Encrypt workstation resources using CMEK

By default, Cloud Workstations uses a Google-managed encryption key to encrypt workstation resources such as VMs and persistent disks when data is at rest. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) using Cloud Key Management Service (Cloud KMS).

For more information about CMEK in general, including when and why to enable it, see the Cloud KMS documentation.

Before you begin

Create your projects

In the Google Cloud console, on the project selector page, select or create two Google Cloud projects:
- A key project contains your Cloud KMS resources, including a key ring and a symmetric encryption key.
- A workstations project contains workstations that are encrypted with a CMEK key.
You can use the same project for your key project and workstations project, but as a best practice, we recommend that you use two projects for separation of duties.

Note: If you don't plan to keep the resources that you create in this procedure, create new projects instead of selecting existing projects. After you finish these steps, you can delete the projects, removing all resources associated with both projects.
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
Enable the required APIs in each project.
- In your key project, make sure that you have enabled the Cloud KMS API.
  
  Enable Cloud KMS API
- In your workstations project, make sure that you have enabled Cloud KMS and Cloud Workstations APIs.
  
  Enable Cloud KMS and Cloud Workstations APIs
Make sure that you install and initialize the gcloud CLI. To initialize the gcloud CLI, run the following command:
```
gcloud init
```

Required roles

Although you can grant Cloud KMS Admin and Cloud Workstations Admin roles to the same person, we recommend that you follow the principle of least privilege when assigning roles. As a best practice, grant these roles to two separate people and have them coordinate, rather than ask your Cloud KMS to also be your Cloud Workstations Admin. For more information, see security best practices and using IAM securely.

To get the permissions that you need to set up CMEK, ask your administrator to grant you the following IAM roles:

If you are the Cloud KMS Admin, ask your administrator to grant you the following role so that you can create and manage Cloud KMS resources: Cloud KMS Admin (roles/cloudkms.admin) on your key project.
If you are the Cloud Workstations Admin, ask your administrator to grant you the following role so that you can create and update workstations: Cloud Workstations Admin (roles/workstations.admin) on your workstations project.

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create key ring and encryption key

In your key project, create a key and save the resource ID of the key:

Create or select a key ring.

You can share key rings between services, but as a best practice, we recommend that you use a different key for each protected resource. See separation of duties.
Create a symmetric encryption key.

Make sure that you create your CMEK key and workstation configuration in the same region.
Get the resource ID of the key and save this for a later step.

Check for workstation configurations

If you don't have workstation configurations available in the Google Cloud console, ask your Cloud Workstations Admin to create a workstation configuration for you, or make sure that you have a Cloud Workstations Admin IAM role on the project so that you can create these resources yourself.

Use customer-managed encryption keys

To use a CMEK in a workstation configuration, turn on CMEK from the Google Cloud console or gcloud CLI.

Console

Grant your Compute Engine service account and your Compute Engine service agent the Cloud KMS CryptoKey Encrypter/Decrypter role and the Cloud KMS Viewer role:

In the Google Cloud console, go to the Key management page.

Go to Key management
Click the name of the key ring that contains the key.
Select the checkbox for the key that you want to use.

The Permissions tab appears as a pane.
In the Add members dialog, specify the email address of the Compute Engine service account and Compute Engine service agent you are granting access.
In the Select a role drop down, select Cloud KMS CryptoKey Encrypter/Decrypter.
Click Add another role.
In the Select a role drop down, select Cloud KMS Viewer.
Click Save.

To enable CMEK from the Google Cloud console:

Follow the steps to Create a workstation configuration.
When specifying your machine configuration, look for the Advanced options section.
Click expand_more Expand More and select Use customer-managed encryption key (CMEK).
1. In the Select a customer-managed key field, select the customer-managed encryption key that you created in your key project.
  
  If the key that you created isn't listed, click Enter key manually to select the key by resource ID, and then enter the resource ID you noted previously.
2. In the Service account field, select the service account used by the key.
Complete the other steps to create your workstation configuration.
Create, start, and launch the workstation configuration, to encrypt the persistent disks in your project with the specified Cloud KMS key.

gcloud

The following example grants an IAM role that provides access to a Cloud KMS key and then enables CMEK by specifying that key in the workstation configuration:

