Customer-Managed Encryption Key

Overview

The GCP BigQuery connector supports Customer-Managed Encryption Keys (CMEK), which let you strengthen data security by managing your own encryption keys. This gives you greater control over the encryption of datasets stored in BigQuery and adds a layer of protection beyond the default Google-managed keys.

Prerequisites

  • A key ring and key have been created in Cloud KMS.
  • The user must have the Cloud KMS CryptoKey Decrypter permission on the key.

Configuration Steps

Note

  • Changing the CMEK configuration in the BigQuery connector does not affect previously created secure datasets.
  • Secure datasets retain the original CMEK key they were created with, regardless of any later changes to the configuration.
  1. Navigate to Settings -> Applications in the Self-Managed Portal.

  2. Select BigQuery from the list of Connected Applications.

  3. Click the application name or the icon, then open the Access Management -> ADVANCED tab.

  4. To configure the customer-managed key, enter the following value in the field.

    • To enable CMEK encryption for secure view dataset: default_kms_key_name = 'projects/{project-id}/locations/{location}/keyRings/{keyring}/cryptoKeys/{keyname}'

      Note

      Replace {project-id}, {location}, {keyring}, and {keyname} with your actual values.

  5. Click Save to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, replace instance1 with the name of the appropriate connector instance.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/bigquery/instance1/vars.connector.bigquery.yml
    
  3. Add the following properties to set the CMEK configuration for the secure dataset.

    YAML
    CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_PROJECT_NAME: "project-xxx"
    CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_LOCATION: "location"
    CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_KEY_RING_NAME: "keyring"
    CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_KEY_NAME: "keyname"
    

    Note

    Replace project-xxx, location, keyring, and keyname with your actual values.

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select BigQuery.

  3. Click the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. Add the following property under Add New Custom Properties.

    Bash
    secure.view.dataset.options= default_kms_key_name = 'projects/{project-id}/locations/{location}/keyRings/{keyring}/cryptoKeys/{keyname}'
    

    Note

    Replace {project-id}, {location}, {keyring}, and {keyname} with your actual values.

  6. Click Save to apply the changes.
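The four Privacera Manager properties above and the portal's default_kms_key_name value describe the same Cloud KMS key in two forms, and a leftover placeholder ({project-id}, project-xxx) would silently produce an invalid key name. The following pre-flight check is an added example, not part of Privacera's code or this page: it reads the CMEK lines from vars.connector.bigquery.yml text, assembles the resource name, and rejects placeholders or a malformed name before you save. Sample values are constructed, and the character limits in the regex are assumed from Google Cloud naming rules.

```python
import re

# Cloud KMS key resource-name shape from the page; character limits follow GCP naming rules.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<keyring>[A-Za-z0-9_-]{1,63})"
    r"/cryptoKeys/(?P<key>[A-Za-z0-9_-]{1,63})$"
)
PLACEHOLDER_RE = re.compile(r"\{[^}]*\}|xxx")  # {project-id}-style tokens or the "xxx" stand-in
PREFIX = "CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_"
FIELDS = ("PROJECT_NAME", "LOCATION", "KEY_RING_NAME", "KEY_NAME")

def read_cmek_vars(vars_yaml: str) -> dict:
    """Pull the four CMEK properties from vars.connector.bigquery.yml text (no YAML lib needed)."""
    found = {}
    for line in vars_yaml.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.startswith(PREFIX) and key[len(PREFIX):] in FIELDS:
            found[key[len(PREFIX):]] = value.strip("'\"")
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise KeyError(f"missing CMEK properties: {missing}")
    return found

def kms_key_name(cmek: dict) -> str:
    """Assemble the resource name the four Privacera Manager properties expand to."""
    return (f"projects/{cmek['PROJECT_NAME']}/locations/{cmek['LOCATION']}"
            f"/keyRings/{cmek['KEY_RING_NAME']}/cryptoKeys/{cmek['KEY_NAME']}")

def validate_kms_key_name(name: str) -> list:
    """Return a list of problems; an empty list means the value is safe to save."""
    problems = []
    if PLACEHOLDER_RE.search(name):
        problems.append("placeholder values still present")
    if not KMS_KEY_RE.match(name):
        problems.append("not of the form projects/../locations/../keyRings/../cryptoKeys/..")
    return problems

# Constructed sample of the relevant lines in vars.connector.bigquery.yml (not real values).
SAMPLE_VARS = """
CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_PROJECT_NAME: "prod-analytics-123"
CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_LOCATION: "us-central1"
CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_KEY_RING_NAME: "bq-cmek-ring"
CONNECTOR_BIGQUERY_SECURE_VIEW_DATASET_OPTIONS_CMEK_KEY_NAME: "bq-secure-views"
"""
```

The assembled name is exactly what goes inside the quotes of the portal's default_kms_key_name property, so the same validation applies to both configuration paths.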
