Tech ONTAP Blogs

Customer-managed encryption keys with Google Cloud NetApp Volumes

DianePatton
NetApp
429 Views

In the fast-paced world of cloud deployments, organizations strive to optimize their time to market, achieve high availability, and scale rapidly. However, amidst this race for efficiency, regulatory requirements often emerge like guardians of data integrity, insisting on stringent security measures for storing data in the cloud. One such requirement involves the encryption of data at rest and the careful management of encryption keys. 

 

Enter Google Cloud NetApp Volumes, a trusted ally in the realm of encryption. With unwavering dedication, it encrypts at-rest data within volumes by using data encryption keys (also known as volume encryption keys) and key encryption keys (sometimes referred to as envelope keys) by default. These cryptographic guardians, owned and managed by Google, ensure the security of your data without any configuration or setup on your part, but you can’t view, manage, or review logs from these keys. If you’re seeking an extra layer of control or compliance with specific regulations or localities, there’s another path. 

 

Introducing customer-managed encryption keys (CMEK), the pinnacle of encryption sovereignty. With CMEK, organizations can assume complete command over the keys to their data and can store them in a separate location from the data itself. This allows meticulous control, enhanced security, and the ability to align with regulatory frameworks. In this blog, we shed light on how to seamlessly integrate CMEK with Google Cloud NetApp Volumes. 

 

What is a customer-managed encryption key? 

 

Within Google Cloud, the CMEK is a key encryption key (KEK) that wraps the Google- managed data encryption key (DEK). This approach gives your data an extra level of security, because the CMEK KEK isn’t stored in the same location as the data—it’s accessed with the Google Cloud Key Management Service API. The keys can be stored  in software (Cloud KMS keys), in a fully managed Cloud Hardware Security Module (Cloud HSM keys), or off site (Cloud EKM keys). The Cloud KMS keys comply with FIPS 140-2 Level 1.  The Cloud HSM keys comply with FIPS 140-2 Level 3, and the Cloud EKM keys compliance depends on your external key provider.  

 

Within NetApp Volumes, you must configure a CMEK policy per region. (Only one policy is supported per region.) You add the CMEK policy to a storage pool upon creation, and all volumes within that storage pool are encrypted with the CMEK.  You can have storage pools in the same region with and without the CMEK policy attached.  

 

The following diagram shows the CMEK KEK being stored in software within the Google Key Management Service.  

 

DianePatton_0-1726326917982.jpeg

 

If you create a volume in a CMEK- enabled storage pool, NetApp Volumes accesses the KEK in Google Cloud KMS by using Google Identity and Access Management (Google IAM). It wraps the DEK with the KEK for persistent storage. The DEKs are never stored persistently anywhere within NetApp Volumes without being wrapped with the KEK. 

 

On an interval basis, NetApp Volumes continually accesses the KEK to be sure it’s still enabled and hasn’t changed. If the KEK is disabled or deleted from Google KMS, the volume becomes inaccessible in a few hours or less. 

 

The KEK is rotated based on your key configuration in KMS. 

 

How to set up CMEK 

 

You can set up CMEK using the Google CLI or the Google Cloud console. This blog covers the console approach and is fairly straightforward. Setup involves three steps: 

 

  1. Create a key ring and a CMEK. 
  2. Create a CMEK policy and grant NetApp Volumes permissions to access the KMS key. 
  3. Attach the CMEK policy to a new storage pool. 

 

If you want to watch a video with these steps, see How to configure Google Cloud NetApp Volumes customer-managed encryption keys. 

 

Create a key ring and a CMEK 

 

Key rings group keys together to keep your keys organized. You create a key within a key ring, and a key version within the key. 

 

First, create the key ring by using the portal. From the left drop- down menu, select Security and then Key Management. On the top, select + Create Key Ring. Give the key ring a name and select the same region where your storage pool will reside, as shown in the following example. 

 

DianePatton_1-1726327267730.png

 

 Click Create. The page for creating your first key is automatically loaded. Name the key and select the protection level for the key, as shown in the following example. Fill in the other information, including the duration of the “scheduled for destruction state. If you manually delete a key version, this duration is the total number of days you can still retrieve the key version before it is permanently deleted. By default, the duration is 30 days, but you can configure any value between 1 and 120 days, depending on your organization's policies. 

