01 Run the compute instances describe command (Windows/macOS/Linux) using the name of the virtual machine (VM) instance that you want to re-create as the identifier parameter (see the Audit section, part II, to identify the right resource), to describe the configuration metadata available for the selected instance:
gcloud compute instances describe cc-production-instance \
  --zone us-central1-a
02 The command output should return the requested configuration information:
cpuPlatform: Intel Haswell
deletionProtection: false
disks:
- autoDelete: true
  boot: true
  deviceName: cc-production-instance
  diskSizeGb: '150'
  guestOsFeatures:
  - type: VIRTIO_SCSI_MULTIQUEUE
  - type: UEFI_COMPATIBLE
  interface: SCSI
  kind: compute#attachedDisk
  mode: READ_WRITE
  source: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-production-instance
  type: PERSISTENT
displayDevice:
  enableDisplay: false
...
kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-production-instance
shieldedInstanceConfig:
  enableIntegrityMonitoring: true
  enableSecureBoot: false
  enableVtpm: true
shieldedInstanceIntegrityPolicy:
  updateAutoLearnPolicy: true
startRestricted: false
status: RUNNING
tags:
  items:
  - http-server
  - https-server
zone: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a
03 Define the Customer-Supplied Encryption Key (CSEK) that you want to use for your instance disk encryption and save it in a JSON file named csek-key.json. The CSEK definition file contains the fully qualified URI of the resource that the key protects, the key itself, and the key type, either raw (not RSA-wrapped) or rsa-encrypted:
[
  {
    "uri": "https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-encrypted-production-instance",
    "key": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd",
    "key-type": "raw"
  }
]
04 Run the compute instances create command (Windows/macOS/Linux) using the configuration information returned at step no. 2 as configuration parameters and the CSEK definition file created at the previous step (csek-key.json) to create a new Google Compute Engine instance with the appropriate encryption configuration. The following example command creates a virtual machine (VM) instance named "cc-encrypted-production-instance" in the "us-central1-a" zone, using the n1-standard-8 machine type, the "Red Hat Enterprise Linux 8" image family, and a 150 GB boot disk encrypted with the raw Customer-Supplied Encryption Key (CSEK) defined in the csek-key.json configuration file:
gcloud compute instances create cc-encrypted-production-instance \
  --project=cc-web-stack-project-123123 \
  --zone=us-central1-a \
  --machine-type=n1-standard-8 \
  --image-family=rhel-8 \
  --image-project=rhel-cloud \
  --boot-disk-size=150GB \
  --csek-key-file csek-key.json
05 The command output should return the metadata available for the new VM instance:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-encrypted-production-instance].
NAME                              ZONE           MACHINE_TYPE   INTERNAL_IP  EXTERNAL_IP      STATUS
cc-encrypted-production-instance  us-central1-a  n1-standard-8  10.128.0.8   xxx.xxx.xxx.xxx  RUNNING
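To make the key file from step 3 reproducible, and to let you confirm after step 5 that the new boot disk is really protected by the key you supplied, here is an added helper script; it is not part of the original procedure or of gcloud. It generates a 256-bit raw CSEK, refuses to write a malformed key, writes csek-key.json in the format shown at step 3, and computes the base64 SHA-256 that Compute Engine reports as diskEncryptionKey.sha256 for a CSEK-protected disk; the csek_*, sha256_hex and hex_to_bin function names are this example's own, and the project, zone and disk names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: build and check a raw CSEK key file.
# A raw CSEK is 256 bits, RFC 4648 base64 encoded (43 chars + '=', 44 total).
# Compute Engine never returns the key itself; disks describe shows only
# diskEncryptionKey.sha256 = base64(SHA-256(key bytes)), computed here too.
# Nothing below calls gcloud; function names are this example's own.

csek_generate_raw_key() {  # 32 random bytes -> 44-char base64 key
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

csek_validate_key() {  # succeed only if $1 has the exact shape of a 256-bit base64 key
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

sha256_hex() {  # stdin -> lowercase hex digest (GNU coreutils or macOS shasum)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

hex_to_bin() {  # stdin hex -> raw bytes via POSIX printf octal escapes (no xxd/openssl needed)
  hex=$(cat)
  while [ "${#hex}" -ge 2 ]; do
    byte=${hex%"${hex#??}"}; hex=${hex#??}
    printf "$(printf '\\%03o' "$((0x$byte))")"
  done
}

csek_key_sha256() {  # base64 key -> the base64 SHA-256 GCE reports for a disk using that key
  printf '%s' "$1" | base64 -d | sha256_hex | hex_to_bin | base64 | tr -d '\n'
}

csek_write_key_file() {  # args: project zone disk key outfile
  csek_validate_key "$4" || { echo "refusing to write $5: key is not 43 base64 chars + '='" >&2; return 1; }
  cat >"$5" <<EOF
[
  {
    "uri": "https://compute.googleapis.com/compute/v1/projects/$1/zones/$2/disks/$3",
    "key": "$4",
    "key-type": "raw"
  }
]
EOF
}

# Demo: names from the page (the boot disk created at step 4 is named after the instance).
KEY=$(csek_generate_raw_key)
csek_write_key_file cc-web-stack-project-123123 us-central1-a cc-encrypted-production-instance \
  "$KEY" "${TMPDIR:-/tmp}/csek-key.json"
echo "after step 5, 'gcloud compute disks describe cc-encrypted-production-instance --zone us-central1-a' should show"
echo "diskEncryptionKey.sha256: $(csek_key_sha256 "$KEY")   (record this hash, not the key, as evidence)"
```

Keep csek-key.json out of version control and shared storage: anyone holding the raw key can decrypt the disk, while the sha256 value is safe to keep with your compliance evidence.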
06 Migrate the data from the source (non-compliant) instance to the newly created VM instance (encrypted with CSEK).
07 To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To do so, run the compute instances delete command (Windows/macOS/Linux) using the name of the source instance that you want to delete as the identifier parameter:
gcloud compute instances delete cc-production-instance \
  --zone us-central1-a
08 Press Y at the command prompt to confirm the Google Cloud resource removal:
The following instances will be deleted. Any attached disks configured
to be auto-deleted will be deleted unless they are attached to any
other instances or the `--keep-disks` flag is given and specifies them
for keeping. Deleting a disk is irreversible and any data on the disk
will be lost.
- [cc-production-instance] in [us-central1-a]
Do you want to continue (Y/n)?
09 The command output should return the URL of the deleted virtual machine (VM) instance:
Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].
10 Repeat steps no. 1 – 9 to enable encryption with Customer-Supplied Encryption Keys (CSEKs) for other production VM instances created for the selected project.
11 Repeat steps no. 1 – 10 for each GCP project deployed in your Google Cloud account.