How to encrypt disks in GCP?


Today, we're going to talk about encrypting disks in GCP using the Key Management Service, or KMS, and we'll also discuss the three possible ways to encrypt them.

GCP offers several encryption options, covering data at rest, in transit, and in use. This post is about data at rest on Compute Engine persistent disks.

One of the tools that GCP offers for encryption is the Key Management Service, or Cloud KMS. KMS allows you to create, import, rotate, and manage cryptographic keys for your cloud services. When a KMS key is used with a disk, it does not encrypt the disk contents directly: it wraps the data encryption key that Compute Engine uses for the disk (envelope encryption), so whoever controls the KMS key controls whether the disk can be decrypted at all.

The first method is using Google-managed encryption keys. This is the default encryption provided by GCP. Here, Google automatically encrypts your data with AES-256 before it's written to disk and manages the keys and their rotation for you; you don't see or control the key.

The second method is using customer-managed encryption keys (CMEK) through Cloud KMS. The key lives in your project, and you control its rotation, disabling, and destruction. If you disable or destroy the key version protecting a disk, the disk becomes unusable: VMs that use it can't start until the key is available again.

And the third method is using customer-supplied encryption keys (CSEK). This is where you create and manage your own 256-bit AES key outside of GCP and pass it to Compute Engine with each request. Google uses it only in memory for that operation, stores nothing but a SHA-256 hash of it, and needs it again for any later operation on the disk (attaching it, snapshotting it, or creating an image from it).

When you create a disk, it is automatically encrypted with the first method, and if you don't change any settings, it will stay like that. In the disk creation form, the option that is selected by default is "Google-managed encryption key," and once the disk is created and we open its details, the encryption field reads "Google-managed."

Now, to use the second method, we first need to create a key ring in Cloud KMS. The key ring is a container for our keys, and its location matters: the key ring must be in the same region as the disk (or a region containing the disk's zone), otherwise Compute Engine won't accept the key. The key itself can be generated by Google, as a software key or an HSM-backed key, or, if we already have one, we can import it. In our case, we are going to create a software key that will later be used on our disks. One more requirement: the Compute Engine service agent of the project (the service account named service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com) must have the Cloud KMS CryptoKey Encrypter/Decrypter role on that key, or disk creation fails with a permission error.

When the key is created inside our ring, we can use it. To do that, when we go to create a disk, in the encryption section, we choose "Customer-managed encryption key (CMEK)" and select our KMS key. As before, when the disk is created we can open its details and see that it is no longer marked as Google-managed but shows the resource name of the KMS key we created.

For the third option, we are going to create our own key, and to do that, we are going to use a Python script that generates 32 random bytes and base64-encodes them. The important point here is that Google does not keep this key: if you lose it and it is needed later (to attach the disk, snapshot it, or create an image from it), all the information on the disk is lost, so back it up somewhere as carefully as you would any other master key. As soon as we create the disk and choose the "Customer-supplied encryption key (CSEK)" option, we can paste the base64 key (either raw, or wrapped with Google's public RSA key), and when we open the disk details afterwards, we can see that it is marked as customer-supplied, together with the SHA-256 hash of the key.
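The following is an added example, not a script from the original article or from Google: it generates and validates a CSEK key, writes the key file in the format `gcloud compute disks create --csek-key-file` expects, computes the SHA-256 fingerprint that `gcloud compute disks describe` reports for a CSEK disk, and returns the `gcloud` commands for the CMEK path (key ring, key, IAM binding for the Compute Engine service agent, disk creation). Project ID, project number, zone, key ring, key and disk names are placeholder assumptions; the `gcloud` commands are only printed, not executed.

```python
"""Added example (not from the original article). Placeholder names throughout."""
import base64
import hashlib
import json
import secrets

# Compute Engine service agent that must be allowed to use the CMEK key.
COMPUTE_SERVICE_AGENT = "service-{project_number}@compute-system.iam.gserviceaccount.com"


def disk_uri(project: str, zone: str, disk: str) -> str:
    """Full resource URI that a CSEK key-file entry must name."""
    return f"https://www.googleapis.com/compute/v1/projects/{project}/zones/{zone}/disks/{disk}"


def generate_csek_key() -> str:
    """A customer-supplied key is exactly 32 random bytes (AES-256), base64-encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def validate_csek_key(key_b64: str) -> bytes:
    """Decode the key and reject anything that is not 32 bytes; Compute Engine would too."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("CSEK is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"CSEK must be 32 bytes, got {len(raw)}")
    return raw


def csek_key_fingerprint(key_b64: str) -> str:
    """Base64 SHA-256 of the raw key. `gcloud compute disks describe` shows this value as
    diskEncryptionKey.sha256, so you can confirm which key protects a disk without
    ever sending the key itself."""
    return base64.b64encode(hashlib.sha256(validate_csek_key(key_b64)).digest()).decode("ascii")


def csek_key_file(project: str, zone: str, disk: str, key_b64: str) -> list:
    """Structure expected by `gcloud compute disks create --csek-key-file FILE`."""
    validate_csek_key(key_b64)
    return [{"uri": disk_uri(project, zone, disk), "key": key_b64, "key-type": "raw"}]


def cmek_commands(project: str, project_number: str, location: str, keyring: str,
                  key: str, zone: str, disk: str) -> list:
    """gcloud commands for the CMEK path. The key ring location must match the disk's region."""
    kms_key = f"projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}"
    agent = COMPUTE_SERVICE_AGENT.format(project_number=project_number)
    return [
        f"gcloud kms keyrings create {keyring} --location {location} --project {project}",
        f"gcloud kms keys create {key} --keyring {keyring} --location {location} "
        f"--purpose encryption --protection-level software --project {project}",
        # Without this binding, disk creation fails with a KMS permission error.
        f"gcloud kms keys add-iam-policy-binding {key} --keyring {keyring} --location {location} "
        f"--member serviceAccount:{agent} --role roles/cloudkms.cryptoKeyEncrypterDecrypter "
        f"--project {project}",
        f"gcloud compute disks create {disk} --zone {zone} --size 10GB --kms-key {kms_key} "
        f"--project {project}",
        f"gcloud compute disks describe {disk} --zone {zone} "
        f"--format 'value(diskEncryptionKey.kmsKeyName)' --project {project}",
    ]


def csek_commands(project: str, zone: str, disk: str, key_file: str) -> list:
    """gcloud commands for the CSEK path; describe prints the key's SHA-256, not the key."""
    return [
        f"gcloud compute disks create {disk} --zone {zone} --size 10GB "
        f"--csek-key-file {key_file} --project {project}",
        f"gcloud compute disks describe {disk} --zone {zone} "
        f"--format 'value(diskEncryptionKey.sha256)' --project {project}",
    ]


if __name__ == "__main__":
    project, number, zone = "my-project", "123456789012", "us-central1-a"
    for cmd in cmek_commands(project, number, "us-central1", "disk-ring", "disk-key", zone, "cmek-disk"):
        print(cmd)
    key = generate_csek_key()
    with open("csek-key.json", "w") as fh:  # back this file up; Google never stores the key
        json.dump(csek_key_file(project, zone, "csek-disk", key), fh, indent=2)
    print("expected diskEncryptionKey.sha256:", csek_key_fingerprint(key))
    for cmd in csek_commands(project, zone, "csek-disk", "csek-key.json"):
        print(cmd)
```

Run it once, keep `csek-key.json` out of the repository and in a secret store, and compare the printed fingerprint with the `sha256` field that `gcloud compute disks describe` returns: a match proves the disk was created with the key you backed up, which is the check you want before deleting any other copy.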

I hope that you enjoy this session and don’t forget to encrypt.