 

DianePatton_2-1726327357318.png

 

Click Create.  Now your customer- managed encryption key and its first version are in place for use in the same region as configured. Let’s put it to use. 

 

Create a CMEK policy and grant the service permissions to access the key 

 

Next, you create a CMEK policy within Google Cloud NetApp Volumes. The policy and the key must be applied to the same region as the storage pool using CMEK.  

 

From NetApp Volumes, select CMEK Policies on the left; then select + Create. Enter the CMEK policy details by providing a name, selecting the same region as your key, and selecting the key from the drop-down menu, as shown here.  

 

DianePatton_0-1726329346402.png

 

 

 

Only the regional key from the same project is shown. You can specify a different project if required, and the user will need permissions to view the KMS  keys in that project. Another option is to enter the KMS key resource path. Click Create. 

 

The policy displays, but it isn’t usable until you allow NetApp Volumes to access the key through authentication. Youll see the key check pending. 

 

DianePatton_1-1726329435984.png

 

From the Show More drop-down menu at the right, select Verify Key Aaccess. The access will fail, but two CLI commands will be displayed to allow authentication. The first command creates a project wide custom role called cmekNetAppVolumesRole with the appropriate permissions. If that role already exists from a prior CMEK policy, you can disregard that command. The second command is a role binding for the specific key that binds that role to the NetApp Volumes service account. This gives NetApp Volumes permission to access the specified KMS key.  

 

DianePatton_2-1726329522599.png

 

The first command requires the roles/iam.roleAdmin (role administrator) permissions on the project within your Google account, and the second command requires the roles/cloudkms.admin (Cloud KMS administrator) role. After verifying that you’ve been assigned those roles to your project in your account, enter those CLI commands in the terminal. If the NetApp Volumes administrator doesn’t have permissions to execute those commands, the commands may be given to KMS administrators.  

 

Your CMEK policy is displayed. Next, you’ll create a storage pool with that policy. 

 

Attach the CMEK policy to a new storage pool 

 

Let’s create a storage pool and a volume within that storage pool that’s using the customer-managed encryption key. 

 

Create a storage pool as usual. All service levels are currently supported. Toward the bottom of the page, open the Encryption section. Select Customer-Managed Encryption Key (CMEK), and select the policy and the encryption key from the drop-down menus.  

 

DianePatton_3-1726329711219.png

 

The storage pool is displayed, and all volumes within that storage pool will use the CMEK. All DEKs used to encrypt data written to any volume within the storage pool will be encrypted using the CMEK KEK. 

 

What if your volumes already exist? 

 

No worries! You can also migrate your current volumes to CMEK, with or without data.  Just keep in mind that all volumes in that region will migrate to the CMEK policy. Go to the CMEK Policy page, and use the drop-down menu under Show More for the policy you want to use. Select the CMEK policy, and from the drop-down menu, select Migrate Volumes to CMEK. You are on your way! 

 

DianePatton_4-1726329857898.png

 

 

Is there anything else to know?  

 

Google Cloud NetApp Volumes CMEK is supported with all service levels, which includes Flex, Standard, Premium, and Extreme. Whatever service level you need, we have you covered. 

 

We don’t currently support backups with CMEK, but this support is coming soon. 

 

Now what? 

Although Google Cloud NetApp Volumes is always very secure, by configuring CMEK you have an additional layer of security for your volumes, all with the same performance and reliability you trust with NetApp Volumes. You can store the keys in Google KMS, on a Google-managed HSM, or in an external key manager, depending on your compliance needs.  

For more information on CMEK, see Customer-managed encryption keys. For additional information on NetApp Volumes with CMEK, visit Manage customer-managed encryption key policies. You can find detailed information about Google's Cloud KMS in Cloud Key Management Service deep dive.  

 

Does your storage comply with your security requirements? With CMEK, give that a big checkmark and rest assured that your data on Google Cloud NetApp Volumes is compliant and secure. 

 

Public