Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Use Customer-Managed Encryption Keys for Secret Manager Secret Encryption

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SecretManager-004

Ensure that your Google Cloud Secret Manager secrets are encrypted using Cloud KMS Customer-Managed Encryption Keys (CMEKs) in order to have a more granular control over your secret data encryption process and meet compliance requirements.

Security

A Secret Manager secret is a wrapper around a collection of secret data versions. By default, secrets stored in Secret Manager are encrypted with Google-managed encryption keys. The Secret Manager service manages this type of encryption without any additional actions from you and your cloud application. However, if you want to fully control and manage Google Cloud secret encryption yourself, you can use your own Customer-Managed Encryption Key (CMEK). To create and manage your own Customer-Managed Encryption Keys use Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.

As an example, this rule demonstrates how to implement Customer-Managed Encryption Keys (CMEKs) for Secret Manager secrets that are configured via an automatic replication policy.

Audit

To determine if your Secret Manager secrets are encrypted using Customer-Managed Encryption Keys, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

  4. Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

  5. Click on the name (link) of the secret that you want to examine, listed in the Name column.

  6. Select the OVERVIEW tab and check the Encryption configuration attribute value. If the Encryption value is set to Google-managed, the selected Secret Manager secret is not encrypted using a Cloud KMS Customer-Managed Encryption Key (CMEK).

  7. Repeat steps no. 5 and 6 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

  8. Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

    gcloud projects list
	--format="value(projectId)"

  2. The command output should return the requested GCP project identifiers (IDs):

    cc-project5-123123
cc-ai-project-123123

  3. Run secrets list command (Windows/macOS/Linux) with the name of the Google Cloud project that you want to examine as the identifier parameter and custom output filters to describe the name of each Secret Manager secret created for the selected project:

    gcloud secrets list
	--project cc-project5-123123
	--format="value(name)"

  4. The command output should return the names of the secrets available within the selected GCP project:

    cc-project5-api-key
cc-project5-db-access

  5. Run secrets describe command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to examine as the identifier parameter and custom output filters to describe the encryption key configured for the selected secret:

    gcloud secrets describe cc-project5-api-key
	--format="value(replication.automatic.customerManagedEncryption.kmsKeyName)"

  6. The command output should return the requested encryption key information:

    projects/cc-project5-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-cmek

    If the secrets describe command output does not return a Customer-Managed Encryption Key similar to the one returned in the output example above, the selected Secret Manager secret is not encrypted using a Cloud KMS Customer-Managed Encryption Key (CMEK).

  7. Repeat steps no. 5 and 6 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

  8. Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable encryption with Cloud KMS Customer-Managed Encryption Keys (CMEKs) for your Secret Manager secrets, perform the following operations:

Updating the CMEK configuration only applies to new secret versions. Existing secret versions are not re-encrypted.

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar (must match the project that holds your Secret Manager secrets).

  3. To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:

    1. Navigate to Key management console available at https://console.cloud.google.com/security/kms.
    2. Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
    3. A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select Region from the Location type list, then choose the appropriate key location from the Region dropdown list. Choose CREATE to deploy the new key ring.
    4. On the Create key setup page, provide the following information:
      1. For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
      2. For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
      3. For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
      4. For Versions, configure the key rotation period as necessary. Choose CONTINUE.
      5. For Additional settings (optional), set the duration for the scheduled for destruction (i.e., soft deleted) state before the key is removed from the system. Choose ADD LABEL and use the Key and Value text fields to create labels in order to organize the identity of the new key.
      6. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

  4. Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

  5. Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

  6. Click on the name (link) of the secret that you want to configure, listed in the Name column.

  7. Choose EDIT SECRET from the resource top-menu to change the secret configuration.

  8. Select Customer-managed encryption key (CMEK) from the Encryption section, click inside the Encryption key dropdown box, select the name of the CMEK created earlier in the Remediation process, and choose OK. Inside the The \<service-account-email\> service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key box, choose GRANT to grant the associated service account access to your key using the Cloud KMS CryptoKey Encrypter/Decrypter role. Choose UPDATE SECRET to apply the configuration changes. Choose UPDATE to confirm the changes.

