Volume encryption for GCP
You can encrypt disks in GCP using the following methods:
Encryption by default (PMK or Google Managed Key)
Customer Managed Encryption Key (CMEK) using Google Cloud KMS
For more information on GCP encryption, see the 'Encryption' section of the Google Cloud documentation.
Table: Encryption for creating snapshots

| Disk encryption | Snapshot encryption |
|---|---|
| Platform Managed Key (PMK) | Same PMK is used as the source disk. |
| CMK/CMEK | Same CMEK is used as the source disk. |
Table: Encryption for restoring snapshots

| Snapshot encryption | Restored disk encryption |
|---|---|
| PMK | Same PMK is used as the snapshot. |
| CMK/CMEK | Same CMEK is used as the snapshot, if the target restore location is within the scope of the key. |
Table: Encryption for restoring from backup

| Snapshot encryption | Restored disk encryption |
|---|---|
| PMK | Same PMK is used as the source disk. |
| CMK/CMEK | Same CMEK is used as the source disk. |
Note:
For a successful restoration, the target restore location must be inside the scope of the key at the time of the restore. For the required permissions, refer to the following Google Cloud Knowledge Base article:
'Encryption of Google Compute Engine disks with KMS Key fails due to permission error'
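The "target restore location must be inside the scope of the key" condition above can be checked before a restore is attempted. The following is an added example (not part of this page or of the backup product's code) that reads a snapshot description in the shape of `gcloud compute snapshots describe --format=json` output, works out whether the snapshot is PMK- or CMEK-protected, and applies the restore table: PMK stays PMK, CMEK stays CMEK only when the key's Cloud KMS location covers the target zone. The sample snapshot JSON, project, key ring and key names are constructed placeholders, and the scope rules (regional key covers its region, multi-region key covers regions under its prefix, global key covers everything) are an assumed simplification of Cloud KMS location rules.

```python
import json
import re

# Constructed sample shaped like `gcloud compute snapshots describe --format=json`
# output for a CMEK-protected snapshot; all resource names are placeholders.
SNAPSHOT_JSON = """{
  "sourceDisk": "projects/example-project/zones/us-central1-a/disks/example-disk",
  "snapshotEncryptionKey": {
    "kmsKeyName": "projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"
  }
}"""

KEY_RE = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+")
# Assumed (simplified) scope rules: a regional key covers zones of that region,
# a multi-region key covers regions under its prefix, a global key covers all.
MULTI_REGION_PREFIX = {"us": "us-", "europe": "europe-", "asia": "asia-"}


def key_location(kms_key_name):
    """Extract the Cloud KMS location from a full cryptoKey resource name."""
    match = KEY_RE.match(kms_key_name)
    if not match:
        raise ValueError(f"not a cryptoKey resource name: {kms_key_name}")
    return match.group("loc")


def zone_to_region(zone):
    """'us-central1-a' -> 'us-central1' (zone names end in a one-letter suffix)."""
    return zone.rsplit("-", 1)[0]


def key_in_scope(kms_key_name, target_zone):
    """True if the key's location covers the region of the target zone."""
    loc = key_location(kms_key_name)
    region = zone_to_region(target_zone)
    if loc == "global" or loc == region:
        return True
    prefix = MULTI_REGION_PREFIX.get(loc)
    return prefix is not None and region.startswith(prefix)


def plan_restore(snapshot_json, target_zone):
    """Apply the restore table: PMK stays PMK; CMEK stays CMEK only when in scope."""
    snapshot = json.loads(snapshot_json)
    key = snapshot.get("snapshotEncryptionKey", {}).get("kmsKeyName")
    if key is None:
        return ("PMK", None)  # no customer key recorded: Google-managed encryption
    if key_in_scope(key, target_zone):
        return ("CMEK", key)
    return ("OUT_OF_SCOPE", key)  # restore to this zone cannot reuse the key
```

A key that is in scope can still fail the restore if the service account performing it lacks the KMS permissions on that key, which is the permission error the Knowledge Base article above covers.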
Table: Encryption during VM restore from snapshot or backup

| Snapshot encryption | Restored disk encryption |
|---|---|
| PMK | Encryption on disk can be PMK/CMK as per user selection during restore. |
| CMK/CMEK | Encryption on disk can be PMK/CMK as per user selection during restore. |