|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * machine_management/creating_machinesets/creating-machineset-gcp.adoc |
| 4 | + |
| 5 | +[id="machineset-enabling-customer-managed-encryption_{context}"] |
| 6 | += Enabling customer-managed encryption keys for a machine set |
| 7 | + |
| 8 | +Google Cloud Platform (GCP) Compute Engine allows users to supply an encryption key to encrypt data on disks at rest. The key is used to encrypt the data encryption key, not to encrypt the customer's data. By default, Compute Engine encrypts this data by using Compute Engine keys. |
| 9 | + |
| 10 | +You can enable encryption with a customer-managed key by using the Machine API. You must first link:https://cloud.google.com/compute/docs/disks/customer-managed-encryption#before_you_begin[create a KMS key] and assign the correct permissions to a service account. The KMS key name, key ring name, and location are required to allow a service account to use your key. |
| 11 | + |
| 12 | +[NOTE] |
| 13 | +==== |
| 14 | +If you do not want to use a dedicated service account for the KMS encryption, the Compute Engine default service account is used instead. You must grant the default service account permission to access the keys if you do not use a dedicated service account. The Compute Engine default service account name follows the `service-<project_number>@compute-system.iam.gserviceaccount.com` pattern. |
| 15 | +==== |
| 16 | + |
| 17 | +.Procedure |
| 18 | + |
| 19 | +. Run the following command with your KMS key name, key ring name, and location to allow a specific service account to use your KMS key and to grant the service account the correct IAM role: |
| 20 | ++ |
| 21 | +[source,terminal] |
| 22 | +---- |
| 23 | +gcloud kms keys add-iam-policy-binding <key_name> \ |
| 24 | + --keyring <key_ring_name> \ |
| 25 | + --location <key_ring_location> \ |
| 26 | + --member "serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com” \ |
| 27 | + --role roles/cloudkms.cryptoKeyEncrypterDecrypter |
| 28 | +---- |
| 29 | + |
| 30 | +. Configure the encryption key under the `providerSpec` field in your machine set YAML file. For example: |
| 31 | ++ |
| 32 | +[source,yaml] |
| 33 | +---- |
| 34 | +providerSpec: |
| 35 | + value: |
| 36 | + … |
| 37 | + disks: |
| 38 | + - type: … |
| 39 | + … |
| 40 | + encryptionKey: |
| 41 | + kmsKey: |
| 42 | + name: machine-encryption-key <1> |
| 43 | + keyRing: openshift-encrpytion-ring <2> |
| 44 | + location: global <3> |
| 45 | + projectID: openshift-gcp-project <4> |
| 46 | + kmsKeyServiceAccount: openshift-service-account@openshift-gcp-project.iam.gserviceaccount.com <5> |
| 47 | +---- |
| 48 | +<1> The name of the customer-managed encryption key that is used for the disk encryption. |
| 49 | +<2> The name of the KMS key ring that the KMS key belongs to. |
| 50 | +<3> The GCP location in which the KMS key ring exists. |
| 51 | +<4> Optional: The ID of the project in which the KMS key ring exists. If a project ID is not set, the machine set `projectID` in which the machine set was created is used. |
| 52 | +<5> Optional: The service account that is used for the encryption request for the given KMS key. If a service account is not set, the Compute Engine default service account is used. |
| 53 | ++ |
| 54 | +After a new machine is created by using the updated `providerSpec` object configuration, the disk encryption key is encrypted with the KMS key. |
0 commit comments