Ensure that the disks attached to your production Google Compute Engine instances are encrypted with Customer-Supplied Encryption Keys (CSEKs) in order to have complete control over the data-at-rest encryption and decryption process, and meet strict compliance requirements.
By default, Compute Engine service encrypts all data at rest. The cloud service manages this type of encryption without any additional actions from you and your application. However, if you want to fully control and manage instance disk encryption, you can provide your own encryption keys. These custom keys, also known as Customer-Supplied Encryption Keys (CSEKs), are used by Google Compute Engine to protect the Google-generated keys used to encrypt and decrypt your instance data. Compute Engine service does not store your CSEKs on its servers and cannot access your protected data unless you provide the required key.
To determine if your virtual machine (VM) instance disks are encrypted with CSEK, perform the following actions:
Remediation / Resolution
To enable encryption with Customer-Supplied Encryption Keys (CSEKs) for all the disks attached to your business critical Google Compute Engine instances, you have to re-create those instances with the appropriate encryption configuration. To relaunch your VM instances, perform the following actions:Note: You are responsible for generating and managing your Customer-Supplied Encryption Key (CSEK). You must provide a CSEK that is a 256-bit string encoded in RFC 4648 standard base64 to Google Compute Engine service.
- Google Cloud Platform (GCP) Documentation
- Encrypt disks with customer-supplied encryption keys
- Using customer-supplied encryption keys
- CIS Security Documentation
- Securing Google Cloud Computing Platform
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Enable VM Disk Encryption with Customer-Supplied Encryption Keys
Risk level: High