CSEK for Google Cloud Platform
Google Compute Engine allows users to create virtual machines (VMs). By default, Compute Engine uses Google-generated encryption keys to encrypt the data written to a VM's disks. These Google-generated encryption keys are stored in the cloud. Storing the encryption keys in the cloud, however, may not comply with your security standards. To avoid this issue, you can control and manage this encryption by providing your own encryption keys, known as customer-supplied encryption keys (CSEK). If you provide your own encryption key, Compute Engine uses that key to encrypt, and therefore protect, the Google-generated keys that encrypt and decrypt your data. Only users who hold the correct encryption key can use resources protected by a customer-supplied encryption key. For more detailed information, refer to the Google Cloud Platform documentation.
Before proceeding, ensure that the CSEK feature is available in your country. If your country is not supported, this feature will not work. The list of supported countries for CSEK is available in the Google Cloud Platform documentation.
Prerequisites
To use CSEK for Google Cloud Platform, ensure that:
CADP for Java is installed and configured. Refer to Quick start for detailed installation instructions and Configuration Parameters for configuration details.
A javac compiler exists in the path.
One of the supported Java versions is installed on your machine. Refer to General system architecture for details.
The high-level steps involved in using CSEK for Google Cloud Platform with CADP for Java are:
Downloading the public key certificate from Google.
Generating an AES-256 key on Key Manager.
Wrapping the generated key with the downloaded public key certificate.
Creating a VM using the wrapped key.
Create Encrypted VM using Console
Creating an encrypted VM using the Google console involves:
Downloading the public key certificate from Google.
Generating an AES-256 key on Key Manager.
Wrapping the generated key with the downloaded public key certificate.
Creating a VM using the wrapped key.
Download Public Key Certificate
Open https://cloud.google.com/compute/docs/disks/customer-supplied-encryption in a web browser. You do not need to be logged in to a Google account to download the certificate.
Scroll down to the Download the public key certificate option.
Click the public key certificate link.
Save the certificate (.pem) file to the system where you will generate the AES-256 key using Key Manager.
Create AES-256 Key
Refer to Create a key for detailed instructions.
Wrap AES Key
Run the ByokSample. This sample is available on GitHub.
Usage
java ByokSample -cloudName [AWS|Salesforce|GoogleCloud] -userName <userName> -password <password> -aesKeyName <aesKeyName> [-publicKeyPath <publicKeyPath>] -wrappedKeyPath <wrappedKeyPath> [-wrappingKeyName <RSAKeyName>] [-outputFormat base64] -wrappingAlgo [SHA1|SHA256|PKCS1.5] [-hash256Path <filePath>]
| Parameter | Description |
|---|---|
| cloudName | Name of the cloud where you want to upload your key. |
| userName | Name of the user on Key Manager. |
| password | Password of the user on Key Manager. The special characters `*`, `'`, `"` and `\|` are not allowed in the password. |
| aesKeyName | Name of the AES-256 key created on Key Manager. If the key does not exist on Key Manager, the ByokSample first creates an AES-256 key and then wraps it using the AWS public key. |
| publicKeyPath | Complete path, including the file name, of the public key downloaded from Google Cloud. If the public key is already imported to Key Manager, you can skip this parameter. |
| wrappedKeyPath | Complete path, including the file name, of the wrapped key. |
| outputFormat | The output format, as Base64. |
| wrappingAlgo | Wrapping algorithm. The possible option is SHA1. |
| wrappingKeyName | Name of the RSA public key used to wrap the AES key. If the publicKeyPath parameter is provided, the public key at that location is imported to Key Manager with the specified name and used to wrap the AES key. Otherwise, the existing key with the specified name on Key Manager is used to wrap the AES key. |
Example
This example shows how to wrap an AES-256 key.
java ByokSample -cloudName googleCloud -userName kmuser -password kmpassword -aesKeyName AES256Key -publicKeyPath /google-cloud-csek-ingress.pem -wrappedKeyPath /test_wrap -wrappingKeyName GooglePublicKey -wrappingAlgo SHA1 -outputFormat base64 -hash256Path /test_Google_hash
Successful execution of the preceding command produces the wrapped-data file containing the Base64-encoded, wrapped AES-256 key. This wrappedData file is used to create a VM.
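The wrapping step above, as an added example that is not the ByokSample or any CADP for Java code: Google's CSEK RSA wrapping encrypts the 32-byte AES key with the RSA public key from the downloaded certificate using RSA-OAEP with SHA-1 (and MGF1-SHA1), then Base64-encodes the 256-byte result. This example uses the `cryptography` library and, so that it runs offline, generates a stand-in self-signed certificate instead of reading google-cloud-csek-ingress.pem; the function names, the stand-in certificate and the round-trip check are assumptions for illustration.

```python
# Added example (not ByokSample or CADP for Java code): wrap a 32-byte AES key with
# the RSA public key taken from an X.509 certificate, the way a CSEK rsa-encrypted
# key is built (RSA-OAEP, SHA-1, MGF1-SHA1, Base64 output).
# ASSUMPTION: a stand-in self-signed certificate is generated here so the example
# runs offline; in real use, load google-cloud-csek-ingress.pem instead.
import base64
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# CSEK ingress wrapping parameters: RSA-OAEP with SHA-1 hash, MGF1-SHA1, no label.
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)
AES_KEY_BYTES = 32        # AES-256
WRAPPED_KEY_BYTES = 256   # ciphertext size for a 2048-bit RSA key


def make_stand_in_certificate():
    """Generate a 2048-bit RSA key and a self-signed PEM certificate (constructed stand-in)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "stand-in-csek-ingress")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert.public_bytes(serialization.Encoding.PEM)


def public_key_from_certificate(pem_bytes):
    """Extract the RSA public key from a PEM certificate and check it is the expected size."""
    cert = x509.load_pem_x509_certificate(pem_bytes)
    public_key = cert.public_key()
    if not isinstance(public_key, rsa.RSAPublicKey) or public_key.key_size != 2048:
        raise ValueError("expected a 2048-bit RSA certificate")
    return public_key


def wrap_aes_key(aes_key, public_key):
    """Return the Base64 text that goes into the 'key' field of an rsa-encrypted CSEK entry."""
    if len(aes_key) != AES_KEY_BYTES:
        raise ValueError("CSEK must be a 256-bit (32-byte) AES key")
    wrapped = public_key.encrypt(aes_key, OAEP_SHA1)
    if len(wrapped) != WRAPPED_KEY_BYTES:
        raise ValueError("unexpected wrapped key size")
    return base64.b64encode(wrapped).decode("ascii")


def unwrap_aes_key(wrapped_b64, private_key):
    """Reverse of wrap_aes_key; in production only the certificate's private key holder can do this."""
    return private_key.decrypt(base64.b64decode(wrapped_b64), OAEP_SHA1)


def round_trip_demo():
    """Wrap a freshly generated key with the stand-in certificate and confirm it unwraps."""
    private_key, cert_pem = make_stand_in_certificate()
    aes_key = os.urandom(AES_KEY_BYTES)
    wrapped_b64 = wrap_aes_key(aes_key, public_key_from_certificate(cert_pem))
    return {
        "wrapped_len_b64": len(wrapped_b64),                      # 344 characters
        "wrapped_len_bytes": len(base64.b64decode(wrapped_b64)),  # 256 bytes
        "round_trip_ok": unwrap_aes_key(wrapped_b64, private_key) == aes_key,
    }


if __name__ == "__main__":
    print(round_trip_demo())
```

The length checks matter in practice: a wrapped key that does not decode to exactly 256 bytes, or a plaintext key that is not exactly 32 bytes, will be rejected when the key file is used, so failing early here is cheaper than a failed disk creation.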
Create VM using Wrapped Key
VMs can be created using the Google console or the Google Cloud SDK. The following sections describe how to create a VM using both the console and the SDK. However, the beta version of the CSEK feature has a console limitation: a VM that has been encrypted via CSEK cannot be started from the console. In this case, use the gcloud utility to start the VM, as described later in this article.
Create VM through Google Console
Log on to the Google Cloud Console at https://console.cloud.google.com.
Click the Go to Compute Engine link.
Click CREATE INSTANCE to create a new virtual machine.
Enter or select the details for the fields as required.
Click the Management, disks, networking, sole tenancy link on the screen.
Click the Disks tab.
Under Encryption, select Customer-supplied key.
Copy the contents of the wrappedData file (created in the preceding section) and paste them into the Enter key text box.
Select the Wrapped Key check box.
Click Create. Compute Engine creates the VM instance.
Create VM through Google SDK
The gcloud utility is part of the Google Cloud SDK and provides commands for performing operations on Google Cloud. You can use it to create an encrypted disk or VM using CSEK and to start or stop the VM when needed.
The steps described here were performed on a Windows system with the Google Chrome web browser.
Download the Google Cloud SDK, if it is not already installed on the system, from https://cloud.google.com/sdk/downloads. If you are not logged in to a Google account, the command-line utility opens the Google account login page when you run the beta commands.
Provide the encoded keys in a JSON file. A key file can contain multiple keys, allowing you to manage multiple keys in a single place. Alternatively, you can create single-key files to handle each key separately. The key file must provide:
The fully-qualified URI to the resource the key protects
The corresponding key
The type of key, either raw or RSA-encrypted
A sample key file is shown below:
[
  {
    "uri": "https://www.googleapis.com/compute/beta/projects/fluent-archway-167114/zones/us-central1-c/disks/testdisk-1",
    "key": "PGoJWFEKnvLIFts2UlWLCR/mYgnCr9oOaTNSuD2YlTd0zglc/Nh5OLhngSPVV2AAIsmo8RxHs5Dm2IxAwF9yMZWz5jmqpiNi+SUQxftfUCA3iAs51fg/VrU1ZDJhZXhlh/Ky74IXYrS71FUgb+FupxQg8yHNw9P+jFTmoPpp9nyL9P7eQa4jhbV/n1tQ3lBNEEZ5x7odawHW9YXZFA4/lKFrtgKJ+3uifvVQbvJDRO8has12dL5PAVPaDcOVb84gbxNWHFjDy2KA6PYrpz7DFlMRdS9OFDu3VlPCnYrjTvp/i2TCoaNH9ktUhBMi/naZlIHMoHqYFzu7CxPkaE69bw==",
    "key-type": "rsa-encrypted"
  }
]
Here:
uri is the fully qualified URI of the resource the key protects.
key is the key bits in Base64 when supplying the rsa-encrypted key type.
key-type is the type of key supplied, either raw or rsa-encrypted.
testdisk-1 and us-central1-c in the URI are the name of the disk and the zone, respectively, where the disk is to be created.
fluent-archway-167114 is the name of the project.
Replace testdisk-1, us-central1-c, and fluent-archway-167114 as needed.
Save the content of the key file as a .json file. For this demonstration, we saved the file with the name centos-instance1.json.
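The key-file format described above, as an added example that is not part of the original page or of gcloud: the block composes the resource URI from its parts, builds the JSON array that --csek-key-file consumes, and checks each entry before it is handed to gcloud (fully-qualified URI, a key-type of raw or rsa-encrypted, and a key that decodes to 32 bytes for raw or 256 bytes for rsa-encrypted). It goes beyond the page's single-disk case by accepting several entries and zonal or global resources. The key values are constructed stand-ins, not a real wrapped key, and the function names are assumptions for illustration.

```python
# Added example (not CADP for Java or gcloud code): build and sanity-check a CSEK key
# file in the layout gcloud --csek-key-file expects. The keys below are constructed
# placeholders; the project, zone and disk name are the ones the page uses.
import base64
import json
import re

# Decoded byte length expected for each key-type: a raw AES-256 key, or that key
# RSA-wrapped with a 2048-bit certificate (256-byte ciphertext).
EXPECTED_KEY_BYTES = {"raw": 32, "rsa-encrypted": 256}

# Fully-qualified Compute Engine resource URI, zonal (disks, instances) or global
# (images, snapshots), on the v1 or beta API.
URI_RE = re.compile(
    r"^https://www\.googleapis\.com/compute/(v1|beta)/projects/[^/]+"
    r"/(zones/[^/]+|global)/[a-z]+/[^/]+$"
)


def resource_uri(project, zone, resource_type, name, api="beta"):
    """Compose a zonal resource URI from its parts, as in the page's sample key file."""
    return (f"https://www.googleapis.com/compute/{api}/projects/{project}"
            f"/zones/{zone}/{resource_type}/{name}")


def key_file_entry(uri, key_b64, key_type):
    """One element of the key-file array."""
    return {"uri": uri, "key": key_b64, "key-type": key_type}


def build_key_file(entries):
    """Serialize the entries as the JSON text to save in the .json key file."""
    return json.dumps(entries, indent=2)


def validate_key_file(text):
    """Return a list of problems found in key-file text; an empty list means it looks well-formed."""
    problems = []
    try:
        entries = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(entries, list):
        return ["top level must be a JSON array of key entries"]
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or set(entry) != {"uri", "key", "key-type"}:
            problems.append(f"entry {i}: must have exactly the fields uri, key and key-type")
            continue
        if not URI_RE.match(entry["uri"]):
            problems.append(f"entry {i}: uri is not a fully-qualified Compute Engine resource URI")
        expected = EXPECTED_KEY_BYTES.get(entry["key-type"])
        if expected is None:
            problems.append(f"entry {i}: key-type must be raw or rsa-encrypted")
            continue
        try:
            raw = base64.b64decode(entry["key"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"entry {i}: key is not valid Base64")
            continue
        if len(raw) != expected:
            problems.append(f"entry {i}: {entry['key-type']} key decodes to {len(raw)} bytes, "
                            f"expected {expected}")
    return problems


def demo():
    """Build one well-formed file and one with a common mistake; return both validation results."""
    # Constructed keys: 32 bytes standing in for a raw key, 256 bytes for a wrapped one.
    raw_key = base64.b64encode(bytes(range(32))).decode("ascii")
    wrapped_key = base64.b64encode(bytes(256)).decode("ascii")
    good = build_key_file([
        key_file_entry(resource_uri("fluent-archway-167114", "us-central1-c", "disks", "testdisk-1"),
                       wrapped_key, "rsa-encrypted"),
        key_file_entry(resource_uri("fluent-archway-167114", "us-central1-c", "instances", "test-vm-instance"),
                       raw_key, "raw"),
    ])
    # Mistake to catch: pasting the wrapped key but declaring its key-type as raw.
    bad = build_key_file([
        key_file_entry(resource_uri("fluent-archway-167114", "us-central1-c", "disks", "testdisk-1"),
                       wrapped_key, "raw"),
    ])
    return validate_key_file(good), validate_key_file(bad)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good file:", good_problems or "no problems")
    print("bad file:", bad_problems)
```

Running the check before calling gcloud catches the mismatches that otherwise surface only as an opaque creation error: a key-type that does not match the key's length, a URI missing the project or zone, or a key that was truncated while being copied from the wrappedData file.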
Use the following command to create an encrypted disk named testdisk-1 using the CSEK supplied by the JSON file centos-instance1.json.
gcloud beta compute disks create testdisk-1 --size=10GB --image-family centos-6 --image-project centos-cloud --csek-key-file /centos-instance1.json
In this command, the .json file is located in the directory from which the gcloud tool is invoked. If the key file is located in another directory, specify the complete path to it.
The Google Chrome browser shows the newly created encrypted disk named testdisk-1.
Create an encrypted VM named test-vm-instance.
gcloud beta compute instances create test-vm-instance --disk name=testdisk-1,boot=yes --csek-key-file /centos-instance1.json
Here, testdisk-1 is the encrypted disk and centos-instance1.json is the CSEK key file.
The Google Chrome browser shows the newly created VM instance named test-vm-instance with its status as running.
Stop the VM instance named test-vm-instance.
gcloud beta compute instances stop test-vm-instance
The Chrome browser shows the status of the VM instance named test-vm-instance as stopped (the check mark next to the VM instance disappears).
Restart the VM instance.
gcloud beta compute instances start test-vm-instance --csek-key-file /centos-instance1.json
The Chrome browser shows the status of the VM instance named test-vm-instance as running (the check mark next to the VM instance reappears).
Stopping or deleting a VM does not require the CSEK; other read/write operations, such as starting an encrypted VM or taking a snapshot of the encrypted disk, require the CSEK that was used to encrypt the disk. For details regarding other operations on an encrypted disk, refer to the Google Cloud documentation.