Customer-managed encryption keys
By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for your Vertex AI Workbench instances.
This page describes some specific benefits and limitations of using CMEK with Vertex AI Workbench and shows how to configure a new Vertex AI Workbench instance to use CMEK.
For information about CMEK in general, including when and why to enable it, see Customer-managed encryption keys.
Benefits of CMEK
In general, CMEK is most useful if you need full control over the keys used to encrypt your data. With CMEK, you can manage your keys within Cloud Key Management Service. For example, you can rotate or disable a key or you can set up a rotation schedule by using the Cloud KMS API.
When you run a Vertex AI Workbench instance, your instance runs on a virtual machine (VM) managed by Vertex AI Workbench. When you enable CMEK for a Vertex AI Workbench instance, Vertex AI Workbench uses the key that you designate, rather than a key managed by Google, to encrypt data on the boot disks of the VM.
The CMEK key doesn't encrypt metadata, like the instance's name and region, associated with your Vertex AI Workbench instance. Metadata associated with Vertex AI Workbench instances is always encrypted using Google's default encryption mechanism.
Limitations of CMEK
To decrease latency and to prevent cases where resources depend on services that are spread across multiple failure domains, Google recommends that you protect regional Vertex AI Workbench instances with keys in the same location.
- You can encrypt regional Vertex AI Workbench instances
by using keys in the same location or in the global location. For example,
you can encrypt data in a disk in zone
us-west1-a
by using a key inus-west1
orglobal
. - You can encrypt global instances by using keys in any location.
- Configuring CMEK for Vertex AI Workbench doesn't automatically configure CMEK for other Google Cloud products that you use. To use CMEK to encrypt data in other Google Cloud products, you must complete additional configuration.
Configure CMEK for your Vertex AI Workbench instance
The following sections describe how to create a key ring and key in Cloud Key Management Service, grant the service account encrypter and decrypter permissions for your key, and create a Vertex AI Workbench instance that uses CMEK.
Before you begin
We recommend using a setup that supports a separation of duties. To configure CMEK for Vertex AI Workbench, you can use two separate Google Cloud projects:
- A Cloud KMS project: a project for managing your encryption key
- A Vertex AI Workbench project: a project for accessing Vertex AI Workbench instances and interacting with any other Google Cloud products that you need for your use case
Alternatively, you can use a single Google Cloud project. To do so, use the same project for all of the following tasks.
Set up the Cloud KMS project
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud KMS API.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud KMS API.
Set up the Vertex AI Workbench project
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Notebooks API.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Notebooks API.
Set up the Google Cloud CLI
The gcloud CLI is required for some steps on this page and optional for others.Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
Create a key ring and key
When you create a key ring and key, keep the following requirements in mind:
When you choose your key ring's location, use either
global
or the location where your Vertex AI Workbench instance will be.Make sure to create your key ring and key in your Cloud KMS project.
To create a key ring and a key, see Create symmetric encryption keys.
Grant Vertex AI Workbench permissions
To use CMEK for your Vertex AI Workbench instance, you must grant your Vertex AI Workbench instance permission to encrypt and decrypt data using your key. You grant this permission to your project's service agent and the Compute Engine service account.
To find the specific accounts for your Vertex AI Workbench project, use the Google Cloud console.
In the Google Cloud console, go to the IAM page
Select Include Google-provided role grants.
Find the members that match the following email address formats. Make note of the email addresses, and use them in the following steps.
Your project's service agent's email address looks like the following:
service-NOTEBOOKS_PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com
The Compute Engine service account's email address looks like the following:
service-NOTEBOOKS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
Replace
NOTEBOOKS_PROJECT_NUMBER
with the project number for your Vertex AI Workbench project.To grant these accounts permission to encrypt and decrypt data using your key, you can use the Google Cloud console or the Google Cloud CLI.
Console
In the Google Cloud console, go to the Cryptographic keys page.
Select your Cloud KMS project.
Click the name of the key ring that you created in Create a key ring and key. The Key ring details page opens.
Select the checkbox for the key that you created in Create a key ring and key. If an info panel labeled with the name of your key isn't already open, click Show info panel.
In the info panel, click
Add member. The Add members to "KEY_NAME" dialog opens. In this dialog, do the following:In the New members field, enter your project's service agent's email address:
service-NOTEBOOKS_PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com
In the Select a role list, click Cloud KMS and then select the Cloud KMS CryptoKey Encrypter/Decrypter role.
Click Save.
Repeat these steps for the Compute Engine service agent:
service-NOTEBOOKS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com
gcloud
To grant your project's service agent permission to encrypt and decrypt data using your key, run the following command:
gcloud kms keys add-iam-policy-binding KEY_NAME \ --keyring=KEY_RING_NAME \ --location=REGION \ --project=KMS_PROJECT_ID \ --member=serviceAccount:service-NOTEBOOKS_PROJECT_NUMBER@gcp-sa-notebooks.iam.gserviceaccount.com \ --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace the following:
KEY_NAME
: the name of the key that you created in Create a key ring and keyKEY_RING_NAME
: the key ring that you created in Create a key ring and keyREGION
: the region where you created your key ringKMS_PROJECT_ID
: the ID of your Cloud KMS projectNOTEBOOKS_PROJECT_NUMBER
: the project number of your Vertex AI Workbench project, which you noted in the preceding section as part of a service account email address.
To grant the Compute Engine service account permission to encrypt and decrypt data using your key, run the following command:
gcloud kms keys add-iam-policy-binding KEY_NAME \ --keyring=KEY_RING_NAME \ --location=REGION \ --project=KMS_PROJECT_ID \ --member=serviceAccount:service-NOTEBOOKS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \ --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Create a Vertex AI Workbench instance with CMEK
After you have granted your Vertex AI Workbench instance permission to encrypt and decrypt data using your key, you can create a Vertex AI Workbench instance that encrypts data using this key.
The following example shows how to encrypt and decrypt data using your key by using the Google Cloud console.
To create a Vertex AI Workbench instance with a customer-managed encryption key:
In the Google Cloud console, go to the Instances page.
Click
Create new.In the New instance dialog, click Advanced options.
In the Create instance dialog, in the Details section, provide the following information for your new instance:
- Name: a name for your new instance
- Region: the region that your key and key ring are in
- Zone: a zone within the region that you selected
In the Disks section, in Encryption, select Customer-managed encryption key (CMEK).
Click Select a customer-managed key.
- If the customer-managed key that you want to use is in the list, select it.
If the customer-managed key that you want to use isn't in the list, enter the resource ID for your customer-managed key. The resource ID for your customer-managed key looks like the following:
projects/NOTEBOOKS_PROJECT_NUMBER/locations/global/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
Replace the following:
NOTEBOOKS_PROJECT_NUMBER
: the ID of your Vertex AI Workbench projectKEY_RING_NAME
: the key ring that you created in Create a key ring and keyKEY_NAME
: the name of the key that you created in Create a key ring and key
Complete the rest of the instance creation dialog, and then click Create.
What's next
- Learn more about CMEK on Google Cloud.
- Learn how to use CMEK with other Google Cloud products.