diff --git a/internal/client/gcp.go b/internal/client/gcp.go
index d31031c..857ef4a 100644
--- a/internal/client/gcp.go
+++ b/internal/client/gcp.go
@@ -135,7 +135,7 @@ func (g *GcpCli) CreateInstance(ctx context.Context, spec *spec.RunnerSpec) (*co
 	inst := &computepb.Instance{
 		Name: proto.String(name),
 		MachineType: proto.String(util.GetMachineType(g.cfg.Zone, spec.BootstrapParams.Flavor)),
-		Disks: generateBootDisk(spec.DiskSize, spec.BootstrapParams.Image, spec.SourceSnapshot, spec.DiskType, spec.CustomLabels),
+		Disks: generateBootDisk(spec.DiskSize, spec.BootstrapParams.Image, spec.SourceSnapshot, spec.DiskType, spec.CustomLabels, spec.BootDiskKmsKeyName),
 		DisplayDevice: &computepb.DisplayDevice{
 			EnableDisplay: proto.Bool(spec.DisplayDevice),
 		},
@@ -323,7 +323,7 @@ func selectStartupScript(osType params.OSType) string {
 	}
 }
 
-func generateBootDisk(diskSize int64, image, snapshot string, diskType string, customLabels map[string]string) []*computepb.AttachedDisk {
+func generateBootDisk(diskSize int64, image, snapshot string, diskType string, customLabels map[string]string, kmsKeyName string) []*computepb.AttachedDisk {
 	disk := []*computepb.AttachedDisk{
 		{
 			Boot: proto.Bool(true),
@@ -345,5 +345,12 @@ func generateBootDisk(diskSize int64, image, snapshot string, diskType string, c
 		disk[0].InitializeParams.SourceImage = nil
 	}
 
+	// Set CMEK (Customer-Managed Encryption Key) for the boot disk
+	if kmsKeyName != "" {
+		disk[0].DiskEncryptionKey = &computepb.CustomerEncryptionKey{
+			KmsKeyName: proto.String(kmsKeyName),
+		}
+	}
+
 	return disk
 }
diff --git a/internal/spec/spec.go b/internal/spec/spec.go
index 1604cf6..f1cfc75 100644
--- a/internal/spec/spec.go
+++ b/internal/spec/spec.go
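Review bot: The new generateBootDisk signature takes six positional parameters, four of them bare strings (image, snapshot, diskType, kmsKeyName), so a transposed argument at the CreateInstance call site compiles cleanly and only fails at instance insert time, where the error is hard to attribute. Consider a small options struct, or at minimum a doc comment on the function, e.g. `// generateBootDisk builds the boot AttachedDisk for the instance; kmsKeyName, when non-empty, is the full Cloud KMS key resource name used as the disk's customer-managed encryption key.` The function body continues outside this hunk.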
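Review bot: The CMEK assignment under `if kmsKeyName != ""` depends on the project's Compute Engine service agent holding roles/cloudkms.cryptoKeyEncrypterDecrypter on that key and on the key's location being usable from the disk's zone; nothing here checks either, so a misconfigured key surfaces only as a failed instance insert. A comment stating that precondition would help operators, e.g. `// Requires the Compute Engine service agent to hold roles/cloudkms.cryptoKeyEncrypterDecrypter on this key; otherwise the insert fails.` If the source snapshot or image is itself CMEK-protected it may additionally need InitializeParams.SourceSnapshotEncryptionKey or SourceImageEncryptionKey — worth confirming against the Compute API docs before relying on this path for snapshot-based boots. generateBootDisk's signature and the rest of its body lie outside this hunk.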
@@ -145,6 +145,8 @@ type extraSpecs struct {
 	EnableSecureBoot bool `json:"enable_secure_boot,omitempty" jsonschema:"description=Enable Secure Boot on the VM. Requires a Shielded VM compatible image."`
 	EnableVTPM bool `json:"enable_vtpm,omitempty" jsonschema:"description=Enable virtual Trusted Platform Module (vTPM) on the VM."`
 	EnableIntegrityMonitoring bool `json:"enable_integrity_monitoring,omitempty" jsonschema:"description=Enable integrity monitoring on the VM."`
+	// CMEK (Customer-Managed Encryption Key) for boot disk
+	BootDiskKmsKeyName string `json:"boot_disk_kms_key_name,omitempty" jsonschema:"description=The Cloud KMS key to use for boot disk encryption. Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key}"`
 	// The Cloudconfig struct from common package
 	cloudconfig.CloudConfigSpec
 }
@@ -205,6 +207,8 @@ type RunnerSpec struct {
 	EnableSecureBoot bool
 	EnableVTPM bool
 	EnableIntegrityMonitoring bool
+	// CMEK (Customer-Managed Encryption Key) for boot disk
+	BootDiskKmsKeyName string
 }
 
 func (r *RunnerSpec) MergeExtraSpecs(extraSpecs *extraSpecs) {
@@ -258,6 +262,9 @@ func (r *RunnerSpec) MergeExtraSpecs(extraSpecs *extraSpecs) {
 	if extraSpecs.EnableIntegrityMonitoring {
 		r.EnableIntegrityMonitoring = extraSpecs.EnableIntegrityMonitoring
 	}
+	if extraSpecs.BootDiskKmsKeyName != "" {
+		r.BootDiskKmsKeyName = extraSpecs.BootDiskKmsKeyName
+	}
 }
 
 func (r *RunnerSpec) Validate() error {
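Review bot: extraSpecs.BootDiskKmsKeyName is copied into RunnerSpec in the MergeExtraSpecs hunk without any format check, even though the jsonschema description in the extraSpecs hunk fixes its shape as projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key}; a malformed value from pool extra_specs is therefore only rejected by the API at instance creation, where the failure is harder to attribute to its source. Validate(), whose body lies outside this hunk, should reject it early: a package-level `var kmsKeyRe = regexp.MustCompile("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")` and, in Validate, `if r.BootDiskKmsKeyName != "" && !kmsKeyRe.MatchString(r.BootDiskKmsKeyName) { return fmt.Errorf("invalid boot_disk_kms_key_name %q", r.BootDiskKmsKeyName) }` (adding the regexp/fmt imports if spec.go lacks them). The non-empty-overrides merge semantics match the surrounding fields, so only the missing validation needs attention.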