Advanced Cluster Options

Create a cluster with key encryption

GCP disk encryption can be configured on the Hardware and Storage page of the advanced create cluster wizard.

You can configure it per host group by clicking the icon next to the chosen host group. Under Encryption Key you can choose between the default Google-managed encryption, an existing Cloud KMS key (CMEK), or a customer-supplied encryption key (CSEK).

Encryption type: Default
  Description: Selected by default. Compute Engine encrypts all customer content at rest with Google-managed keys, and there is no option to turn disk encryption off.
  How to configure: Nothing to do.

Encryption type: Select an existing KMS key (CMEK)
  Description: You can optionally select a previously created Cloud KMS key. If such a key exists in the selected region, you can pick it from the list; entries are shown as <key-ring-name>/<key>.
  How to configure: From the Encryption Key dropdown, select an existing key.

Encryption type: Enter an existing custom key (CSEK)
  Description: You can optionally provide your own key. You must supply a key string (max. 255 characters) and the method used to send it to Google: either RAW (the key is sent unencrypted over the API call) or RSA (the key is wrapped with Google's public RSA key before it is sent). In both cases a SHA-256 hash of the string you provide is what actually reaches Compute Engine, because a CSEK must be exactly 256 bits (32 bytes) long. Compute Engine does not store customer-supplied keys: if you lose the key, the data on the disk is unrecoverable, and the same key must be supplied for any later operation on the disk (for example taking snapshots or re-attaching it).
  How to configure:
  1. Select "Provide Custom Key" from the Encryption Key dropdown.
  2. Under Encryption Method, select RSA or RAW.
  3. Under Custom Encryption Key, paste the encryption key.
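The following is an added illustration, not Cloudbreak's own code: it mirrors the CSEK handling described above (the user-provided string is SHA-256 hashed to obtain the 32-byte key Compute Engine requires), computes the base64 `rawKey` value and the base64 SHA-256 fingerprint that Compute Engine reports for a disk protected by that key, and builds the `uri`/`key`/`key-type` entry shape assumed here for a `gcloud compute disks create --csek-key-file` JSON file. The UTF-8 encoding of the string, the 255-character limit taken from the wizard, and the disk URI are assumptions or constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed example (not Cloudbreak's code). Assumes the wizard's string is
# UTF-8 encoded before hashing; the page only says it is SHA-256 hashed.
MAX_CUSTOM_KEY_CHARS = 255  # limit stated in the wizard


def derive_raw_key(custom_key: str) -> bytes:
    """Turn the user-supplied string into the 256-bit key Compute Engine expects."""
    if not custom_key:
        raise ValueError("custom key must not be empty")
    if len(custom_key) > MAX_CUSTOM_KEY_CHARS:
        raise ValueError(f"custom key exceeds {MAX_CUSTOM_KEY_CHARS} characters")
    # SHA-256 always yields 32 bytes, i.e. exactly the CSEK length.
    return hashlib.sha256(custom_key.encode("utf-8")).digest()


def raw_key_b64(custom_key: str) -> str:
    """Base64 form of the raw key, the value carried in a RAW (unwrapped) CSEK."""
    return base64.b64encode(derive_raw_key(custom_key)).decode("ascii")


def key_fingerprint_b64(custom_key: str) -> str:
    """Base64 SHA-256 of the raw key: the only key material Compute Engine
    retains and reports for a CSEK-protected disk (it never returns the key)."""
    digest = hashlib.sha256(derive_raw_key(custom_key)).digest()
    return base64.b64encode(digest).decode("ascii")


def csek_key_file_entry(disk_uri: str, custom_key: str) -> dict:
    """One entry of a CSEK key file (assumed shape: uri / key / key-type).
    key-type 'raw' carries the plain base64 key; 'rsa-encrypted' would carry
    the key wrapped with Google's public RSA key instead."""
    return {"uri": disk_uri, "key": raw_key_b64(custom_key), "key-type": "raw"}


def check_disk_uses_key(reported_sha256: str, custom_key: str) -> bool:
    """Verify a disk's reported sha256 fingerprint matches the key you hold,
    so you know the right key was applied before relying on it."""
    return reported_sha256 == key_fingerprint_b64(custom_key)


if __name__ == "__main__":
    passphrase = "correct horse battery staple"  # constructed sample input
    # Hypothetical disk URI; replace with the real self-link of your disk.
    disk = ("https://www.googleapis.com/compute/v1/projects/my-project"
            "/zones/us-central1-a/disks/my-disk")
    print("rawKey (base64):", raw_key_b64(passphrase))
    print("fingerprint    :", key_fingerprint_b64(passphrase))
    print(json.dumps([csek_key_file_entry(disk, passphrase)], indent=2))
    # The fingerprint is what to compare against the disk's reported sha256.
    print("matches:", check_disk_uses_key(key_fingerprint_b64(passphrase), passphrase))
```

Keep the original string (or the derived 32-byte key) in a secrets store: because Google never holds the key, the fingerprint alone cannot recover the disk, and any later snapshot or attach operation must present the same key.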

Once the cluster is running, you can confirm that encryption is enabled by navigating to cluster details > Hardware tab. On Google Cloud, navigate to Compute Engine > Disks, click the disk name, and check the Encryption field: for a CMEK-protected disk the Cloud KMS key is listed; for a CSEK-protected disk only the fact that the key is customer-supplied is shown, because Compute Engine does not retain the key itself.