Google Cloud Key Management Service (Cloud KMS)

Suggest edits

Before you can create TDE-enabled clusters with a Google Cloud Key Management Service key, an administrator must install and configure Google Cloud Key Management for the Hybrid Manager instance.

This example creates a customer-managed key in Cloud KMS, configures the key provider in the Hybrid Manager, and then uses the key to enable TDE for provisioning a new database cluster with encryption enabled.

If you are running the Hybrid Manager on Google Kubernetes Engine (GKE), it can be practical to use Cloud KMS for key management, as it provides a native integration and alignment with the Google ecosystem's best practices.

Prerequisites

Ensure you have set the parameter for Google Cloud KMS in the values.yaml of the Hybrid Manager. See Adding KMS support to enable it.

Creating the Google Cloud KMS key

Create a customer-managed key using Google Cloud Console, CLI or API in the same project and region where the Hybrid Manager is installed. A key exists on exactly one key ring tied to a specific location.

Use the following configuration for the new key ring:

  • Key ring name: choose a specific name for the key ring

  • Location type: Region

  • Region: Select the same region where Hybrid Manager is deployed

Create the key associated with the new key ring:

  • Key name: choose a specific name for the key

  • Protection level: Software

  • Purpose: symmetric encrypt/decrypt

Review the default settings for the key (e.g. around key rotation, protection level, key material, versions, etc.) and adjust according to your requirements.

Configure the key permissions:

  • Edit the key permissions and grant access for the Google service account that is used by Hybrid Manager. This is the account configured during the Hybrid Manager installation.

  • Ensure encrypt and decrypt permissions are granted (e.g. use the Google built-in Cloud KMS CryptoKey Encrypter and Decrypter roles).

Now that you have created a Google Cloud KMS key, add it to a project in the Hybrid Manager Console.

Assigning the Google Cloud KMS key to a project

Add the created key to a project:

  1. On the Console, go to the project under which you'll create TDE-enabled clusters. You can use a key for several clusters in a project, but we recommend setting up a new key per additional Hybrid Manager project.

  2. On the left-side navigation, select SettingsSecurity, and then + Add a key.

  3. Select a location to configure the key.

  4. Select Google Cloud under Select key management system provider.

  5. In Region, enter the region where Hybrid Manager is deployed, e.g. us-west-2.

  6. In Project ID, enter the ID of the project containing the key ring.

  7. In Key ring name, enter the exact name of the key ring as defined in your Google Cloud account.

  8. In Key name, enter the exact key name as defined in your Google Cloud account.

  9. If desired, you can enter an alternative key name that is easy to remember in (Optional) Enter a friendly name for your key.

  10. Select Add Key.

You can now use this key if you want to enable encryption when you create clusters. The added key will appear as an option when you enable TDE during cluster creation.

← Prev

AWS Key Management Service (KMS)

↑ Up

Enabling Key Management Systems for TDE

Next →

Deleting a key

Could this page be better? Report a problem or suggest an addition!