Security best practices

This page describes best practices for securing your Google Distributed Cloud installation.

Physical hardware security

You are responsible for the physical security of the Distributed Cloud connected hardware, such as limiting access to authorized personnel.

Platform security

The Distributed Cloud connected hardware platform has the following security features:

• Physical intrusion sensor. If an unauthorized party physically opens the machine, you and Google are immediately notified of the physical intrusion.

• Trusted Platform Module (TPM). The TPM is the root of trust that generates and stores encryption keys for all data stored on as well as received and transmitted by Distributed Cloud connected.

• Platform certificate. The platform certificate is a cryptographically secure record of manufacturing and TPM identity. The certificate acts as proof of supply chain integrity for Distributed Cloud connected hardware.

• Port lockdown. All external and internal ports other than Ethernet ports, such as USB and RS-232 console ports are disabled at the firmware level and only enabled for servicing.

Local storage security

Distributed Cloud connected hardware ships with Self-Encrypting Disk (SED) drives and uses Linux Unified Key Setup (LUKS) to encrypt the logical volumes on each Distributed Cloud connected node. You have the option to use customer-managed encryption keys (CMEK) or Google-owned and managed keys to wrap the LUKS disk encryption key (DEK).

When you assign a node to a node pool, the node generates a LUKS DEK and wraps it in either a Google-managed LUKS passphrase, also known as the key encryption key (KEK), or one provided by you through Cloud KMS. You can choose whether to use Cloud KMS when creating a node pool. Distributed Cloud connected integrates with Cloud KMS by using the envelope encryption model.

Distributed Cloud connected automatically rotates the LUKS and SED passphrases on a regular schedule.

Additionally, each Distributed Cloud connected machine does the following on every cold start:

• If you are not using Cloud KMS, the machine generates a new KEK (LUKS passphrase) and sets up encrypted storage from the beginning.

• If you are using Cloud KMS, the machine fetches the KEK from Cloud KMS and unlocks the existing logical volumes that hold your data.

Configure support for customer-managed encryption keys (CMEK) for local storage

By default, Google Distributed Cloud connected encrypts customer content at rest. Distributed Cloud connected handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Distributed Cloud connected. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Distributed Cloud connected resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

To enable Cloud KMS integration with Distributed Cloud connected, complete the following steps:

1. Create a keyring, a symmetric key, and one or more key versions to use with Distributed Cloud connected. You must create these artifacts in the same Google Cloud region as your Distributed Cloud connected installation. For instructions, see Create a key.

2. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Distributed Cloud connected Service Account in your Google Cloud project. You must do this for each key version that you want to use with Distributed Cloud connected. If you revoke this role after you integrate your Distributed Cloud connected installation with Cloud KMS, you lose access to data stored on the Distributed Cloud connected machines.

3. Create a node pool by using the --local-disk-kms-key flag, and provide the full path to the key version that you want to use with that node pool.

4. Create a cluster by using the --control-plane-kms-key flag, and provide the full path to the key version that you want to use with the node running the cluster's control plane.

5. Optionally, use the --offline-reboot-ttl flag when creating your cluster to specify a time window during which nodes that have been rebooted can rejoin the cluster while the cluster is running in survivability node. If you don't specify this window, rebooted nodes cannot rejoin the cluster until it exits survivability mode.

   CAUTION: If you specify a reboot timeout window, nodes that have gone offline can reboot and rejoin the cluster even if you disable or delete the storage key for the specified time.

To revert a cluster or a node pool to use a Google-owned and Google-managed encryption key, use the --use-google-managed-key flag as described in one of the following:

• Modify a cluster
• Modify a node pool

For more information, see Customer-managed encryption keys (CMEK) in the Cloud KMS documentation.

Data recovery and backups

You are responsible for maintaining functioning redundant backups of all the data that you choose to store on Distributed Cloud connected hardware and exporting that data when you choose to return Distributed Cloud connected hardware to Google or the Google-certified System Integrator (SI) that sold you the hardware.

If a failure of Distributed Cloud connected hardware occurs and Google or a Google-certified SI performs on-site repairs, all storage media is removed from the Distributed Cloud connected machine being serviced and is either placed into your custody for the duration of the repair or securely wiped and then sent for destruction.

If you purchased the Distributed Cloud hardware from a Google-certified SI and are no longer using Distributed Cloud but chose to keep and repurpose the hardware, the SI will wipe all Google software and your data from the Distributed Cloud hardware during decommissioning.

Network security

Network traffic between Distributed Cloud connected hardware and Google Cloud is encrypted using either MASQUE tunnels or TLS that use per-machine certificates. Distributed Cloud connected automatically rotates these certificates on a regular schedule.

Your business requirements and your organization's network security policy dictate the steps necessary to secure network traffic that flows in and out of your Distributed Cloud connected installation. In addition, we recommend the following:

• Allow only inbound connections to virtual IP address pools exposed by the Distributed Cloud connected built-in load balancer and to Distributed Cloud subnetworks.

• Disallow inbound connections from external network resources to subnetworks that serve the system management and service management layers.

• Disallow inbound connections from external network resources to IP addresses of local control plane endpoints. For more information, see Survivability mode.

For more information about how to prepare your local network for connecting Distributed Cloud hardware, see Networking.

What's next

• Ensure high availability for your Distributed Cloud connected installation