Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs)


Google Cloud encrypts all data at rest by default with Google-generated keys. However, for business critical instances, users may want to use customer-supplied encryption keys (CSEKs) for an additional layer of protection as data encrypted with CSEKs cannot be accessed by Google.

Remediation Steps

Currently, there is no way to update the encryption of an existing Compute Engine disk. Therefore, remediation requires deleting an existing disk and creating a new one.

Google Cloud Console

  • Navigate to Compute Engine Disks.

  • To create a new disk, click CREATE DISK.

  • Under the Encryption section, select Customer-supplied encryption key (CSEK).

  • Provide the Encryption key in the supplied box.

  • Select Wrapped key.

  • Click Create.

gcloud CLI

  • If using a RSA-wrapped key, use the gcloud beta CLI action:

    • gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file <example-file.json>

  • To encrypt a standalone disk:

    • gcloud (beta) compute disks create DISK_NAME --csek-key-file <example- file.json>