End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Enable Customer-Managed Encryption Keys (CMEK) for Cloud Spanner Databases

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Google Cloud Platform (GCP) Cloud Spanner databases are encrypted using customer-managed encryption keys (CMEK) instead of the default Google-managed encryption keys. CMEK provides organizations with greater control over their encryption keys, enabling them to create, rotate, and manage encryption keys through Cloud Key Management Service (Cloud KMS). This ensures compliance with regulatory requirements and enhances data security by giving organizations full ownership and control over their encryption strategy. CMEK supports Cloud KMS software keys, Cloud Hardware Security Module (HSM) keys, and Cloud External Key Manager (Cloud EKM) keys. The encryption keys must be in the same location as the Cloud Spanner instance, and for multi-region or dual-region configurations, multiple regional Cloud KMS keys can be used to protect the database. Once a database is created with a specific encryption configuration, the encryption type cannot be changed unless you back up and restore the database or export and import the data to a new database with CMEK enabled.

Security

By using customer-managed encryption keys (CMEK) for Cloud Spanner databases, organizations gain complete control over their encryption keys and data protection strategy. CMEK enables you to manage key protection levels, locations, rotation schedules, usage permissions, and access controls through Cloud KMS, ensuring that encryption practices align with organizational security policies and compliance requirements. With CMEK, you can define who can access your data by controlling the permissions on your encryption keys, implement custom key rotation policies, and maintain a comprehensive audit trail of all key usage through Cloud Audit Logs. Additionally, CMEK provides the ability to render data inaccessible by disabling or destroying the encryption key, giving organizations an additional layer of control in data breach scenarios, regulatory investigations, or during secure decommissioning processes. CMEK does not impact Cloud Spanner's performance or service level agreement (SLA), making it a seamless security enhancement. Without CMEK, organizations rely entirely on Google's default encryption practices, which may not meet specific compliance frameworks or internal security standards that require customer-controlled encryption key management for sensitive data workloads.

Important: If a Cloud KMS key is deleted, any Cloud Spanner databases encrypted with that key become permanently inaccessible and the data cannot be recovered. If a Cloud KMS key is disabled, Cloud Spanner immediately makes the database inaccessible. If the key remains disabled for more than seven days, Cloud Spanner automatically deletes the database. Key changes can take up to three hours to propagate throughout the system. Disabling or destroying only a subset of the keys of a multi-region CMEK database is strongly discouraged, as this can leave the database in an inconsistent state.


Audit

To determine if your Cloud Spanner databases are encrypted with customer-managed encryption keys (CMEK), perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Spanner console available at https://console.cloud.google.com/spanner.

04 In the Instances page, click on the name of the Cloud Spanner instance that you want to examine.

05 On the instance details page, in the Databases section, locate the database you want to audit.

06 Click on the database name to view its details.

07 On the database details page, in the Configuration section, check the Encryption type field.

08 If the Encryption type field displays Google-managed, the selected Cloud Spanner database is using Google-managed encryption keys instead of customer-managed encryption keys (CMEK); the database configuration is therefore not compliant.

09 If the Encryption type field displays Customer-managed with a Cloud KMS key resource name, the database is properly encrypted with CMEK.

10 Repeat steps no. 5 – 9 for each Cloud Spanner database in the selected instance.

11 Repeat steps no. 4 – 10 for each Cloud Spanner instance in the selected project.

12 Repeat steps no. 2 – 11 for each project available within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-spanner-project-112233
cc-database-project-445566

03 Run spanner instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter to list all Cloud Spanner instances in the selected project:

gcloud spanner instances list \
	--project cc-spanner-project-112233 \
	--format="table(name)"

04 The command output should return the Cloud Spanner instance names:

NAME
cc-production-instance
cc-development-instance

05 Run spanner databases list command (Windows/macOS/Linux) using the instance name to list all databases in the selected instance:

gcloud spanner databases list \
	--instance cc-production-instance \
	--project cc-spanner-project-112233 \
	--format="table(name)"

06 The command output should return the database names:

NAME
cc-prod-database
cc-analytics-database

07 Run spanner databases describe command (Windows/macOS/Linux) using the name of the database that you want to examine:

gcloud spanner databases describe cc-prod-database \
	--instance cc-production-instance \
	--project cc-spanner-project-112233 \
	--format=json

08 The command output should return the database configuration metadata as JSON:

{
	"createTime": "2026-01-08T00:33:34.392873Z",
	"databaseDialect": "GOOGLE_STANDARD_SQL",
	"earliestVersionTime": "2026-01-08T00:33:34.392873Z",
	"encryptionInfo": [
		{
			"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"
		}
	],
	"name": "projects/cc-spanner-project-112233/instances/cc-production-instance/databases/cc-prod-database",
	"state": "READY",
	"versionRetentionPeriod": "1h"
}

09 Check the encryptionInfo.encryptionType attribute value in the command output. If encryptionInfo.encryptionType shows GOOGLE_DEFAULT_ENCRYPTION, as in the output example above, the selected Cloud Spanner database is encrypted with Google-managed encryption keys instead of customer-managed encryption keys (CMEK); the database configuration is therefore not compliant. If the encryptionInfo.encryptionType attribute shows CUSTOMER_MANAGED_ENCRYPTION and encryptionInfo.kmsKeyVersion contains a Cloud KMS key resource name (e.g., projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME), the database is using CMEK.

10 Repeat steps no. 7 – 9 to verify the encryption configuration for other Cloud Spanner databases in the selected instance.

11 Repeat steps no. 5 – 10 for each Cloud Spanner instance in the selected project.

12 Repeat steps no. 3 – 11 for each project available within your Google Cloud account.

Remediation / Resolution

To enable customer-managed encryption keys (CMEK) for your Google Cloud Spanner databases, you must create a new Cloud Spanner database with CMEK configured, migrate your data from the existing database to the new database, and then delete the old database. Before creating the new database, you must create a Cloud KMS encryption key (or multiple regional keys for multi-region instances) in the same location as your Spanner instance and grant the Cloud Spanner service agent the necessary permissions to use the key. Perform the following operations:

Important: Cloud Spanner does not support modifying the encryption type of an existing database from Google-managed keys to customer-managed encryption keys (CMEK). You must create a new database with CMEK enabled and migrate your data using backup and restore operations or database export and import. Ensure that you have appropriate backup and migration strategies in place before proceeding. The Cloud KMS encryption key must be created in the same location as your Cloud Spanner instance. For multi-region or dual-region instances, you must use multiple regional Cloud KMS keys (one for each region) rather than a multi-region Cloud KMS key. Deleting or disabling the CMEK key will make your Cloud Spanner database inaccessible, and if the key remains disabled for more than seven days, Cloud Spanner will automatically delete the database.

Using GCP Console

Step 1: Create Cloud KMS Encryption Key(s)

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that contains the Cloud Spanner database you want to reconfigure from the console top navigation bar.

03 Navigate to Spanner console available at https://console.cloud.google.com/spanner and identify the instance configuration (regional, multi-region, or dual-region) and location(s) of your Cloud Spanner instance to determine the required Cloud KMS key location(s).

04 Navigate to Key Management console available at https://console.cloud.google.com/security/kms.

05 If you don't have an existing key ring in the same location as your Cloud Spanner instance, click Create key ring and perform the following:

  1. For Key ring name, provide a unique name for the key ring (e.g., cc-spanner-keyring).
  2. For Location type, select Region (regional Cloud KMS keys are required for Cloud Spanner, even for multi-region instances).
  3. For Region, select a region that matches one of the regions in your Cloud Spanner instance configuration (e.g., us-central1).
  4. Click Create to create the key ring.

06 If your Cloud Spanner instance uses a multi-region or dual-region configuration, repeat step no. 5 to create additional key rings in each region required by your instance configuration.

07 Select the key ring you created in the first region.

08 Click Create key and perform the following operations:

  1. For Key name, provide a unique name for the encryption key (e.g., cc-spanner-cmek-key-us-central1).
  2. For Protection level, select Software, HSM, or External based on your security requirements.
  3. For Key material, ensure Generated key is selected.
  4. For Purpose, select Symmetric encrypt/decrypt.
  5. (Optional) Configure Rotation period to automatically rotate the key at specified intervals.
  6. Click Create to create the encryption key.

09 If you created multiple key rings for a multi-region or dual-region instance, repeat steps no. 7 – 8 for each key ring to create a Cloud KMS key in each required region.

Step 2: Grant Cloud Spanner Service Agent Permissions

10 In the Google Cloud Console, click on Activate Cloud Shell icon in the top-right corner to open Cloud Shell.

11 Run the following command to create or display the Cloud Spanner service agent identity:

gcloud beta services identity create --service=spanner.googleapis.com --project=cc-spanner-project-112233

12 The command output will return the service agent email address:

Service identity created: service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com

13 Run the following command to grant the service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on your first encryption key:

gcloud kms keys add-iam-policy-binding cc-spanner-cmek-key-us-central1 --location us-central1 --keyring cc-spanner-keyring --project=cc-spanner-project-112233 --member serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter

14 The command output will confirm the IAM policy binding:

Updated IAM policy for key [cc-spanner-cmek-key-us-central1].
bindings:
- members:
	- serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
	role: roles/cloudkms.cryptoKeyEncrypterDecrypter

15 If you created multiple Cloud KMS keys for a multi-region or dual-region instance, repeat step no. 13 for each key to grant the service agent permissions on all keys.

Step 3: Create a New Cloud Spanner Database with CMEK

16 Navigate to Spanner console available at https://console.cloud.google.com/spanner.

17 Click on the name of the Cloud Spanner instance where you want to create the new CMEK-encrypted database.

18 Click Create database to begin creating a new database.

19 On the Create a database page, provide the following information:

  1. For Database name, provide a unique identifier for the new database (e.g., cc-prod-database-cmek).
  2. For Database dialect, select the appropriate dialect (Google Standard SQL or PostgreSQL) to match your existing database.
  3. (Optional) Configure Schema if you want to define the database schema during creation.

20 Expand the Show encryption options section and perform the following:

  1. Select Customer-managed key.
  2. If your instance is a regional instance, click the Select a key dropdown and choose the Cloud KMS encryption key you created earlier.
  3. If your instance is a multi-region or dual-region instance, you will see input fields for multiple keys. For each region, select or enter the appropriate Cloud KMS key resource name in the format: projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING/cryptoKeys/KEY_NAME.

21 Click Create to create the new Cloud Spanner database with CMEK encryption enabled.

22 Wait for the database creation to complete. The database state will change to Ready when it's available.

Step 4: Migrate Data and Remove Old Database

23 Migrate your data from the old Cloud Spanner database (encrypted with Google-managed keys) to the new database (encrypted with CMEK) using one of the following methods:

  1. Backup and Restore: Create a backup of the old database and restore it to the new database.
  2. Export and Import: Export data from the old database using Cloud Dataflow or other export tools and import it into the new database.
  3. Application-level Migration: Use your application logic to read data from the old database and write it to the new database.

24 After verifying that all data has been successfully migrated and the new database is functioning correctly, update your applications to use the new CMEK-encrypted database.

25 Once you have confirmed the migration is successful and all applications are using the new database, you can delete the old database that uses Google-managed encryption.

26 Repeat steps no. 15 – 24 for other Cloud Spanner databases that are encrypted with Google-managed keys.

27 Repeat steps no. 2 – 26 for each project available within your Google Cloud account.

Using GCP CLI

Step 1: Create Cloud KMS Encryption Key(s)

01 Run spanner instances describe command (Windows/macOS/Linux) to identify the configuration and location(s) of your Cloud Spanner instance (see Audit section part II to identify the instance):

gcloud spanner instances describe cc-production-instance \
	--project cc-spanner-project-112233 \
	--format="value(config)"

02 The command output should return the instance configuration name:

projects/cc-spanner-project-112233/instanceConfigs/regional-us-central1

03 Based on the instance configuration, determine the required Cloud KMS key region(s). For regional instances, use one key in the same region. For multi-region or dual-region instances, you need multiple regional keys.

04 Run kms keyrings create command (Windows/macOS/Linux) to create a new key ring in the first required region:

gcloud kms keyrings create cc-spanner-keyring \
	--location us-central1 \
	--project cc-spanner-project-112233

05 Run kms keys create command (Windows/macOS/Linux) to create a new symmetric encryption key in the key ring:

gcloud kms keys create cc-spanner-cmek-key-us-central1 \
	--keyring cc-spanner-keyring \
	--location us-central1 \
	--purpose encryption \
	--protection-level software \
	--project cc-spanner-project-112233

06 If your Cloud Spanner instance uses a multi-region or dual-region configuration, repeat steps no. 4 – 6 to create additional key rings and keys in each required region (e.g., us-east1, us-west1 for a multi-region instance).

Step 2: Grant Cloud Spanner Service Agent Permissions

07 Run beta services identity create command (Windows/macOS/Linux) to create or display the Cloud Spanner service agent identity:

gcloud beta services identity create \
	--service=spanner.googleapis.com \
	--project=cc-spanner-project-112233

08 The command output should return the service agent email address:

Service identity created: service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com

09 Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to grant the Cloud Spanner service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on the first key:

gcloud kms keys add-iam-policy-binding cc-spanner-cmek-key-us-central1 \
	--location us-central1 \
	--keyring cc-spanner-keyring \
	--project=cc-spanner-project-112233 \
	--member serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com \
	--role roles/cloudkms.cryptoKeyEncrypterDecrypter

10 The command output should confirm the IAM policy binding:

Updated IAM policy for key [cc-spanner-cmek-key-us-central1].
bindings:
- members:
	- serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
	role: roles/cloudkms.cryptoKeyEncrypterDecrypter

11 If you created multiple Cloud KMS keys for a multi-region or dual-region instance, repeat step no. 9 for each key to grant permissions on all keys.

Step 3: Create a New Cloud Spanner Database with CMEK

12 For a regional instance with a single Cloud KMS key, run spanner databases create command (Windows/macOS/Linux) to create a new database with CMEK encryption enabled:

gcloud spanner databases create cc-prod-database-cmek \
	--instance cc-production-instance \
	--kms-keys=projects/cc-spanner-project-112233/locations/us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-cmek-key-us-central1 \
	--project cc-spanner-project-112233

13 For a multi-region or dual-region instance with multiple Cloud KMS keys, provide a comma-separated list of key resource names:

gcloud spanner databases create cc-prod-database-cmek \
	--instance cc-multiregion-instance \
	--kms-keys=projects/cc-spanner-project-112233/locations/us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-cmek-key-us-central1,projects/cc-spanner-project-112233/locations/us-east1/keyRings/cc-spanner-keyring-east/cryptoKeys/cc-spanner-cmek-key-us-east1,projects/cc-spanner-project-112233/locations/us-west1/keyRings/cc-spanner-keyring-west/cryptoKeys/cc-spanner-cmek-key-us-west1 \
	--project cc-spanner-project-112233

14 The command output should confirm the database creation operation:

Creating database...done.

15 Run spanner databases describe command (Windows/macOS/Linux) to verify that CMEK is enabled for the new database:

gcloud spanner databases describe cc-prod-database-cmek \
	--instance cc-production-instance \
	--project cc-spanner-project-112233 \
	--format="json(encryptionConfig)"

16 The command output should confirm that CMEK is enabled:

{
	"encryptionConfig": {
		"kmsKeyName": "projects/cc-spanner-project-112233/locations/us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-cmek-key-us-central1"
	}
}

Step 4: Migrate Data and Remove Old Database

17 Migrate your data from the old Cloud Spanner database to the new CMEK-encrypted database using backup and restore operations, export and import processes, or application-level data migration tools.

18 After verifying the data migration and confirming that applications are successfully using the new database, delete the old database that uses Google-managed encryption.

19 Repeat steps no. 1 – 18 for other Cloud Spanner databases that are encrypted with Google-managed keys.

20 Repeat steps no. 1 – 19 for each project available within your Google Cloud account.
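The following Python check, an added example and not Trend Micro or Google code, applies the rule from step 09 of the CLI audit (and the verification in step 16 of the CLI remediation) to the JSON that `gcloud spanner databases describe` prints: it flags Google-managed databases, malformed or multi-region Cloud KMS key names, and keys whose region does not match the instance configuration. It assumes the encryptionInfo and encryptionConfig field names shown on this page; `describe()` is a hypothetical wrapper around the page's gcloud command, and the two sample documents are constructed.

```python
"""Classify Cloud Spanner databases by encryption type from the JSON printed by
`gcloud spanner databases describe --format=json`. Added example, not Trend Micro/Google code."""
import json
import re
import subprocess

CMEK = "CUSTOMER_MANAGED_ENCRYPTION"
KEY_RE = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/keyRings/[^/]+"
                    r"/cryptoKeys/[^/]+(?:/cryptoKeyVersions/\d+)?$")

def key_location(resource_name):
    """Cloud KMS location embedded in a key or key-version name, or None if malformed."""
    m = KEY_RE.match(resource_name)
    return m.group("loc") if m else None

def regions_for_config(instance_config):
    """Region of a regional instance config (.../instanceConfigs/regional-us-central1).
    Multi- and dual-region configs return None: pass their regions to assess() yourself."""
    name = instance_config.rsplit("/", 1)[-1]
    return {name[len("regional-"):]} if name.startswith("regional-") else None

def assess(db, expected_regions=None):
    """Return (compliant, findings). Rules from the page: every encryptionInfo entry is
    CUSTOMER_MANAGED_ENCRYPTION, every key is a well-formed *regional* Cloud KMS key
    (no 'us'/'global' style locations), and key regions match expected_regions if given."""
    findings = []
    infos = db.get("encryptionInfo") or [{}]
    for info in infos:
        if info.get("encryptionType") != CMEK:
            findings.append("encryptionType is " + str(info.get("encryptionType", "missing")))
    cfg = db.get("encryptionConfig", {})
    keys = cfg.get("kmsKeyNames") or ([cfg["kmsKeyName"]] if "kmsKeyName" in cfg else [])
    keys = keys or [i["kmsKeyVersion"] for i in infos if "kmsKeyVersion" in i]
    locations = set()
    for key in keys:
        loc = key_location(key)
        if loc is None:
            findings.append("malformed key resource name: " + key)
        elif "-" not in loc:  # regional KMS locations always contain a dash
            findings.append("multi-region KMS location %r is not allowed for Spanner" % loc)
        else:
            locations.add(loc)
    if keys and expected_regions is not None and locations != set(expected_regions):
        findings.append("key regions %s != instance regions %s"
                        % (sorted(locations), sorted(expected_regions)))
    return (not findings, findings)

def describe(project, instance, database):
    """Live lookup with the same gcloud command the page uses (requires gcloud auth)."""
    cmd = ["gcloud", "spanner", "databases", "describe", database, "--instance", instance,
           "--project", project, "--format=json"]
    return json.loads(subprocess.check_output(cmd))

# Constructed samples mirroring the two output shapes shown on the page.
SAMPLE_DEFAULT = {"encryptionInfo": [{"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"}]}
SAMPLE_CMEK = {"encryptionConfig": {"kmsKeyName": "projects/cc-spanner-project-112233/locations/"
               "us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-cmek-key-us-central1"},
               "encryptionInfo": [{"encryptionType": CMEK}]}

if __name__ == "__main__":  # for a live run: assess(describe(project, instance, db), regions)
    for name, db in (("cc-prod-database", SAMPLE_DEFAULT), ("cc-prod-database-cmek", SAMPLE_CMEK)):
        print(name, assess(db, {"us-central1"}))
```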


Publication date Jan 14, 2026