Encryption at Rest in Google Cloud
By default, Google Cloud encrypts all customer data at rest using Google-managed keys. However, for organizations with strict regulatory or security requirements, Google offers two ways to take control of the encryption keys: CMEK and CSEK.
For a Professional Cloud Security Engineer (PSE), knowing when and how to implement these is vital for meeting compliance standards like HIPAA, PCI-DSS, or GDPR.
白話文解釋(Plain English Explanation)
Analogy 1: The Hotel Safe (Default vs CMEK vs CSEK)
Imagine three ways to secure valuables in a hotel:
- Default Google-managed encryption is like the hotel's in-room safe — the hotel issues, rotates, and audits the combination for you. Zero effort, but you trust the hotel completely.
- CMEK is like bringing your own padlock (Cloud KMS key) for the safe. The hotel staff (GCS, BigQuery, Compute Engine service agents) can still open the safe, but only when you grant them the master key — and you can revoke that access any time.
- CSEK is like keeping the only key on your own keychain at home. Every time you want to open the safe, you must walk in and physically present the key. If you lose your keychain, the hotel cannot help you — your valuables are sealed forever.
Analogy 2: The Library Per-Book Lock (CMEK is Per-Resource)
A library that uses CMEK does not lock the whole building with one key. Each bookshelf (a GCS bucket, a BigQuery dataset, a Persistent Disk) gets its own padlock referenced from a central key cabinet (Cloud KMS key ring). If you revoke the key for the "Finance" shelf, only Finance becomes unreadable — the History shelf is still browsable. This is why CMEK is described as per-resource: encryption is bound to the resource at create-time, and rotating or disabling one key never affects unrelated resources.
Analogy 3: The Bonded Courier (CSEK Supplied Per-Request)
CSEK works like a bonded courier service: every single delivery (every API call to GCS or Compute Engine) requires you to present a fresh handwritten authorization slip (the raw 256-bit key in the x-goog-encryption-key header). The courier never keeps a copy of your signature on file — once the delivery completes, the slip is shredded from memory. This is also why CSEK only works on Cloud Storage and Compute Engine: services like BigQuery or Dataflow run long-lived background jobs that cannot pause to ask you for the key on every read.
Customer-Managed Encryption Keys (CMEK)
CMEK uses Cloud KMS keys to protect your data. You manage the keys (rotation, IAM, destruction), but they reside within Google Cloud.
CMEK Workflow:
- Create a Key Ring and a Key in Cloud KMS.
- Grant the Service Agent for the target service (e.g., GCS or BigQuery) the
cloudkms.cryptoKeyEncrypterDecrypterrole. - Configure the resource (bucket, dataset, or disk) to use that KMS key.
Customer-Managed Encryption Keys (CMEK) are keys that you create and manage in Cloud KMS but are used by other Google Cloud services to protect your data.
CMEK is per-resource: the KMS key is bound to a specific GCS bucket, BigQuery table, or Compute Engine disk at create time. You cannot retroactively re-encrypt an existing bucket with a different CMEK key — you must create a new bucket/dataset/disk with the desired key and copy the data over. Plan key assignment before provisioning resources.
Integrating CMEK with Services
Cloud Storage (GCS)
- You can set a default KMS key for a bucket.
- All new objects uploaded to that bucket are automatically encrypted with the CMEK.
BigQuery
- You can specify a CMEK when creating a table or when running a query that outputs results to a new table.
- CMEK protects the data on disk, but not the metadata (like column names).
Compute Engine (GCE)
- CMEK can be used to encrypt Persistent Disks (PD).
- The key is required whenever the disk is attached to a VM or when a snapshot is created.
Customer-Supplied Encryption Keys (CSEK)
CSEK is for the most extreme security requirements. You generate the key material outside of Google Cloud and provide it with each API call.
CSEK Characteristics:
- Google never stores your CSEK key material on disk. It is only kept in memory while your data is being processed.
- If you lose the key, Google cannot recover your data.
- Supported only by Cloud Storage and Compute Engine.
CSEK requires you to manage the key's availability. If your key management system goes down and you cannot provide the key during an API call, you cannot access your data.
A classic exam trap mixes the two models up. Remember: CSEK is supplied per-request (the raw 256-bit key in the x-goog-encryption-key HTTP header on every GCS read/write or in every Compute Engine disk attach call). If you lose the CSEK key, the data is permanently lost — Google has no backup. CMEK is the opposite: Google stores and protects the key in Cloud KMS, so losing access to your IAM identity does not destroy the data, and a destroyed KMS key version can be restored within the 24-hour scheduled-destruction window. Also, CSEK does NOT work with BigQuery, Dataflow, Dataproc, or Pub/Sub — only GCS and Compute Engine. If a question pairs CSEK with BigQuery, it is wrong.
