
Use Customer-Managed Encryption Keys for Functions Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Google Cloud functions use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys to encrypt data at rest. CMEKs provide greater control over the encryption and decryption process, enabling you to meet stringent compliance requirements.

Reliability, Performance efficiency, Operational excellence

By default, Google Cloud Platform (GCP) encrypts all data at rest using Google-managed encryption keys. This type of encryption is handled by GCP without any additional effort from you or your application. However, if you prefer to have full control over data encryption, you can use your own Customer-Managed Encryption Key (CMEK). To create and manage your own CMEKs, utilize Cloud Key Management Service (Cloud KMS). Cloud KMS offers secure and efficient encryption key management, including controlled key rotation and revocation mechanisms.


Audit

To determine if your Google Cloud functions are protected with Customer-Managed Encryption Keys (CMEKs), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Click on the name (link) of the function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and check the value of the Encryption Key attribute, listed in the Security Settings section. If no Encryption Key value is displayed, the selected Google Cloud function is not encrypted at rest using a Cloud KMS Customer-Managed Encryption Key (CMEK).

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project ID(s):

cc-bigdata-project-123123
	cc-iot-app-project-112233

03 Run the functions list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the name and the region of each Google Cloud function deployed within the selected project:

gcloud functions list
	--project cc-bigdata-project-123123
	--format="(NAME,REGION)"

04 The command output should return the requested function names and the associated regions:

NAME: cc-project5-function
REGION: us-central1

NAME: tm-stream-function
REGION: us-central1

NAME: tm-vertex-function
REGION: us-central1

05 Run the functions describe command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to examine as the identifier parameter, to return the name of the Customer-Managed Encryption Key (CMEK) used to encrypt/decrypt your function's resources:

gcloud functions describe cc-project5-function
	--region=us-central1
	--format="json(kmsKeyName)"

06 The command output should return the name of the requested Customer-Managed Encryption Key:

null

If the functions describe command output returns null, as shown in the example above, the function is encrypted with a Google-managed encryption key; therefore, the selected Google Cloud function is not encrypted at rest using a Customer-Managed Encryption Key (CMEK).

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
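The CLI audit above is a per-function check. The following Python helper, added here as an example and not part of the Conformity page or of gcloud, automates the classification step: it takes the JSON that `gcloud functions list --project <id> --format=json` prints (one Function resource per element, with `name` and, when CMEK is configured, `kmsKeyName`), validates the key resource name shape, and returns the functions that still rely on Google-managed keys. The sample input is constructed to mirror the three functions listed in step 04 and is embedded so the helper runs offline.

```python
"""Classify Google Cloud functions by encryption key from gcloud JSON output.

Added example (not Conformity's or Google's code). Input is assumed to be
the parsed output of `gcloud functions list --format=json`.
"""
import json
import re

# Shape of a Cloud KMS key resource name:
# projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def parse_kms_key(name):
    """Return the components of a Cloud KMS key name, or None when the value
    is missing/null (Google-managed key) or not a well-formed key name."""
    if not name:
        return None
    match = KMS_KEY_RE.match(name)
    return match.groupdict() if match else None


def audit_functions(functions):
    """Return one finding per function: short name, region and CMEK status."""
    findings = []
    for fn in functions:
        # Full resource name: projects/P/locations/REGION/functions/NAME
        parts = fn["name"].split("/")
        region, short_name = parts[3], parts[5]
        key = parse_kms_key(fn.get("kmsKeyName"))
        findings.append({
            "function": short_name,
            "region": region,
            "cmek": key is not None,
            "key": key,
        })
    return findings


def non_compliant(functions):
    """Names of functions that are not encrypted with a CMEK."""
    return [f["function"] for f in audit_functions(functions) if not f["cmek"]]


# Constructed sample, shaped like `gcloud functions list --format=json` output.
SAMPLE_OUTPUT = json.dumps([
    {
        "name": "projects/cc-bigdata-project-123123/locations/us-central1"
                "/functions/cc-project5-function",
        "kmsKeyName": "projects/cc-bigdata-project-123123/locations/us"
                      "/keyRings/tm-cloud-run-key-ring"
                      "/cryptoKeys/tm-cloud-function-kms-key",
    },
    {
        "name": "projects/cc-bigdata-project-123123/locations/us-central1"
                "/functions/tm-stream-function",
        "kmsKeyName": None,          # explicit null, as gcloud prints it
    },
    {
        "name": "projects/cc-bigdata-project-123123/locations/us-central1"
                "/functions/tm-vertex-function",
        # key omitted entirely: also a Google-managed key
    },
])


def sample_functions():
    """Parsed sample input, exposed for reuse."""
    return json.loads(SAMPLE_OUTPUT)


if __name__ == "__main__":
    for finding in audit_functions(sample_functions()):
        status = "CMEK" if finding["cmek"] else "GOOGLE-MANAGED (non-compliant)"
        print(f"{finding['function']} ({finding['region']}): {status}")
```

Run it against real data by piping `gcloud functions list --project <id> --format=json` into `json.load` and passing the result to `non_compliant`; a function whose `kmsKeyName` is absent, null, or malformed is reported, which is the same condition the null output in step 06 indicates.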

Remediation / Resolution

To enable encryption at rest with Cloud KMS Customer-Managed Encryption Keys (CMEKs) for your Google Cloud functions and related data, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:

  1. Navigate to Key management console available at https://console.cloud.google.com/security/kms.
  2. Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
  3. A key ring requires a name and location. On the Create key ring setup page, provide a unique name in the Key ring name box, select the key location type from the Location type list, then choose the appropriate key location from the Region/Multi-region dropdown list. The location can be either multi-region or associated with a particular region. If the CMEKs created later within this key ring will be used to encrypt/decrypt data in a particular region, select that region as the key ring location. Choose CREATE to deploy the new key ring.
  4. On the Create key setup page, provide the following information:
    1. For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
    2. For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
    3. For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
    4. For Versions, configure the key rotation period as necessary. Choose CONTINUE.
    5. For Additional settings (optional), set how long a key version stays in the "scheduled for destruction" (soft-deleted) state before it is removed from the system. Choose ADD LABEL and use the Key and Value text fields to add labels that organize and identify the new key.
    6. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

04 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

05 Click on the name (link) of the function that you want to configure, listed in the Name column.

06 Choose EDIT, expand the Runtime, build, connections and security settings configuration panel, select the SECURITY AND IMAGE REPO tab, and perform the following actions to enable encryption at rest using Cloud KMS Customer-Managed Encryption Keys (CMEKs):

  1. For Encryption, choose Cloud KMS key.
  2. For Key type, select Cloud KMS.
  3. Choose the name of your Cloud KMS Customer-Managed Encryption Key (CMEK) from the Select a Cloud KMS key dropdown list.
  4. For Image repository, ensure that the correct customer-managed artifact registry is selected from the Artifact registry dropdown list, under Container location.
  5. Choose NEXT and DEPLOY to apply the changes and deploy a new revision for the selected function.

07 Repeat steps no. 5 and 6 for each Google Cloud function that you want to configure, available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Before you can create your own Customer-Managed Encryption Key (CMEK), you have to provision a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the keys deployed later within this key ring will be used to encrypt resources in a given region, select that region as the key ring location:

gcloud kms keyrings create tm-cloud-run-key-ring
	--location=us
	--project=cc-bigdata-project-123123
	--format="table(name)"

02 The command output should return the resource name of the newly created key ring:

NAME
projects/cc-bigdata-project-123123/locations/us/keyRings/tm-cloud-run-key-ring

03 Run the kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created in the previous steps:

gcloud kms keys create tm-cloud-function-kms-key
	--location=us
	--keyring=tm-cloud-run-key-ring
	--purpose=encryption
	--protection-level=software
	--rotation-period=90d
	--next-rotation-time=2024-11-25T10:00:00.0000Z
	--format="table(name)"

04 The command output should return the resource name of the new Customer-Managed Encryption Key:

NAME
projects/cc-bigdata-project-123123/locations/us/keyRings/tm-cloud-run-key-ring/cryptoKeys/tm-cloud-function-kms-key

05 Run the kms keys add-iam-policy-binding command (Windows/macOS/Linux) to assign the Cloud KMS CryptoKey Encrypter/Decrypter role to each service account that must use the key (the location must be the one the key ring was created in):

gcloud kms keys add-iam-policy-binding tm-cloud-function-kms-key
	--keyring tm-cloud-run-key-ring
	--location us
	--member <service-account-email>
	--role roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for key [tm-cloud-function-kms-key].
bindings:
- members:
	- serviceAccount:<project-number>-compute@developer.gserviceaccount.com
	- serviceAccount:service-<project-number>@gcf-admin-robot.iam.gserviceaccount.com
	- serviceAccount:service-<project-number>@gs-project-accounts.iam.gserviceaccount.com
	- serviceAccount:service-<project-number>@serverless-robot-prod.iam.gserviceaccount.com
	role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: ABCD1234ABCD1234
version: 1
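Before redeploying in step 07, it is worth confirming that every service account the binding step targets actually holds the role, since a missing grant surfaces only as a failed deployment. The following Python helper is an added example (not Conformity's or Google's code): it reads the policy as printed by `gcloud kms keys get-iam-policy <key> --keyring <ring> --location <loc> --format=json`, derives the expected members from the project number using the four service accounts shown in the step 06 output, and reports the ones without an unconditional grant of `roles/cloudkms.cryptoKeyEncrypterDecrypter`. The sample policy is constructed and deliberately leaves one service agent out.

```python
"""Verify CMEK IAM grants from `gcloud kms keys get-iam-policy --format=json`.

Added example (not Conformity's or Google's code). The required member set
is taken from the service accounts shown in this page's step 06 output.
"""
import json

ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def required_members(project_number):
    """Service accounts that need to use the key, as listed on this page."""
    n = project_number
    return {
        f"serviceAccount:{n}-compute@developer.gserviceaccount.com",
        f"serviceAccount:service-{n}@gcf-admin-robot.iam.gserviceaccount.com",
        f"serviceAccount:service-{n}@gs-project-accounts.iam.gserviceaccount.com",
        f"serviceAccount:service-{n}@serverless-robot-prod.iam.gserviceaccount.com",
    }


def members_with_role(policy, role):
    """Members granted `role` without an IAM condition. Conditional bindings
    are ignored on purpose: they may not apply at encrypt/decrypt time."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and not binding.get("condition"):
            members.update(binding.get("members", []))
    return members


def missing_grants(policy, project_number):
    """Sorted list of required members that lack the Encrypter/Decrypter role."""
    return sorted(required_members(project_number) - members_with_role(policy, ROLE))


# Constructed sample policy: the Cloud Run service agent is not yet bound,
# and one unrelated viewer binding is present.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "members": [
                "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                "serviceAccount:service-123456789012@gcf-admin-robot.iam.gserviceaccount.com",
                "serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com",
            ],
            "role": ROLE,
        },
        {
            "members": ["user:someone@example.com"],
            "role": "roles/cloudkms.viewer",
        },
    ],
    "etag": "ABCD1234ABCD1234",
    "version": 1,
})


def sample_policy():
    """Parsed sample policy, exposed for reuse."""
    return json.loads(SAMPLE_POLICY)


if __name__ == "__main__":
    for member in missing_grants(sample_policy(), "123456789012"):
        print(f"missing {ROLE}: {member}")
```

An empty result from `missing_grants` means each account listed in step 06 can use the key; anything returned should be bound with the add-iam-policy-binding command from step 05 before running the deploy in step 07.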

07 Run functions deploy command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to configure as the identifier parameter, to enable encryption at rest using Cloud KMS Customer-Managed Encryption Keys (CMEKs). Use the --kms-key parameter to specify your own Customer-Managed Encryption Key:

gcloud functions deploy cc-project5-function
	--source=gs://gcf-v2-sources-123456789012-us-central1/cc-project5-function/function-source.zip
	--region=us-central1
	--runtime=nodejs20
	--trigger-http
	--kms-key=projects/cc-bigdata-project-123123/locations/us/keyRings/tm-cloud-run-key-ring/cryptoKeys/tm-cloud-function-kms-key

08 The command output should return the build information available for the redeployed function:

buildConfig:
	automaticUpdatePolicy: {}
	build: projects/123456789012/locations/us-central1/builds/abcd1234-abcd-1234-abcd-1234abcd1234abcd
	dockerRegistry: ARTIFACT_REGISTRY
	dockerRepository: projects/cc-bigdata-project-123123/locations/us-central1/repositories/gcf-artifacts
	entryPoint: run-app
	runtime: nodejs20
	source:
		storageSource:
			bucket: gcf-v2-sources-123456789012-us-central1
			generation: '1730285369954566'
			object: cc-project5-function/function-source.zip
	sourceProvenance:
		resolvedStorageSource:
			bucket: gcf-v2-sources-123456789012-us-central1
			generation: '1730285369954566'
			object: cc-project5-function/function-source.zip
createTime: '2024-10-28T09:49:12.051881848Z'
environment: GEN_2
labels:
	deployment-tool: console-cloud
name: projects/cc-bigdata-project-123123/locations/us-central1/functions/cc-project5-function
serviceConfig:
	allTrafficOnLatestRevision: true
	availableCpu: 167m
	availableMemory: 256Mi
	environmentVariables:
		LOG_EXECUTION_ID: 'true'
	ingressSettings: ALLOW_ALL
	minInstanceCount: 3
	maxInstanceCount: 10
	maxInstanceRequestConcurrency: 1
	revision: cc-project5-function-00003-abc
	service: projects/cc-bigdata-project-123123/locations/us-central1/services/cc-project5-function
	serviceAccountEmail: 123456789012-compute@developer.gserviceaccount.com
	timeoutSeconds: 60
	uri: https://cc-project5-function-abcd1234abcd-uc.a.run.app
state: ACTIVE
updateTime: '2024-10-28T10:50:15.176254527Z'
url: https://us-central1-cc-bigdata-project-123123.cloudfunctions.net/cc-project5-function

09 Repeat steps no. 1 - 8 for each Google Cloud function that you want to configure, available in the selected project.

10 Repeat steps no. 1 – 9 for each GCP project deployed in your Google Cloud account.


Publication date Nov 20, 2024