Then select the key again.
Click SHOW INFO PANEL. You should see the granted roles in the Role/Member column.
gcloud
Run the following command to grant access to the Secure Source Manager service account:
```bash
gcloud kms keys add-iam-policy-binding [--project=PROJECT] \
  KEY_NAME --location LOCATION --keyring=KEY_RING \
  --member serviceAccount:service-PROJECT_NUMBER@gcp-sa-sourcemanager.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter
```
Replace the following:
- PROJECT: the ID of the project that contains the key
- KEY_NAME: the key name
- LOCATION: the key location. The key location must match the location of the project where you want to deploy a Secure Source Manager instance
- KEY_RING: the key ring name
- PROJECT_NUMBER: the project number of the Google Cloud project with Secure Source Manager enabled
Repeat the previous step to grant access to the account that will create the Secure Source Manager instance.
For more information about this command, see the gcloud kms keys add-iam-policy-binding documentation.
Remove access
There are several ways to remove access to a CMEK-encrypted repository:
- Revoke the Cloud KMS CryptoKey Encrypter/Decrypter role from the Secure Source Manager service account using the Google Cloud console or the gcloud CLI.
- Temporarily disable the CMEK key.
- Permanently destroy the CMEK key.
We recommend that you revoke the permissions from the Secure Source Manager service account before disabling or destroying a key. Permission changes take effect within seconds, so you can observe the impact that disabling or destroying the key would have before you take that irreversible step.
When you disable or destroy the encryption key for an instance, you lose the ability to view or retrieve data from the instance. All data stored in the instance becomes inaccessible, including code history, pull requests, and issues.
Users with the Secure Source Manager Instance Manager role or Instance Owner role can delete the instance.
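The following preflight check, added here as an example and not code from the Secure Source Manager documentation, verifies the prerequisites from the "Create a CMEK key and grant permissions" section (key location matches the instance location, the service agent holds CryptoKey Encrypter/Decrypter on the key) and the "Remove access" condition (a disabled or destroyed primary key version makes the instance unreadable). It assumes you feed it the parsed JSON of `gcloud kms keys get-iam-policy ... --format=json` and the `primary.state` field of `gcloud kms keys describe ... --format=json`; the sample policy, key name and project number are constructed.

```python
import re

# Role and principal the page says must be bound on the key.
SSM_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
SSM_AGENT = "serviceAccount:service-{}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
KEY_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)$")


def cmek_preflight(key_name, key_policy, primary_state, project_number, instance_location):
    """Return a list of problems; an empty list means instance creation should succeed
    and the instance will stay readable. key_policy is the parsed JSON from
    `gcloud kms keys get-iam-policy`; primary_state is `primary.state` from
    `gcloud kms keys describe --format=json` (assumed inputs, supplied by the caller)."""
    m = KEY_RE.match(key_name)
    if not m:
        return [f"malformed CryptoKey resource name: {key_name}"]
    problems = []
    if m.group(2) != instance_location:
        problems.append(f"key location {m.group(2)} != instance location {instance_location}")
    # A disabled or destroyed primary version leaves the instance data inaccessible.
    if primary_state != "ENABLED":
        problems.append(f"primary key version state is {primary_state}, not ENABLED")
    agent = SSM_AGENT.format(project_number)
    bound = {mem for b in key_policy.get("bindings", []) if b.get("role") == SSM_ROLE
             for mem in b.get("members", [])}
    if agent not in bound:
        problems.append(f"{agent} lacks {SSM_ROLE} on the key")
    return problems


# Constructed sample data shaped like the gcloud JSON output described above.
SAMPLE_KEY = "projects/kms-proj/locations/us-central1/keyRings/ssm-ring/cryptoKeys/ssm-key"
SAMPLE_POLICY = {
    "bindings": [
        {"role": SSM_ROLE,
         "members": [SSM_AGENT.format("123456789012"), "user:alice@example.com"]},
        {"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]},
    ],
    "etag": "BwXconstructed",
    "version": 1,
}

if __name__ == "__main__":
    for state, number, loc in [("ENABLED", "123456789012", "us-central1"),
                               ("DISABLED", "123456789012", "us-central1"),
                               ("ENABLED", "999999999999", "europe-west1")]:
        print(state, number, loc, cmek_preflight(SAMPLE_KEY, SAMPLE_POLICY, state, number, loc) or "OK")
```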
CMEK organization policies
Secure Source Manager supports organization policy constraints that can require CMEK protection.
Policies can limit which Cloud KMS CryptoKeys can be used for CMEK protection.
When the Secure Source Manager API is in the Deny policy list of services of the constraint constraints/gcp.restrictNonCmekServices, Secure Source Manager refuses to create new instances that aren't CMEK-protected.

When constraints/gcp.restrictCmekCryptoKeyProjects is configured, Secure Source Manager creates CMEK-protected instances that are protected by a CryptoKey from an allowed project, folder, or organization.
For more about configuring organization policies, see CMEK organization policies.
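The following policy files, added here as an example and not part of the original page, express the two constraints above for a single project, with the second one confining keys to the dedicated Cloud KMS project recommended earlier; PROJECT_ID and KMS_PROJECT_ID are placeholders.

```yaml
# Constructed example policy files; apply each one with
# `gcloud org-policies set-policy FILE`.

# restrict-non-cmek.yaml: refuse Secure Source Manager instances without CMEK
name: projects/PROJECT_ID/policies/gcp.restrictNonCmekServices
spec:
  rules:
  - values:
      deniedValues:
      - securesourcemanager.googleapis.com
---
# restrict-key-projects.yaml: only CryptoKeys under the dedicated KMS project may be used
name: projects/PROJECT_ID/policies/gcp.restrictCmekCryptoKeyProjects
spec:
  rules:
  - values:
      allowedValues:
      - under:projects/KMS_PROJECT_ID
```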
What's next?
- Deploy an instance encrypted with CMEK
- Learn more about CMEK
- Learn more about Google default encryption