Pub for Google


Author: Admin | 2025-04-27

This document discusses how to configure customer-managed encryption keys (CMEK) for Pub/Sub. Pub/Sub encrypts messages with Google-owned and Google-managed encryption keys by default. No additional setup is required to use Google-owned and Google-managed encryption keys.

About CMEK

CMEKs are encryption keys that you own and that are managed and stored in Cloud Key Management Service (Cloud KMS). If you need more control over the encryption keys used to protect Pub/Sub data, you can use CMEKs. Some organizations also mandate the use of CMEKs.

CMEKs give you full control over your encryption keys, letting you manage their lifecycle, rotation, and access policies. When you configure Pub/Sub with a CMEK, the service automatically encrypts all data using the specified key. Cloud KMS usage for CMEK might incur additional costs depending on your usage patterns.

Every message is encrypted at the following states and layers:

- At rest
  - Hardware layer
  - Infrastructure layer
  - Application layer
- In transit

At the application layer, Pub/Sub individually encrypts incoming messages as soon as the message is received. This implementation adds the following features:

- Keeps messages encrypted on data-center internal links
- Enables customer-managed encryption keys (CMEK)

CMEK for Pub/Sub

Pub/Sub uses the envelope encryption pattern with CMEK. In this approach, the messages are not encrypted by Cloud KMS. Instead, Cloud KMS is used to encrypt Data Encryption Keys (DEKs) created by Pub/Sub for each topic. These DEKs are stored only in encrypted, or wrapped, form by Pub/Sub. Before storing a DEK, the service sends the DEK to Cloud KMS to be encrypted with the key encryption key (KEK) specified on the topic.

A new DEK is generated for each topic approximately every six hours. Before Pub/Sub publishes messages to a subscription, it encrypts them using the newest DEK that was generated for the topic. Pub/Sub decrypts the messages shortly before they are delivered to subscribers.

Before you begin

You can configure CMEK for Pub/Sub using the Google Cloud console or the Google Cloud CLI. Complete the following tasks:

- Enable the Cloud KMS API.
- Create a key ring and a key in Cloud KMS. Keys and key rings cannot be deleted.

For instructions on how to accomplish these tasks, see the Cloud KMS quickstart guide.

Because Pub/Sub resources are global, we strongly recommend that you use global Cloud KMS keys to configure CMEK-enabled topics. Depending on the locations of a topic's publishers and subscribers, the use of a regional Cloud KMS key could introduce unnecessary dependencies on cross-region network links.

Required roles and permissions to configure CMEK

Pub/Sub uses a Google Cloud service agent to access Cloud KMS. The service agent is maintained internally by Pub/Sub for each project, and is not visible on the Service Accounts page in the Google Cloud console by default. The Pub/Sub service agent has the form service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com.

Pub/Sub requires specific permissions to encrypt and decrypt data using CMEK. Complete the following steps to set up the required access:

1. Grant the Pub/Sub service agent the Cloud KMS Crypto Key Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) role.

    gcloud kms keys add-iam-policy-binding CLOUD_KMS_KEY_NAME \
        --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:

- CLOUD_KMS_KEY_NAME: The name of the Cloud KMS key.
- The
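As an added example (not part of the original document, and not Google's own tooling), the following POSIX shell script wires the steps above together: it derives the Pub/Sub service agent from the project number, builds the full Cloud KMS key resource name, refuses a non-global key as the page recommends, grants the Encrypter/Decrypter role, and goes one step past the page by creating a CMEK-protected topic with the key. The key ring, key and topic names, the PUBSUB_CMEK_APPLY switch and the helper function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: CMEK setup helpers for Pub/Sub. The ring/key/topic names,
# PUBSUB_CMEK_APPLY and the function names are placeholders, not from the page.

# Pub/Sub service agent for a project number (form given on the page).
pubsub_service_agent() {
  printf 'service-%s@gcp-sa-pubsub.iam.gserviceaccount.com\n' "$1"
}

# Full Cloud KMS key resource name: project, location, key ring, key.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Returns 0 only for a global key; a regional key can add cross-region
# dependencies for a global Pub/Sub topic, so the live setup refuses it.
is_global_key() {
  case "$1" in
    projects/*/locations/global/keyRings/*/cryptoKeys/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live setup against a real project: enable Cloud KMS, create the ring and
# key (remember: neither can be deleted), grant the service agent
# Encrypter/Decrypter on the key, then create a topic that uses it.
setup_cmek() {
  project="$1"; ring="$2"; key="$3"; topic="$4"
  key_name=$(kms_key_name "$project" global "$ring" "$key")
  is_global_key "$key_name" || { echo "refusing non-global key: $key_name" >&2; return 1; }
  gcloud services enable cloudkms.googleapis.com --project="$project"
  gcloud kms keyrings create "$ring" --location=global --project="$project"
  gcloud kms keys create "$key" --keyring="$ring" --location=global \
    --purpose=encryption --project="$project"
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  gcloud kms keys add-iam-policy-binding "$key_name" \
    --member="serviceAccount:$(pubsub_service_agent "$number")" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  gcloud pubsub topics create "$topic" --project="$project" \
    --topic-encryption-key="$key_name"
}

# Only touch a real project when explicitly asked: PUBSUB_CMEK_APPLY=<project-id>
if [ -n "${PUBSUB_CMEK_APPLY:-}" ]; then
  setup_cmek "$PUBSUB_CMEK_APPLY" pubsub-ring pubsub-key cmek-topic
fi
```

Run with PUBSUB_CMEK_APPLY set to a project ID to apply the setup; without it the script only defines the helpers, so the pure functions can be checked offline.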
