Customer-managed encryption keys (CMEK)

Customer-managed encryption keys (CMEK) let you protect your Backup and DR Service data with a cryptographic key that you control through Cloud Key Management Service (Cloud KMS). With CMEK, you manage the key in Cloud KMS and control who can use it by managing Identity and Access Management permissions on the key. If you temporarily disable or permanently destroy the key, data protected by that key becomes inaccessible.

Backup and DR Service uses CMEK to protect backup data stored in backup vaults.

You can configure CMEK on a backup vault only when you create it. You cannot enable or disable CMEK on an existing backup vault.

For more information about CMEK in general, see Customer-managed encryption keys (CMEK).

Permissions required to use CMEK

Before you begin using CMEK, you need to:

  1. Enable the Cloud Key Management Service API in the project that will store your CMEK keys.

  2. Create a Cloud Key Management Service key ring and key. When creating your key, ensure that you select a location that matches the location of your backup vault. A backup vault in a region must use a key from the same region. A multi-regional backup vault must use a key from the same multi-region.

  3. If not already created, create the Backup and DR Service service agent identity. The service agent is automatically created after the first backup vault is created in a project. If you need to grant permissions to the service agent before creating a backup vault, you can trigger its creation with the following command:

    gcloud beta services identity create --service=backupdr.googleapis.com --project=PROJECT_ID
    
    Replace PROJECT_ID with the ID of your project.

When you enable CMEK for a backup vault, Backup and DR Service needs permission to use your CMEK key to encrypt and decrypt data. This permission must be granted to the Backup and DR Service service agent.

It's important to distinguish between two different service accounts used by Backup and DR Service:

  • Backup and DR Service service agent: This is a project-level service account used for managing Backup and DR Service resources and for accessing Cloud Key Management Service keys when CMEK is enabled on a backup vault. This is the service agent that requires the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the CMEK key.
  • Backup vault service account: This is a unique, per-vault service account that you grant permissions to access and back up source workloads (such as Compute Engine instances). This service account is not used for CMEK encryption of data within the backup vault.

To use CMEK with Backup and DR Service, grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the key to the Backup and DR Service service agent. This service agent is a service account that Backup and DR Service uses to access resources on your behalf, including your Cloud KMS key during encryption and decryption operations. That role is sufficient: it permits encrypt and decrypt calls on the key but no key administration, so there is no reason to grant the service agent a broader Cloud KMS role.

The Backup and DR Service service agent is named in the following format:

service-VAULT_PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com

Replace VAULT_PROJECT_NUMBER with the project number of the project containing your backup vault.

You can grant this role at the time of backup vault creation using the Google Cloud console if you have permissions to grant IAM roles, or you can grant it ahead of time using the gcloud kms keys add-iam-policy-binding command:

gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location=KMS_LOCATION \
    --keyring=KEY_RING \
    --member=serviceAccount:service-VAULT_PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
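The steps above, carried through end to end as one script. This is an added example, not code from the original page or from Google; the project IDs, key ring, key name, vault location and the optional EXISTING_KEY resource name are assumptions you override through the environment. The helpers derive the service agent address from the project number (not the project ID) and refuse a key whose Cloud KMS location does not equal the vault location, which is the mismatch that would otherwise surface only when vault creation fails.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: prepare a Cloud KMS key for a
# new Backup and DR backup vault and grant the Backup and DR service agent
# the Encrypter/Decrypter role on it. Project IDs, ring, key and location
# names are placeholders (assumptions); override them via the environment.
set -eu

VAULT_PROJECT_ID="${VAULT_PROJECT_ID:-my-vault-project}"   # assumed
KMS_PROJECT_ID="${KMS_PROJECT_ID:-my-kms-project}"         # assumed; may equal the vault project
VAULT_LOCATION="${VAULT_LOCATION:-us-central1}"            # assumed region of the vault
KEY_RING="${KEY_RING:-backupdr-ring}"                      # assumed
KEY_NAME="${KEY_NAME:-backup-vault-key}"                   # assumed
EXISTING_KEY="${EXISTING_KEY:-}"                           # optional full key resource name to reuse

# The service agent is derived from the vault project's NUMBER, not its ID.
backupdr_service_agent() {
  printf 'service-%s@gcp-sa-backupdr.iam.gserviceaccount.com' "$1"
}

# Extract the location segment of a key resource name:
#   projects/P/locations/L/keyRings/R/cryptoKeys/K  ->  L
key_location_from_resource() {
  printf '%s' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/.*#\1#p'
}

# A regional vault needs a key in the same region and a multi-regional vault
# a key in the same multi-region, so the Cloud KMS location must equal the
# vault location exactly ("us-central1" vs "us" is a mismatch).
key_location_matches() {
  [ "$1" = "$2" ]
}

setup_cmek_for_vault() {
  project_number=$(gcloud projects describe "$VAULT_PROJECT_ID" \
      --format='value(projectNumber)')
  agent=$(backupdr_service_agent "$project_number")

  # Step 1: Cloud KMS API in the project that holds the key.
  gcloud services enable cloudkms.googleapis.com --project="$KMS_PROJECT_ID"

  # Step 2: key ring and key in the vault's location, or validate a reused key.
  if [ -n "$EXISTING_KEY" ]; then
    key_loc=$(key_location_from_resource "$EXISTING_KEY")
    if ! key_location_matches "$VAULT_LOCATION" "$key_loc"; then
      echo "key location '$key_loc' does not match vault location '$VAULT_LOCATION'" >&2
      return 1
    fi
    key_ref="$EXISTING_KEY"
  else
    gcloud kms keyrings describe "$KEY_RING" --location="$VAULT_LOCATION" \
        --project="$KMS_PROJECT_ID" >/dev/null 2>&1 \
      || gcloud kms keyrings create "$KEY_RING" --location="$VAULT_LOCATION" \
             --project="$KMS_PROJECT_ID"
    gcloud kms keys create "$KEY_NAME" --keyring="$KEY_RING" \
        --location="$VAULT_LOCATION" --purpose=encryption \
        --project="$KMS_PROJECT_ID"
    key_ref="projects/$KMS_PROJECT_ID/locations/$VAULT_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME"
  fi

  # Step 3: make sure the service agent exists before the first vault is created.
  gcloud beta services identity create --service=backupdr.googleapis.com \
      --project="$VAULT_PROJECT_ID"

  # Step 4: grant only the Encrypter/Decrypter role, scoped to this one key.
  gcloud kms keys add-iam-policy-binding "$key_ref" \
      --member="serviceAccount:${agent}" \
      --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  echo "granted roles/cloudkms.cryptoKeyEncrypterDecrypter on $key_ref to $agent"
}

# gcloud calls run only with an explicit "apply"; the helpers are side-effect free.
if [ "${1:-}" = "apply" ]; then
  setup_cmek_for_vault
fi
```

Run it as `VAULT_PROJECT_ID=... KMS_PROJECT_ID=... VAULT_LOCATION=... ./cmek-setup.sh apply`, or set EXISTING_KEY to a full cryptoKey resource name to skip creation and only validate the location and add the binding. The binding is placed on the individual key rather than the key ring or project, which is the narrowest scope the service agent needs.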

Permissions for backing up CMEK-protected resources

If you are backing up a resource that is itself encrypted with a different CMEK key, such as a Compute Engine instance with CMEK-encrypted disks, additional permissions are required. The service agent of the source resource's service needs permission to use the key(s) protecting the source resource. For example, to back up a CMEK-encrypted Compute Engine instance, the Compute Engine Service Agent of the source instance's project must have the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the Cloud Key Management Service key(s) used to encrypt the instance's disks. In most cases, this permission is already in place for the source workload to be operational.

Cloud Key Management Service key rotation and backup restorability

Backup and DR Service backups rely on the availability of the Cloud Key Management Service key. If the key is disabled or destroyed, or if the service agent loses its permission on the key, Backup and DR Service might not be able to access resources protected by that key.

If Backup and DR Service cannot access your CMEK key:

  • New backups to the CMEK-enabled backup vault fail.
  • Restores from the CMEK-enabled backup vault fail.
  • You cannot create new backup vaults that use the unavailable key.

If you have disabled a key that was used for backups, re-enabling it restores access to the backup data. If you have destroyed a key version, any backups encrypted with that key version are permanently lost. Rotating the key does not have this effect: rotation creates a new primary key version, and earlier versions stay enabled and are still used to decrypt the backups written under them, so keep those versions enabled for as long as the backups they protect are retained.
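A check for the two failure conditions described in this section, the service agent losing its binding and key versions being disabled or destroyed, as an added example that is not part of the original page. It takes the output of `gcloud kms keys get-iam-policy --format=json` and `gcloud kms keys versions list --format='value(name,state)'` as text, so it runs here against constructed samples (the policy, version listing, project number and key names are all invented); pass `live` and the assumed environment variables to run it against a real key.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: check whether Backup and DR can
# still use a vault's CMEK key. The checks take gcloud output as text, so they
# run here against constructed samples; pass "live" to fetch real output.
set -eu

# Constructed sample of `gcloud kms keys get-iam-policy KEY --format=json`.
SAMPLE_POLICY='{"bindings":[{"members":["serviceAccount:service-123456789012@gcp-sa-backupdr.iam.gserviceaccount.com"],"role":"roles/cloudkms.cryptoKeyEncrypterDecrypter"},{"members":["user:alice@example.com"],"role":"roles/cloudkms.viewer"}],"etag":"BwX1","version":1}'

# Constructed sample of `gcloud kms keys versions list --format='value(name,state)'`
# (one "name<TAB>state" per line): version 2 was disabled and 3 destroyed.
SAMPLE_VERSIONS=$(printf 'projects/p/locations/us-central1/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1\tENABLED\nprojects/p/locations/us-central1/keyRings/r/cryptoKeys/k/cryptoKeyVersions/2\tDISABLED\nprojects/p/locations/us-central1/keyRings/r/cryptoKeys/k/cryptoKeyVersions/3\tDESTROYED')

# Does policy $1 grant role $3 to member $2? Whitespace is stripped and the
# JSON is split on '{' so each binding lands on its own line. This matches
# gcloud's layout for unconditional bindings; it is not a general JSON parser.
policy_grants_role() {
  hits=$(printf '%s' "$1" | tr -d ' \n\t' | tr '{' '\n' \
           | grep -F "\"role\":\"$3\"" | grep -F "\"$2\"" || true)
  [ -n "$hits" ]
}

# Map every version to a verdict. A DISABLED version can be re-enabled and the
# backups come back; DESTROYED (or DESTROY_SCHEDULED) means backups written
# under that version are lost (or about to be).
classify_versions() {
  printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name state; do
    [ -n "$name" ] || continue
    case "$state" in
      ENABLED)           verdict=ok ;;
      DISABLED)          verdict=recoverable_by_reenabling ;;
      DESTROY_SCHEDULED) verdict=backups_about_to_be_lost ;;
      DESTROYED)         verdict=backups_lost ;;
      *)                 verdict=unknown ;;
    esac
    printf '%s %s %s\n' "${name##*/}" "$state" "$verdict"
  done
}

# Returns 0 when service agent $3 holds the role on policy $1 and every
# version in listing $2 is ENABLED, 1 otherwise; findings go to stdout.
cmek_usable() {
  rc=0
  if ! policy_grants_role "$1" "serviceAccount:$3" \
         roles/cloudkms.cryptoKeyEncrypterDecrypter; then
    echo "MISSING binding: $3 lacks roles/cloudkms.cryptoKeyEncrypterDecrypter"
    rc=1
  fi
  bad=$(classify_versions "$2" | grep -v ' ok$' || true)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    rc=1
  fi
  return "$rc"
}

if [ "${1:-}" = "live" ]; then
  # Placeholders (assumptions); override via the environment.
  KMS_PROJECT_ID="${KMS_PROJECT_ID:-my-kms-project}"
  KMS_LOCATION="${KMS_LOCATION:-us-central1}"
  KEY_RING="${KEY_RING:-backupdr-ring}"
  KEY_NAME="${KEY_NAME:-backup-vault-key}"
  VAULT_PROJECT_NUMBER="${VAULT_PROJECT_NUMBER:-123456789012}"
  policy=$(gcloud kms keys get-iam-policy "$KEY_NAME" --keyring="$KEY_RING" \
      --location="$KMS_LOCATION" --project="$KMS_PROJECT_ID" --format=json)
  versions=$(gcloud kms keys versions list --key="$KEY_NAME" --keyring="$KEY_RING" \
      --location="$KMS_LOCATION" --project="$KMS_PROJECT_ID" \
      --format='value(name,state)')
  cmek_usable "$policy" "$versions" \
      "service-${VAULT_PROJECT_NUMBER}@gcp-sa-backupdr.iam.gserviceaccount.com"
fi
```

Against the constructed sample the script reports version 2 as recoverable by re-enabling and version 3 as lost, which is exactly the distinction this section draws: re-enabling a disabled version brings the backups back, destruction does not. The exit status makes it usable as a pre-restore gate or a periodic check in a pipeline.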

Pricing

Backup and DR Service does not charge any additional fees for using CMEK. However, you are charged for the use of your keys in Cloud Key Management Service. For more information, see Cloud Key Management Service pricing.