  9. Repeat steps no. 6 – 8 for each Secret Manager secret that you want to configure, available within the selected Google Cloud Platform (GCP) project.

  10. Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

  1. Before you can create your own Customer-Managed Encryption Key (CMEK), you have to provision a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring. For secrets configured with an automatic replication policy, your key ring key must be located in the global KMS region (multi-region):

    gcloud kms keyrings create cc-project5-key-ring
	--location=global
	--project=cc-project5-123123
	--format="table(name)"

  2. The command output should return the resource name of the newly created key ring:

    NAME: projects/cc-project5-123123/locations/global/keyRings/cc-project5-key-ring

  3. Run kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created in the previous steps. For secrets configured with an automatic replication policy, your new encryption key must be created in the global KMS region:

    gcloud kms keys create cc-project5-cmek
	--location=global
	--keyring=cc-project5-key-ring
	--purpose=encryption
	--protection-level=software
	--rotation-period=90d
	--next-rotation-time=2025-09-15T10:00:00.0000Z
	--format="table(name)"

  4. The command output should return the full resource name of the new Customer-Managed Encryption Key:

    NAME: projects/cc-project5-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-cmek

  5. Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to add the required IAM policy binding to your new CMEK. This assigns the Cloud KMS CryptoKey Encrypter/Decrypter role to the associated service account (i.e., service-\<project-number\>@gcp-sa-secretmanager.iam.gserviceaccount.com). Replace \<project-number\> with your Google Cloud Platform (GCP) project number:

    gcloud kms keys add-iam-policy-binding cc-project5-cmek
	--location "global"
	--member "serviceAccount:service-<project-number>@gcp-sa-secretmanager.iam.gserviceaccount.com"
	--role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
	--project "cc-project5-123123"

  6. The command output should return the updated IAM policy (YAML format):

    Updated IAM policy for key [cc-project5-cmek].
    bindings:
    - members:
    - serviceAccount:service-<project-number>@gcp-sa-secretmanager.iam.gserviceaccount.com
    role: roles/cloudkms.cryptoKeyEncrypterDecrypter
    etag: abcdabcdabcd
    version: 1

  7. To enable encryption with Cloud KMS Customer-Managed Encryption Keys (CMEKs) for your Secret Manager secrets you have to re-create your secrets using the right encryption configuration. Run secrets versions list command (Windows/macOS/Linux) with the name of the secret that you want to re-create as the identifier parameter, to list all versions available for the selected secret:

    gcloud secrets versions list cc-project5-api-key
	--format="table(name)"

  8. The command output should return the number of each version created for the selected secret:

    NAME
1

  9. Run secrets versions access command (Windows/macOS/Linux) with the number of the secret version that you want to access as the identifier parameter, to describe the payload (i.e., secret data) of the selected secret version:

    gcloud secrets versions access 1
	--secret=cc-project5-api-key
	--format="value(payload.data)"

  10. The command output should return the secret data (payload). Save this secret data to a text file named cc-secret-data.txt:

    abcd1234abcd1234

  11. Run secrets create command (Windows/macOS/Linux) to create a new Secret Manager secret using the information (payload) returned in the previous step as secret data (i.e., cc-secret-data.txt). Use the --kms-key-name command parameter to specify the Cloud KMS Customer-Managed Encryption Key (CMEK) that you want to use for secret data encryption:

    gcloud secrets create cc-project5-new-api-key
	--project "cc-project5-123123"
	--replication-policy "automatic"
	--kms-key-name "projects/cc-project5-123123/locations/global/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-cmek"
	--data-file=cc-secret-data.txt

  12. The command output should return the name of the new Secret Manager secret. From now on, each time a secret version is created in this secret, the secret version's payload is automatically encrypted using the specified CMEK before being written to persistent storage, as long as the service account has access to the CMEK resource:

    Created version [1] of the secret [cc-project5-new-api-key].

  13. Repeat steps no. 7 – 12 for each Secret Manager secret that you want to configure, available in the selected Google Cloud Platform (GCP) project.

  14. Repeat steps no. 1 – 13 for each GCP project deployed in your Google Cloud account.

References

Publication date Aug 8, 2025

Related SecretManager rules