Discovery Advanced Configuration

GCP Support for CMEK in K8S Storage, GCP Storage Buckets, and Pub/Sub Topics

Privacera supports encrypted storage in Kubernetes (K8s) using the following variables:

Bash
K8S_PV_KEY: "Cloud Specific Encryption Key"
K8S_PV_ENCRYPTED: "true"

Discovery operations also use Google Cloud Storage and Pub/Sub. Google Cloud supports Customer Managed Encryption Keys (CMEK) for encrypting data at rest. To use CMEK with GCP Storage Buckets and Pub/Sub Topics, configure the variables in the vars.kubernetes.storage.yml file as described below.

Steps to Configure CMEK in K8s for GCP

Copy the vars.kubernetes.storage.yml file from the sample variables directory to your custom variables directory:

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.kubernetes.storage.yml config/custom-vars/
vi config/custom-vars/vars.kubernetes.storage.yml

Add or update the following variables:

Bash
# If the storage is encrypted, uncomment and update the properties with key details
K8S_PV_ENCRYPTED: "true"
# For GCP, provide the CMEK key name in the format:
# projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<cryptoKey>
K8S_PV_KEY: "<PLEASE_CHANGE>"
# Uncomment this variable to use the GCP storage provisioner supporting CMEK
K8S_STORAGE_PROVISIONER: "pd.csi.storage.gke.io"

Configure CMEK for GCP Storage Buckets and Pub/Sub Topics

By default, Discovery uses K8S_PV_KEY to encrypt data at rest in GCP Storage Buckets and Pub/Sub Topics. If you want to use different keys for these services, modify the vars.discovery.gcp.yml file:

Copy the vars.discovery.gcp.yml file from the sample variables directory to your custom variables directory:

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.gcp.yml config/custom-vars/
vi config/custom-vars/vars.discovery.gcp.yml

Add or update the following variables:

Bash
# Support for Google CMEK in GCS storage and Pub/Sub topic creation
DISCOVERY_GCP_BUCKET_CMEK_KEY: "{{K8S_PV_KEY}}"
DISCOVERY_GCP_PUB_SUB_CMEK_KEY: "{{K8S_PV_KEY}}"

Note

  • Ensure that the specified CMEK keys exist and are accessible to the Privacera components running in the GCP environment.
  • The CMEK format for GCP should follow this pattern: projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<cryptoKey>.
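As an added pre-flight check (example code written for this page, not part of the Privacera documentation or product), the following Python script parses the variable lines from the two vars files, follows a `{{K8S_PV_KEY}}` reference the way the defaults above chain the bucket and Pub/Sub keys to the volume key, and validates every resolved value against the resource-name pattern from the note. The file contents, project, key ring and key names are constructed. It checks only the shape of the names and that no `<PLEASE_CHANGE>` placeholder was left behind; whether the keys exist and whether the workload's service account may use them still has to be verified in GCP.

```python
import re

# GCP KMS crypto-key resource name, as given in the note above.
CMEK_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/"
    r"keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<crypto_key>[^/]+)$"
)
# A value that is nothing but a {{OTHER_VAR}} reference.
TEMPLATE_RE = re.compile(r"^\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")

CMEK_VARS = ("K8S_PV_KEY", "DISCOVERY_GCP_BUCKET_CMEK_KEY", "DISCOVERY_GCP_PUB_SUB_CMEK_KEY")

# Constructed sample: a storage file and a discovery file concatenated, with the
# Pub/Sub topics deliberately using a second key (all names are made up).
GOOD_VARS = """
K8S_PV_ENCRYPTED: "true"
K8S_PV_KEY: "projects/demo-project/locations/us-central1/keyRings/demo-ring/cryptoKeys/pv-key"
K8S_STORAGE_PROVISIONER: "pd.csi.storage.gke.io"
# Support for Google CMEK in GCS storage and Pub/Sub topic creation
DISCOVERY_GCP_BUCKET_CMEK_KEY: "{{K8S_PV_KEY}}"
DISCOVERY_GCP_PUB_SUB_CMEK_KEY: "projects/demo-project/locations/us-central1/keyRings/demo-ring/cryptoKeys/topic-key"
"""

# Constructed sample of a file edited only half-way: placeholder left in place.
BAD_VARS = """
K8S_PV_ENCRYPTED: "true"
K8S_PV_KEY: "<PLEASE_CHANGE>"
DISCOVERY_GCP_BUCKET_CMEK_KEY: "{{K8S_PV_KEY}}"
DISCOVERY_GCP_PUB_SUB_CMEK_KEY: "demo-ring/topic-key"
"""


def parse_vars(text):
    """Parse the simple 'KEY: "value"' lines used by the vars files.

    Comment and blank lines are skipped; surrounding quotes are removed.
    This is a minimal reader for the flat key/value form shown on the page,
    not a general YAML parser.
    """
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def resolve(vars_, name, seen=frozenset()):
    """Return the final value of a variable, following {{OTHER_VAR}} references."""
    if name in seen:
        raise ValueError(f"circular reference at {name}")
    value = vars_.get(name)
    if value is None:
        return None
    ref = TEMPLATE_RE.match(value)
    if ref:
        return resolve(vars_, ref.group(1), seen | {name})
    return value


def check_cmek_config(vars_):
    """Map each CMEK-related variable to a problem string, or None when it is fine."""
    results = {}
    for name in CMEK_VARS:
        value = resolve(vars_, name)
        if value is None:
            results[name] = "not set"
        elif value == "<PLEASE_CHANGE>":
            results[name] = "placeholder left in place"
        elif not CMEK_KEY_RE.match(value):
            results[name] = "not a projects/.../cryptoKeys/... resource name"
        else:
            results[name] = None
    # Encrypted volumes need the flag and the CMEK-capable provisioner from the page.
    results["K8S_PV_ENCRYPTED"] = (
        None if vars_.get("K8S_PV_ENCRYPTED", "").lower() == "true" else "not set to true"
    )
    results["K8S_STORAGE_PROVISIONER"] = (
        None if vars_.get("K8S_STORAGE_PROVISIONER") == "pd.csi.storage.gke.io"
        else "not the CMEK-capable GCP provisioner"
    )
    return results


if __name__ == "__main__":
    for label, text in (("good", GOOD_VARS), ("bad", BAD_VARS)):
        for var, problem in check_cmek_config(parse_vars(text)).items():
            print(f"{label}: {var}: {problem or 'ok'}")
```

Run it against the merged contents of your own custom-vars files before `privacera-manager` applies them; any line that does not report `ok` is a variable that would produce an unencrypted volume or a bucket/topic creation failure.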