Enable VM Disk Encryption with Customer-Supplied Encryption Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that the disks attached to your production Google Compute Engine instances are encrypted with Customer-Supplied Encryption Keys (CSEKs) in order to have complete control over the data-at-rest encryption and decryption process, and meet strict compliance requirements.

Security

By default, the Compute Engine service encrypts all data at rest. The service manages this encryption without any additional action from you or your application. However, if you want to fully control and manage instance disk encryption, you can provide your own encryption keys. These custom keys, also known as Customer-Supplied Encryption Keys (CSEKs), are used by Google Compute Engine to protect the Google-generated keys that encrypt and decrypt your instance data. The Compute Engine service does not store your CSEKs on its servers and cannot access your protected data unless you provide the required key.


Audit

To determine if your virtual machine (VM) instance disks are encrypted with CSEK, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the production VM instance that you want to examine.

06 Select the Details tab to access the configuration details available for selected instance.

07 In the Boot disk and Additional disks sections, check the encryption type available in the Encryption column for each disk attached to the instance. If the verified disk does not have the Encryption type set to Customer supplied, the data on the selected disk is not encrypted with a Customer-Supplied Encryption Key (CSEK), therefore not all disks attached to your production Google Compute Engine instance are encrypted with CSEKs.

08 Repeat step no. 5 – 7 for each virtual machine (VM) instance created within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-production-instance    us-central1-a
cc-development-instance   us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and zone of the instance that you want to examine as identifier parameter and custom filtering to list the name of each disk (boot or non-boot) attached to the selected instance:

gcloud compute instances describe cc-production-instance
	--zone us-central1-a
	--format="table(disks.deviceName)"

06 The command output should return the name(s) of the disk device(s):

DEVICE_NAME
['cc-production-instance-boot-disk', 'cc-production-instance-data-disk']

07 Run compute disks describe command (Windows/macOS/Linux) using the name of the VM instance disk that you want to examine as identifier parameter and custom query filters to describe the encryption key and type for the selected disk:

gcloud compute disks describe cc-production-instance-boot-disk
	--zone us-central1-a
	--format="json(diskEncryptionKey)"

08 The command output should return the requested encryption key details:

{
  "diskEncryptionKey": {
    "sha256": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd"
  }
}

If the compute disks describe command output does not return a diskEncryptionKey object that contains a sha256 value (the base64-encoded SHA-256 hash of the supplied key), as shown in the example above, the data available on the selected disk is not encrypted with a Customer-Supplied Encryption Key (CSEK).
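The check in steps 07 and 08 can be applied directly to the JSON that gcloud compute disks describe --format=json returns. The following Python is an added example, not part of this page or of the Conformity tool. It classifies each disk by the fields the Compute Engine API actually exposes: a sha256 fingerprint for CSEK disks, a kmsKeyName for disks protected by a Cloud KMS customer-managed key (which are not customer-supplied and therefore also fail this rule), and no diskEncryptionKey at all for Google-managed encryption. The sample disk documents and the KMS key path are constructed; describe_disk simply wraps the gcloud command from step 07.

```python
"""Classify Compute Engine disk encryption from `gcloud ... --format=json` output.

Added example (not part of the Conformity page). Uses the real
diskEncryptionKey field shapes of the Compute Engine API; the sample disk
documents below are constructed stand-ins for live gcloud output.
"""
import json
import subprocess

CSEK, CMEK, GOOGLE_MANAGED = "CSEK", "CMEK", "GOOGLE_MANAGED"


def classify_disk_encryption(disk: dict) -> str:
    """Return CSEK, CMEK or GOOGLE_MANAGED for one disk resource.

    - CSEK disks expose diskEncryptionKey.sha256, the base64 SHA-256 hash of
      the customer-supplied key (the key itself is never returned by the API).
    - Cloud KMS (CMEK) disks expose diskEncryptionKey.kmsKeyName instead; they
      are not customer-supplied and fail this rule.
    - Google-managed disks carry no diskEncryptionKey at all.
    """
    dek = disk.get("diskEncryptionKey") or {}
    if dek.get("sha256"):
        return CSEK
    if dek.get("kmsKeyName"):
        return CMEK
    return GOOGLE_MANAGED


def audit_disks(disks: list) -> list:
    """Return (disk name, encryption class, compliant) tuples; only CSEK passes."""
    report = []
    for disk in disks:
        kind = classify_disk_encryption(disk)
        report.append((disk.get("name", "<unnamed>"), kind, kind == CSEK))
    return report


def non_compliant_names(disks: list) -> list:
    """Names of every disk that is not encrypted with a CSEK."""
    return [name for name, _, ok in audit_disks(disks) if not ok]


def describe_disk(name: str, zone: str, project: str) -> dict:
    """Step 07 of the audit as a live gcloud call, parsed from its JSON output."""
    out = subprocess.check_output(
        ["gcloud", "compute", "disks", "describe", name,
         "--zone", zone, "--project", project, "--format=json"]
    )
    return json.loads(out)


# Constructed sample documents, shaped like `gcloud compute disks describe` output.
SAMPLE_DISKS = [
    {"name": "cc-production-instance-boot-disk",
     "diskEncryptionKey": {"sha256": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd"}},
    {"name": "cc-production-instance-data-disk"},  # no key object: Google-managed
    {"name": "cc-kms-disk",                        # constructed CMEK key path
     "diskEncryptionKey": {"kmsKeyName":
         "projects/PROJECT_ID/locations/us-central1/keyRings/RING/cryptoKeys/KEY"}},
]

if __name__ == "__main__":
    for name, kind, ok in audit_disks(SAMPLE_DISKS):
        print(f"{name:40} {kind:15} {'OK' if ok else 'NOT CSEK'}")
```

To run it against a real project, feed the output of describe_disk(...) for each device name returned in step 06 into audit_disks; a disk reported as CMEK is encrypted, but with a Cloud KMS key rather than one you supplied, so it still counts as non-compliant for this rule.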

09 Repeat step no. 7 and 8 for each disk attached to the selected virtual machine (VM) instance.

10 Repeat steps no. 5 – 9 for each virtual machine instance provisioned for the selected project.

11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable encryption with Customer-Supplied Encryption Keys (CSEKs) for all the disks attached to your business critical Google Compute Engine instances, you have to re-create those instances with the appropriate encryption configuration. To relaunch your VM instances, perform the following actions:

Note: You are responsible for generating and managing your Customer-Supplied Encryption Key (CSEK). You must provide a CSEK that is a 256-bit string encoded in RFC 4648 standard base64 to Google Compute Engine service.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

05 Choose the virtual machine (VM) instance that you want to re-create (see Audit section part I to identify the right resource).

06 Select the Details tab and note all the necessary configuration details available for selected instance.

07 Go back to the navigation panel, select VM instances, then click CREATE INSTANCE to initiate the VM instance setup process.

08 On the Create an instance page, perform the following:

  1. Provide a unique name for the new instance in the Name box.
  2. Click on Management, security, disks, networking, sole tenancy, select the Disks tab, then perform the following actions to enable disk encryption using your own Customer-Supplied Encryption Key (CSEK):
    • In the Boot disk section, under Encryption, select Customer-supplied key option, paste your Customer-Supplied Encryption Key (CSEK) in the Enter key text box, and select Wrapped key to wrap your key with the Compute Engine public key.
    • If the source (non-compliant) VM instance has additional data disks attached, click Add new disk, under Additional disks. On the New disk panel, under Encryption, select Customer-supplied key, paste your own Customer-Supplied Encryption Key (CSEK) in the Enter key text box, and select Wrapped key. Configure the additional disk settings based on the configuration details copied at step no. 6.
  3. Configure the rest of the instance settings based on the configuration information taken at step no. 6.
  4. Click Create to launch your new VM instance.

09 Migrate the data from the source (non-compliant) instance to the newly created VM instance (encrypted with CSEK).

10 To avoid extra charges on your Google Cloud monthly bill, you can remove the source instance from your GCP project. To remove the required instance, perform the following:

  1. In the navigation panel, select VM instances.
  2. Choose the VM instance that you want to remove, then click on the 3-dot button for instance menu options and select Delete to initiate the removal process.
  3. Within the Delete an instance confirmation box, select DELETE to confirm the action and remove the selected instance from your project.

11 Repeat steps no. 5 – 10 to enable encryption with Customer-Supplied Encryption Keys (CSEKs) for other production VM instances created for the selected project.

12 Repeat steps no. 2 – 11 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances describe command (Windows/macOS/Linux) using the name of the virtual machine (VM) instance that you want to re-create as identifier parameter (see Audit section part II to identify the right resource), to describe the configuration metadata available for the selected instance:

gcloud compute instances describe cc-production-instance
	--zone us-central1-a

02 The command output should return the requested configuration information:

cpuPlatform: Intel Haswell
deletionProtection: false
disks:
- autoDelete: true
  boot: true
  deviceName: cc-production-instance
  diskSizeGb: '150'
  guestOsFeatures:
  - type: VIRTIO_SCSI_MULTIQUEUE
  - type: UEFI_COMPATIBLE
  interface: SCSI
  kind: compute#attachedDisk
  mode: READ_WRITE
  source: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-production-instance
  type: PERSISTENT
displayDevice:
  enableDisplay: false

...

kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-production-instance
shieldedInstanceConfig:
  enableIntegrityMonitoring: true
  enableSecureBoot: false
  enableVtpm: true
shieldedInstanceIntegrityPolicy:
  updateAutoLearnPolicy: true
startRestricted: false
status: RUNNING
tags:
  items:
  - http-server
  - https-server
zone: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a

03 Define the Customer-Supplied Encryption Key (CSEK) that you want to use for your instance disk encryption and save it in a JSON file named csek-key.json. The CSEK definition file contains the fully-qualified URI to the resource that the key protects, the corresponding key, and the type of the key, either raw (non-RSA wrapped) or rsa-encrypted:

[
    {
      "uri": "https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-encrypted-production-instance",
      "key": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd",
      "key-type": "raw"
    }
]

04 Run compute instances create command (Windows/macOS/Linux) using the configuration information returned at step no. 2 as configuration parameters and the CSEK definition file created at the previous step (csek-key.json), to create a new Google Compute Engine instance with the appropriate encryption configuration. The following command request example creates a virtual machine (VM) instance named "cc-encrypted-production-instance" in the "us-central1-a" zone, using the n1-standard-8 instance type, the "Red Hat Enterprise Linux 8" machine image, and a boot disk of 150GB configured with a raw Customer-Supplied Encryption Key (CSEK) defined within the csek-key.json configuration file:

gcloud compute instances create cc-encrypted-production-instance
	--project=cc-web-stack-project-123123
	--zone=us-central1-a
	--machine-type=n1-standard-8
	--image-family=rhel-8
	--image-project=rhel-cloud
	--boot-disk-size=150GB
	--csek-key-file csek-key.json
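The note above requires a 256-bit key in RFC 4648 standard base64, and step 03 requires it to be placed in a JSON key file keyed by the disk URI. The following Python is an added example, not part of this page or of Google's tooling: it generates a raw CSEK from the OS random source, validates its length and encoding, builds the csek-key.json entries, and computes the base64 SHA-256 fingerprint that the API later reports in diskEncryptionKey.sha256 for a disk protected by that key (this is the value the audit step 08 shows, and the key itself is never returned). The project, zone and disk names are constructed sample values.

```python
"""Generate a raw CSEK and the csek-key.json file used by `--csek-key-file`.

Added example, not part of the Conformity page or of Google's tooling.
Facts relied on: a raw CSEK is 32 bytes (256 bits) in RFC 4648 standard
base64; the key file is a JSON list of {"uri", "key", "key-type"} entries;
the API later reports base64(SHA-256(raw key)) in diskEncryptionKey.sha256.
Project, zone and disk names below are constructed sample values.
"""
import base64
import hashlib
import json
import secrets

KEY_BYTES = 32  # 256-bit key


def generate_csek() -> str:
    """Fresh 256-bit key from the OS CSPRNG, standard base64 with padding (44 chars)."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_csek(key_b64: str) -> bytes:
    """Decode a base64 CSEK, rejecting bad characters and wrong key lengths."""
    raw = base64.b64decode(key_b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) != KEY_BYTES:
        raise ValueError(f"CSEK must decode to {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def is_valid_csek(key_b64: str) -> bool:
    try:
        decode_csek(key_b64)
        return True
    except ValueError:
        return False


def csek_fingerprint(key_b64: str) -> str:
    """The diskEncryptionKey.sha256 value the audit shows for a disk using this key."""
    return base64.b64encode(hashlib.sha256(decode_csek(key_b64)).digest()).decode("ascii")


def disk_uri(project: str, zone: str, disk: str) -> str:
    return (f"https://compute.googleapis.com/compute/v1/projects/{project}"
            f"/zones/{zone}/disks/{disk}")


def build_csek_entries(disk_keys: list) -> list:
    """disk_keys: [(disk URI, base64 key)] -> list in csek-key.json shape, raw key type."""
    entries = []
    for uri, key in disk_keys:
        decode_csek(key)  # fail here rather than at instance creation time
        entries.append({"uri": uri, "key": key, "key-type": "raw"})
    return entries


def write_csek_key_file(path: str, entries: list) -> None:
    with open(path, "w", encoding="ascii") as fh:
        json.dump(entries, fh, indent=2)


if __name__ == "__main__":
    project, zone = "cc-web-stack-project-123123", "us-central1-a"
    boot_key = generate_csek()
    data_key = generate_csek()
    entries = build_csek_entries([
        (disk_uri(project, zone, "cc-encrypted-production-instance"), boot_key),
        (disk_uri(project, zone, "cc-encrypted-production-data-disk"), data_key),
    ])
    write_csek_key_file("csek-key.json", entries)
    # Record the fingerprints (never the keys) in your key inventory.
    for entry in entries:
        print(entry["uri"].rsplit("/", 1)[1], csek_fingerprint(entry["key"]))
```

The uri in each entry must name the disk that the create command will actually produce; with gcloud compute instances create the boot disk takes the instance's name unless --boot-disk-name is given, which is why the key file at step 03 references cc-encrypted-production-instance. Keep the generated keys in your own key management system: Compute Engine does not store them, so a lost CSEK makes the disk unrecoverable, and the fingerprint is what lets you match a disk seen in the audit back to the key that protects it.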

05 The command output should return the metadata available for the new VM instance:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-encrypted-production-instance].

NAME                              ZONE           MACHINE_TYPE   INTERNAL_IP  EXTERNAL_IP      STATUS
cc-encrypted-production-instance  us-central1-a  n1-standard-8  10.128.0.8   xxx.xxx.xxx.xxx  RUNNING

06 Migrate the data from the source (non-compliant) instance to the newly created VM instance (encrypted with CSEK).

07 To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the required instance, run compute instances delete command (Windows/macOS/Linux) using the name of the source instance that you want to delete as identifier parameter, to remove the selected resource from your GCP project:

gcloud compute instances delete cc-production-instance
	--zone us-central1-a

08 Press Y at the command prompt to confirm the Google Cloud resource removal:

The following instances will be deleted. Any attached disks configured
to be auto-deleted will be deleted unless they are attached to any
other instances or the `--keep-disks` flag is given and specifies them
for keeping. Deleting a disk is irreversible and any data on the disk
will be lost.
 - [cc-production-instance] in [us-central1-a]
Do you want to continue (Y/n)?

09 The command output should return the URL of the deleted virtual machine (VM) instance:

Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

10 Repeat steps no. 1 – 9 to enable encryption with Customer-Supplied Encryption Keys (CSEKs) for other production VM instances created for the selected project.

11 Repeat steps no. 1 – 10 for each GCP project deployed in your Google Cloud account.

Publication date Apr 12, 2021
