Profile Applicability:

Level 2

Description:

Google Cloud enables customers to encrypt VM disks using Customer-Supplied Encryption Keys (CSEK). These keys allow users to manage their own encryption and decryption processes, ensuring control over sensitive data rather than relying exclusively on Google-managed encryption. This practice is particularly critical for safeguarding sensitive virtual machines (VMs), meeting stringent security and compliance requirements.

Rationale:

By default, Google encrypts data at rest using its own managed keys. While convenient, this gives Google control over encryption. CSEK allows users to retain control, ensuring that only authorized personnel with the correct keys can access encrypted data. However, if the CSEK is lost or forgotten, the data becomes irretrievable, providing additional security by eliminating unauthorized access.

Impact:

If a customer-supplied encryption key is lost, the associated encrypted data cannot be recovered. Therefore, users must follow robust key management practices to avoid data loss.

Default Value:

By default, VM disks are encrypted using Google-managed keys and not Customer-Supplied Encryption Keys.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to Compute Engine > Disks: https://console.cloud.google.com/compute/disks.

                               

  1. Select the disk linked to the critical VM.

                   

  1. Verify that the Encryption Type is set to Customer Supplied.

                               

Using Google Cloud CLI:

Run the following command to check the encryption details of a disk:

gcloud compute disks describe <DISK_NAME> --zone <ZONE> --format="json(diskEncryptionKey,name)"

  1. Ensure that the diskEncryptionKey property is present and contains a valid sha256 key.

Remediation Steps:

From Google Cloud Console:

  1. Navigate to Compute Engine > Disks: https://console.cloud.google.com/compute/disks.

                       

  1. Click Create Disk.

               

  1. Set the Encryption Type to Customer Supplied.

               

  1. Enter the required encryption key in the designated field.

             

  1. Click Create to finalize the process.

             

From Google Cloud CLI:

To create a new disk with CSEK during VM instance creation:

gcloud compute instances create <INSTANCE_NAME> --csek-key-file <KEY_FILE.json>

To create a standalone disk encrypted with a customer-supplied key:

gcloud compute disks create <DISK_NAME> --csek-key-file <KEY_FILE.json>

References:

  1. Google Compute Disk API Reference

Additional Information:

  • Key Management Responsibility: Customers must securely store and manage their encryption keys, as Google does not retain them. Lost keys result in irretrievable data.

  • Key Format: Keys must be 256-bit strings encoded in RFC 4648 base64.

Example Key File:

[
  {
    "uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/example-disk",
    "key": "acXTX3rxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY-c=",
    "key-type": "raw"
  }
]

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

3.11 Encrypt Sensitive Data at Rest

Encrypt sensitive data at rest, including on servers, applications, and databases.


14.8 Encrypt Sensitive Information at Rest

Use encryption to secure sensitive information stored at rest.