Use Customer-Managed Encryption Keys for Filestore Data Encryption

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Filestore console available at https://console.cloud.google.com/filestore/.

04 In the left navigation panel, choose Instances to access the list of Google Cloud Filestore instances provisioned for the selected GCP project.

05 Click on the ID (link) of the Filestore instance that you want to examine. A Filestore instance is a fully-managed, network-attached storage system that you can use with Compute Engine and Kubernetes Engine instances.

06 Select the OVERVIEW tab to view the configuration information available for the selected instance.

07 Check the Encryption attribute value to determine the type of the encryption key used by the selected cloud resource. If the Encryption attribute value is Google-managed, the data stored on the selected Google Cloud Filestore instance is not encrypted at rest using a Cloud KMS Customer-Managed Encryption Key (CMEK).

08 Repeat step no. 5 - 7 for each Filestore instance available within the selected GCP project.

09 Repeat steps no. 2 - 8 for each GCP project deployed within your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-cloudai-project-112233

03 Run filestore instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the Google Cloud Filestore instances deployed to the selected project:

gcloud filestore instances list
	--project cc-web-project-123123
	--format="default(name)"

04 The command request should return the requested instance IDs (i.e., fully qualified identifiers):

name: projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance
name: projects/cc-web-project-123123/locations/us-central1-a/instances/cc-web-filestorage-instance

05 Run filestore instances describe command (Windows/macOS/Linux) with the ID of the Filestore instance that you want to examine as the identifier parameter, to describe the full ID of the Customer-Managed Encryption Key (CMEK) used to encrypt your instance data:

gcloud filestore instances describe "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance"
	--format="json(kmsKeyName)"

06 The command output should return the ID of the requested encryption key:

null

07 Repeat steps no. 5 and 6 for each Filestore instance available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:

1. Navigate to Key management console available at https://console.cloud.google.com/security/kms.
2. Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
3. A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select the key location type from the Location type list, then choose the appropriate key location from the Region/Multi-region dropdown list. The location can be either multi-region or associated with a particular region. If the CMEKs created later within this key ring will be used to encrypt/decrypt data in a particular region, select that region as the key ring location. Choose CREATE to deploy the new key ring.
4. On the Create key setup page, provide the following information:
   1. For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
   2. For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
   3. For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
   4. For Versions, configure the key rotation period as necessary. Choose CONTINUE.
   5. For Additional settings (optional), set the duration for the scheduled for destruction (i.e., soft deleted) state before the key is removed from the system. Choose ADD LABEL and use the Key and Value text fields to create labels in order to organize the identity of the new key.
   6. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

04 Navigate to Filestore console available at https://console.cloud.google.com/filestore/.

05 In the left navigation panel, choose Instances to access the list of Filestore instances deployed for the selected GCP project.

06 Click on the ID (link) of the Filestore instance that you want to re-create, select the OVERVIEW tab, and identify the configuration information available for the selected instance.

07 Navigate back to the Instances page, choose CREATE INSTANCE, and perform the following actions to create a new Filestore instance:

1. For Name your instance, provide a unique name for the new instance in the Instance ID box and a short description in the Description (optional) box.
2. For Configure service tier, select the instance type and the necessary storage capacity. Must match the service tier of the source instance, identified at step no. 6.
3. For Choose where to store your data, select the region where to store your data.
4. For Set up connections, configure the networking settings for your instance. Must match the service tier of the source instance.
5. For Protocol, select the required filesharing protocol.
6. For Configure your file share, enter the name of your file share in the File share name box.
7. Choose whether to configure tags and labels for better resource management.
8. Choose Advanced options to access the advanced configuration settings available for the instance:
   1. For Encryption, choose Cloud KMS key under Encryption key options. Select Cloud KMS for Key type, and choose the name of your Cloud KMS Customer-Managed Encryption Key (CMEK) from the Select a Cloud KMS key dropdown list. Inside the \ service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key box, choose GRANT to grant the associated service account access to your key using the Cloud KMS CryptoKey Encrypter/Decrypter role.
   2. For Deletion protection, select the Enable deletion protection checkbox to enable the Deletion Protection feature.
9. Choose CREATE to create your new, CMEK-encrypted Filestore instance.

08 Repeat steps no. 6 and 7 for each Filestore instance that you want to re-create, available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

01 Before you can create your own Customer-Managed Encryption Key (CMEK), you have to provision a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the keys deployed later within this key ring will be used to encrypt resources in a given region, select that region as the key ring location:

gcloud kms keyrings create cc-project5-key-ring
	--location=us
	--project=cc-web-project-123123
	--format="table(name)"

02 The command output should return the resource name of the newly created key ring:

NAME
projects/cc-web-project-123123/locations/us/keyRings/cc-project5-key-ring

03 Run kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created at the previous steps:

gcloud kms keys create cc-filestore-kms-key
	--location=us
	--keyring=cc-project5-key-ring
	--purpose=encryption
	--protection-level=software
	--rotation-period=90d
	--next-rotation-time=2025-03-20T10:00:00.0000Z
	--format="table(name)"

04 The command output should return the full resource name of the new Customer-Managed Encryption Key:

NAME
projects/cc-web-project-123123/locations/us/keyRings/cc-project5-key-ring/cryptoKeys/cc-filestore-kms-key

05 Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the required service account:

gcloud kms keys add-iam-policy-binding cc-filestore-kms-key
	--keyring cc-project5-key-ring
	--location us-central1
	--member='serviceAccount:service-<project-number>@cloud-filer.iam.gserviceaccount.com'
	--role roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for key [cc-filestore-kms-key].
bindings:
- members:
	- serviceAccount:service-<project-number>@cloud-filer.iam.gserviceaccount.com
	role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: ABCD1234ABCD1234
version: 1

07 Run filestore instances describe command (Windows/macOS/Linux) with the ID of the Filestore instance that you want to re-create as the identifier parameter, to identify the configuration information available for the selected instance:

gcloud filestore instances describe "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance"
	--format="yaml"

08 The command output should return the instance configuration information:

fileShares:
- capacityGb: '1024'
	name: cc_fileshare
name: projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance
networks:
- connectMode: DIRECT_PEERING
	ipAddresses:
	- 10.30.40.100
	modes:
	- MODE_IPV4
	network: cc-project5-network
	reservedIpRange: 10.30.40.150/29
state: READY
tier: ZONAL

09 Run the filestore instances create command (OSX/Linux/UNIX) to create a new, CMEK-encrypted Filestore instance using your own Cloud KMS Customer-Managed Encryption Key (CMEK). For --kms-key command parameter, specify the fully qualified name of the CMEK returned in step no 4:

gcloud filestore instances create cc-new-filestorage-instance
	--tier="zonal"
	--location="us-central1-a"
	--file-share=name="cc_fileshare",capacity=1TiB
	--network=name="cc-project5-network"
	--kms-key="projects/cc-web-project-123123/locations/us/keyRings/cc-project5-key-ring/cryptoKeys/cc-filestore-kms-key"

10 The command output should return the request status:

Create request issued for: [cc-new-filestorage-instance]
Created instance [cc-new-filestorage-instance].

11 Repeat steps no. 7 - 10 for each Filestore instance that you want to re-create, available in the selected GCP project.

12 Repeat steps no. 1 – 11 for each GCP project deployed in your Google Cloud account.