01 Before you can set up and manage your Customer-Managed Keys (CMKs), you must create a key ring. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the CMKs created later within this key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location:
gcloud kms keyrings create cc-cloud-sql-key-ring \
  --location=us-central1 \
  --project=cc-mobile-project-123123 \
  --format="table(name)"
02 The command output should return the identifier (name) of the newly created key ring. The location is us-central1 because the key created inside this key ring at the next step, and the Cloud SQL instances it will protect, are in that region:
NAME
projects/cc-mobile-project-123123/locations/us-central1/keyRings/cc-cloud-sql-key-ring
03 Run kms keys create command (Windows/macOS/Linux) to create a new Cloud KMS Customer-Managed Key (CMK) within the KMS key ring created at the previous step. The --location value must be the location of the key ring, and for Cloud SQL it must also match the region of the database instances the key will encrypt:
gcloud kms keys create cc-cloud-sql-db-cmk \
  --location=us-central1 \
  --keyring=cc-cloud-sql-key-ring \
  --purpose=encryption \
  --protection-level=software \
  --rotation-period=90d \
  --next-rotation-time=2020-07-15T20:00:00.0000Z \
  --format="table(name)"
04 The command output should return the name of the new Customer-Managed Key (CMK):
NAME
projects/cc-mobile-project-123123/locations/us-central1/keyRings/cc-cloud-sql-key-ring/cryptoKeys/cc-cloud-sql-db-cmk
05 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign the Cloud KMS "CryptoKey Encrypter/Decrypter" role to the necessary service account. Replace <kms-project-id> with the ID of the Google Cloud project where the Customer-Managed Keys are provisioned, and replace <project-number> with the project number (not the project ID) of the Google Cloud project that is running your Cloud SQL database instances:
gcloud projects add-iam-policy-binding <kms-project-id> \
  --member=serviceAccount:service-<project-number>@gcp-sa-cloud-sql.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
06 The command output should return the updated IAM policy (YAML format):
Updated IAM policy for project <kms-project-id>.
bindings:
- members:
  - serviceAccount:service-<project-number>@gcp-sa-cloud-sql.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- members:
  - serviceAccount:service-<project-number>@compute-system.iam.gserviceaccount.com
  - user:admin@cloudconformity.com
  role: roles/owner
etag: abcdabcdabcd
version: 1
07 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to re-create as the identifier parameter, with JSON output, to describe the configuration metadata available for the selected database instance:
gcloud sql instances describe cc-mobile-db-instance \
  --format=json
08 The command output should return the requested configuration metadata:
{
  "backendType": "SECOND_GEN",
  "databaseVersion": "MYSQL_5_7",
  "gceZone": "us-central1-a",
  "instanceType": "CLOUD_SQL_INSTANCE",
  "kind": "sql#instance",
  "name": "cc-mobile-db-instance",
  "project": "cc-mobile-project-123123",
  "region": "us-central1",
  "serviceAccountEmailAddress": "service-<project-number>@gcp-sa-cloud-sql.iam.gserviceaccount.com",
  "settings": {
    "activationPolicy": "ALWAYS",
    "availabilityType": "ZONAL",
    ...
    "dataDiskSizeGb": "100",
    "dataDiskType": "PD_SSD",
    "ipConfiguration": {
      "ipv4Enabled": true
    },
    "locationPreference": {
      "kind": "sql#locationPreference",
      "zone": "us-central1-a"
    },
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "tier": "db-n1-standard"
  },
  "state": "RUNNABLE"
}
09 Run sql instances create command (Windows/macOS/Linux) using the information returned at the previous step as configuration data for the command parameters, to create a new Google Cloud SQL database instance, encrypted with the Customer-Managed Key (CMK) created at step no. 3:
gcloud sql instances create cc-encrypted-mobile-db-instance \
  --project=cc-mobile-project-123123 \
  --database-version=MYSQL_5_7 \
  --tier=db-n1-standard-1 \
  --storage-size=100 \
  --storage-type=SSD \
  --zone=us-central1-a \
  --availability-type=ZONAL \
  --assign-ip \
  --require-ssl \
  --root-password=xxxxxxxxxx \
  --disk-encryption-key=projects/cc-mobile-project-123123/locations/us-central1/keyRings/cc-cloud-sql-key-ring/cryptoKeys/cc-cloud-sql-db-cmk
10 Press Y at the command prompt to confirm the terms and conditions:
You are creating a Cloud SQL instance encrypted with a customer-managed key. If anyone destroys a customer-managed key, all data encrypted with it will be permanently lost.
Do you want to continue (Y/n)?
11 The command output should return the metadata for the newly created database instance:
Creating Cloud SQL instance...done.
Created [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-mobile-project-123123/instances/cc-encrypted-mobile-db-instance].
NAME LOCATION TIER PRIMARY_ADDRESS STATUS
cc-encrypted-mobile-db-instance us-central1-a db-n1-standard xxx.xxx.xxx.xxx RUNNABLE
12 Put your source (unencrypted) database instance into read-only mode by setting the "read_only" database flag to On. Check this rule to see how MySQL database flags are configured.
13 Export the source instance data to an SQL dump file and import that data to the newly created (target) instance.
14 Update the associated application(s) to connect to the new database instance.
15 Once the new database is operating successfully, you can remove the source instance in order to stop adding charges to your Google Cloud bill. Run sql instances delete command (Windows/macOS/Linux) using the ID of the MySQL database instance that you want to remove as the identifier parameter (see Audit section part II to identify the right resource), to delete the specified database instance:
gcloud sql instances delete cc-mobile-db-instance
16 Type Y to confirm the resource removal. All data, including backups, is permanently lost when that instance is deleted, therefore make sure that your data has been successfully exported to the new database instance before removal:
All of the instance data will be lost when the instance is deleted.
Do you want to continue (Y/n)? Y
17 The output should return the sql instances delete command request status:
Deleting Cloud SQL instance...done.
Deleted [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-mobile-project-123123/instances/cc-mobile-db-instance].
18 Repeat steps no. 7 – 17 to enable encryption at rest with Customer-Managed Keys (CMKs) for other Cloud SQL database instances provisioned in the selected project.
19 Repeat steps no. 1 – 18 for each GCP project deployed in your Google Cloud account.
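The following added example (not part of the original page or of gcloud) shows two checks a practitioner would script around steps 07 and 09: an audit function that inspects the JSON returned by sql instances describe and reports whether the instance uses a CMK whose location matches the instance region, and a helper that maps the describe fields onto the create flags used at step 09. The sample describe output, the requireSsl field and the diskEncryptionConfiguration.kmsKeyName field name are constructed/assumed here; --root-password is intentionally left for the operator to supply.

```python
import json
import re

# Constructed sample of the fields used from `gcloud sql instances describe --format=json`
# for the page's unencrypted source instance (not real gcloud output).
SOURCE_INSTANCE = json.loads("""{
  "name": "cc-mobile-db-instance",
  "project": "cc-mobile-project-123123",
  "databaseVersion": "MYSQL_5_7",
  "gceZone": "us-central1-a",
  "region": "us-central1",
  "settings": {
    "availabilityType": "ZONAL",
    "dataDiskSizeGb": "100",
    "dataDiskType": "PD_SSD",
    "ipConfiguration": {"ipv4Enabled": true, "requireSsl": true},
    "tier": "db-n1-standard-1"
  }
}""")

CMK = ("projects/cc-mobile-project-123123/locations/us-central1/keyRings/"
       "cc-cloud-sql-key-ring/cryptoKeys/cc-cloud-sql-db-cmk")

# Cloud KMS cryptoKey resource name; group 1 is the key location.
KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")


def cmek_findings(instance):
    """Audit check: list of problems with the instance's CMEK setup (empty list = compliant)."""
    key = instance.get("diskEncryptionConfiguration", {}).get("kmsKeyName")
    if not key:
        return ["instance is encrypted with a Google-managed key only (no kmsKeyName)"]
    m = KEY_RE.match(key)
    if not m:
        return [f"kmsKeyName is not a Cloud KMS cryptoKey resource name: {key}"]
    if m.group(1) != instance["region"]:
        return [f"key location {m.group(1)} differs from instance region {instance['region']}"]
    return []


def create_args(instance, new_name, kms_key):
    """Map describe output onto the `gcloud sql instances create` flags of step 09."""
    s = instance["settings"]
    args = ["gcloud", "sql", "instances", "create", new_name,
            f"--project={instance['project']}",
            f"--database-version={instance['databaseVersion']}",
            f"--tier={s['tier']}",
            f"--storage-size={s['dataDiskSizeGb']}",
            "--storage-type=" + ("SSD" if s["dataDiskType"] == "PD_SSD" else "HDD"),
            f"--zone={instance['gceZone']}",
            f"--availability-type={s['availabilityType']}"]
    if s["ipConfiguration"].get("ipv4Enabled"):
        args.append("--assign-ip")
    if s["ipConfiguration"].get("requireSsl"):
        args.append("--require-ssl")
    args.append(f"--disk-encryption-key={kms_key}")  # --root-password supplied by the operator
    return args
```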