Grant the KMS service account and the Compute Engine service agent for your workstations project the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK key. This allows the Compute Engine service to create encrypted resources in your project, using the specified CMEK key.
```
  gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location LOCATION \
    --keyring KEY_RING \
    --member serviceAccount:WORKSTATIONS_PROJECT_NUMBER-compute@developer.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --project KMS_PROJECT_ID

  gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location LOCATION \
    --keyring KEY_RING \
    --member serviceAccount:service-WORKSTATIONS_PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --project KMS_PROJECT_ID
```
Replace the following:
- KEY_NAME: the name of your key.
- LOCATION: the region name where you created your key ring.
- KEY_RING: the name of your key ring.
- WORKSTATIONS_PROJECT_NUMBER: the automatically generated, unique numeric identifier that is included as the first part of the Compute Engine default service account of the workstations project.
- KMS_PROJECT_ID: project ID, a unique string used to differentiate your Cloud KMS project from all others in Google Cloud.
For information on all flags and possible values, run the command with the --help flag.
To retrieve the workstations management service account for your workstation project, use the following command:
```
gcloud beta services identity create --service=workstations.googleapis.com \
    --project=WORKSTATIONS_PROJECT_ID
```
Replace WORKSTATIONS_PROJECT_ID with your workstations project ID.

Note: the workstations management service account uses the following format:
service-$WORKSTATIONS_PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com.
Grant the workstations management service account for your project the Cloud KMS Viewer role (roles/cloudkms.viewer) on the CMEK key. This allows the workstation service to detect key rotation and re-encrypt resources, as needed in your project.
```
gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location LOCATION \
    --keyring KEY_RING \
    --member WORKSTATIONS_MANAGEMENT_SERVICE_ACCOUNT \
    --role roles/cloudkms.viewer \
    --project KMS_PROJECT_ID
```
Replace the following:
- KEY_NAME: the name of your key.
- LOCATION: the region name where you created your key ring.
- KEY_RING: the name of your key ring.
- WORKSTATIONS_MANAGEMENT_SERVICE_ACCOUNT: the workstations management service account obtained from the above step.
- KMS_PROJECT_ID: the project ID, a unique string used to differentiate your Cloud KMS key project from all others in Google Cloud.
For information on all flags and possible values, run the command with the --help flag.
Optional: if you have not yet created a workstation cluster, create one using the clusters create gcloud CLI command.
```
gcloud workstations clusters create \
    WORKSTATIONS_CLUSTER_NAME --region=LOCATION \
    --project=WORKSTATIONS_PROJECT_NUMBER
```
Replace the following:
- WORKSTATIONS_CLUSTER_NAME: the name of the workstation cluster.
- LOCATION: the region name for your workstation cluster.
- WORKSTATIONS_PROJECT_NUMBER: the automatically generated, unique numeric identifier that is included as the first part of the Compute Engine default service account of the workstations project
Assuming that you have already created a cluster, create a workstation configuration with encryption_key settings.

To create a workstation configuration with machine type e2-standard-2, idle timeout of 3600s, and CMEK encrypted workstation resources, run the following gcloud CLI command:
```
gcloud workstations configs create WORKSTATIONS_CONFIG_NAME \
  --cluster=WORKSTATIONS_CLUSTER_NAME \
  --region=LOCATION \
  --machine-type="e2-standard-2" \
  --idle-timeout=3600 \
  --kms-key="projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
  --kms-key-service-account="WORKSTATIONS_PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
  --project=WORKSTATIONS_PROJECT_NUMBER
```
Replace the following:
- WORKSTATIONS_CONFIG_NAME: the name of the workstation configuration.
- WORKSTATIONS_CLUSTER_NAME: the name of your workstation cluster.
- LOCATION: the region name for your cluster.
- KMS_PROJECT_ID: project ID, a unique string used to differentiate your project from all others in Google Cloud.
- KEY_RING: the name of your key ring.
- KEY_NAME: the name of your key.
- WORKSTATIONS_PROJECT_NUMBER: the automatically generated, unique numeric identifier that is included as the first part of the Compute Engine default service account of the workstations project
After you create a workstation configuration, Cloud KMS encrypts the persistent disks in your project with the specified Cloud KMS key.

Cloud KMS quotas and Cloud Workstations

When you use CMEK in Cloud Workstations, your projects can consume Cloud KMS cryptographic requests quotas. For example, CMEK-encrypted repositories can consume these quotas for each upload or download. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.

External keys

You can use Cloud External Key Manager (Cloud EKM) to encrypt data within Google Cloud using external keys that you manage.

When you use a Cloud EKM key, Google has no control over the availability of your externally-managed key. If the key becomes unavailable, your workstation cannot be started.

For more considerations when using external keys, see Cloud External Key Manager.

What's next

Read about Customer-managed encryption keys.
Learn What is encryption?