Key Revocation Impact on Data Availability
One of the main reasons to use CMEK or CSEK is the ability to "pull the plug."
- Revoking CMEK: If you disable the KMS key or remove the Service Agent's IAM permissions, the service can no longer decrypt the data. Access is lost within minutes.
- Revoking CSEK: Simply stop providing the key in your API headers.
Service Agent Roles for CMEK
Every Google Cloud service has a Service Agent (a Google-managed service account) that performs actions on your behalf.
- Example: For GCS, the service agent looks like
service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com. - Crucial Step: You must manually grant this agent access to your KMS key. Without this, CMEK integration will fail.
Organization Policies for Enforcing CMEK
To prevent "shadow data" encrypted with Google-managed keys, use Organization Policies:
constraints/gcp.restrictNonCmekServices: Prevents the creation of resources that are not protected by CMEK.constraints/gcp.restrictCmekCryptoKeyProjects: Limits which KMS projects can be used to provide keys.
Comparing CMEK and CSEK Use Cases
| Feature | CMEK | CSEK |
|---|---|---|
| Key Storage | Cloud KMS | On-Premises / External |
| Management Complexity | Medium | Very High |
| GCP Services Support | Most Services | GCS, GCE only |
| Key Rotation | Automated in KMS | Manual only |
| Risk of Data Loss | Low (Google manages KMS) | High (If you lose the key) |
Troubleshooting Encryption Errors
- "Permission Denied" on a CMEK resource: Usually means the Service Agent lost its
Encrypter/Decrypterrole on the KMS key. - "Invalid Key" for CSEK: The raw 256-bit string provided in the header does not match the one used to encrypt the data.
- KMS Key Disabled: The key exists, but its status is
DISABLED. You must re-enable it in the KMS console.
Encryption at Rest by Default vs. Managed Keys
Remember that Default Encryption (Google-managed) is always active. CMEK and CSEK are additional layers of control.
- Default: No management overhead, FIPS 140-2 compliant.
- CMEK: Control over rotation and revocation, audit logs of key usage.
- CSEK: Total control, keys never reside on Google-managed storage.
For 99% of enterprise customers, CMEK is the right balance of security and manageability. Only use CSEK if it is a hard legal requirement.
Encryption model cheat sheet for the PSE exam:
| Property | Default | CMEK | CSEK |
|---|---|---|---|
| Key origin | You create in Cloud KMS | You generate outside GCP | |
| Key storage | Cloud KMS (FIPS 140-2 L3 with HSM) | Never stored — in-memory only | |
| Rotation | Auto (Google) | Automatic via KMS (e.g. 30/90 days) or manual | Manual (re-write objects) |
| Revoke = data inaccessible? | No | Yes — disable KMS key or strip Service Agent IAM | Yes — stop sending the key header |
| Supported services | All | BigQuery, GCS, Compute Engine, Dataflow, Pub/Sub, Composer, Spanner, etc. | GCS and Compute Engine only |
| Per-resource binding | N/A | Yes — bound at create time | Per-request (header) |
| Data loss if you lose the key | N/A | Low (Google manages KMS) | Total — permanent loss |
| Org Policy enforcement | N/A | constraints/gcp.restrictNonCmekServices |
None — handled by your KMS |
Remember the keyword triggers: "rotate every N days" → CMEK with auto-rotation; "key never touches Google disks" → CSEK; "emergency revoke encrypted disks" → disable the KMS key (CMEK).
PSE Exam Scenarios
Scenario 1: Enforcing Compliance
"A company must ensure that all BigQuery datasets created in the Finance folder are encrypted with keys that they can rotate every 30 days. How do you implement this?"
Answer: 1. Create a KMS key with a 30-day automatic rotation schedule. 2. Set an Organization Policy at the Finance folder to require CMEK. 3. Grant the BigQuery Service Agent access to the KMS key.
Scenario 2: Emergency Revocation
"A security breach is detected in a specific project. You need to immediately stop all access to encrypted disks in that project. What is the fastest way?"
Answer: If using CMEK, Disable the KMS key or remove the IAM Encrypter/Decrypter role from the Compute Engine Service Agent.
Summary Checklist
- Explain the role of a Service Agent in CMEK.
- List the two services that support CSEK.
- Contrast key storage locations for CMEK vs. CSEK.
- Identify the Organization Policy used to mandate CMEK.
- Describe the impact of disabling a KMS key on a CMEK-protected resource.