Skip to content

Configure CMEK in GCP

Privacera supports Customer Managed Encryption Keys (CMEK) for encrypting data at rest in GCP Storage Buckets and Pub/Sub Topics. This section provides steps to configure CMEK in Kubernetes for GCP.

Prerequisites

  • Discovery is installed and running.
  • CMEK keys
  • CMEK keys for GCS and Pub/Sub (optional)

Note

  • Ensure that the specified CMEK keys exist and are accessible to the Privacera components running in the GCP environment.
  • The CMEK format for GCP should follow this pattern: projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<cryptoKey>.

Setup

Go to the Privacera Manager host and navigate to the Privacera Manager installation directory:

Bash
1
2
3
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.kubernetes.storage.yml config/custom-vars/
vi config/custom-vars/vars.kubernetes.storage.yml

Add or update the following variables:

Bash
1
2
3
4
5
6
7
# If the storage is encrypted, uncomment and update the properties with key details
K8S_PV_ENCRYPTED: "true"
# For GCP, provide the CMEK key name in the format:
# projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<cryptoKey>
K8S_PV_KEY: "<PLEASE_CHANGE>"
# Uncomment this variable to use the GCP storage provisioner supporting CMEK
K8S_STORAGE_PROVISIONER: "pd.csi.storage.gke.io"

Custom CMEK Keys for GCS & Pub/Sub

This step is optional

By default, Discovery uses K8S_PV_KEY to encrypt data at rest in GCP Storage Buckets and Pub/Sub Topics. If you want to use different keys for these services, modify the vars.discovery.gcp.yml file:

Copy the vars.discovery.gcp.yml file from the sample variables directory to your custom variables directory:

Bash
1
2
3
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.gcp.yml config/custom-vars/
vi config/custom-vars/vars.discovery.gcp.yml

Add or update the following variables:

Bash
1
2
3
# Support for Google CMEK in GCS storage and Pub/Sub topic creation
DISCOVERY_GCP_BUCKET_CMEK_KEY: "{{K8S_PV_KEY}}"
DISCOVERY_GCP_PUB_SUB_CMEK_KEY: "{{K8S_PV_KEY}}"

Restart Privacera Services

Bash
1
2
3
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade