- Enable Virtual Machine (VM) Disk Encryption
Ensure that the persistent disks attached to your Google Compute Engine instances are encrypted with Customer-Managed Encryption Keys (CMEK) or Customer-Supplied Encryption Keys (CSEK) in order to have complete control over the data-at-rest encryption and decryption process and meet strict compliance requirements. CMEKs are customer-managed keys within Cloud KMS, whereas CSEKs are keys managed and stored outside of Google Cloud and provided on-demand for data access.
This rule resolution is part of the Conformity solution.
By default, the Compute Engine service encrypts all data at rest using Google-managed encryption keys. The cloud service manages this type of encryption without requiring any additional action from you or your application. However, if you require greater control over the compute instance disk encryption and decryption process in order to meet strict compliance and security requirements, you have two options for using your own keys:
- Customer-Managed Encryption Keys (CMEKs), which you fully control and manage within Google Cloud's Cloud KMS service. These keys are used to encrypt production or mission-critical data and offer a higher level of oversight than the default Google-managed encryption.
- Customer-Supplied Encryption Keys (CSEKs), which are raw encryption keys that you manage and store outside of Google Cloud. Compute Engine uses your CSEK to protect the Google-generated keys that encrypt and decrypt your instance data. The Compute Engine service does not store your CSEKs on its servers and cannot access your protected data unless you provide the required key with the API request.
Audit
To determine whether your VM instance disks utilize Google-managed, customer-managed, or customer-supplied encryption keys, perform the following operations:
Using GCP Console
01 Sign in to Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute/overview.
04 In the left navigation panel, under Virtual machines, select VM instances, to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.
05 Click on the name (link) of the VM instance that you want to examine, listed in the Name column.
06 Select the Details tab to access the configuration details available for the selected instance.
07 In the Storage section, click on the name (link) of the disk volume that you want to examine, listed in the Name column.
08 Select the Details tab and check the Encryption type attribute value to determine the key type used for the disk encryption. If Encryption type is set to Google-managed, the data on that verified disk is not encrypted with a Customer-Managed Encryption Key (CMEK) or a Customer-Supplied Encryption Key (CSEK).
09 Repeat steps no. 7 and 8 for each disk volume attached to the selected virtual machine (VM) instance. For compliance, all disks attached to your Google Compute Engine instance must be encrypted using CMEKs or CSEKs.
10 Repeat steps no. 5 – 9 for each virtual machine (VM) instance provisioned within the selected GCP project.
11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the IDs of all the GCP projects available in your Google Cloud account:
gcloud projects list --format="value(projectId)"
02 The command output should return the requested GCP project IDs:
cc-web-stack-project-123123
cc-backend-app-project-112233
03 Run compute instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and zone of each VM instance provisioned for the selected project:
gcloud compute instances list --project cc-web-stack-project-123123 --format="table(name,zone)"
04 The command output should return the names of the instances within the selected GCP project:
NAME: cc-production-instance
ZONE: us-central1-a

NAME: cc-development-instance
ZONE: us-central1-a
05 Run compute instances describe command (Windows/macOS/Linux) using the instance's name and zone as the identifier parameters, and custom output filtering, to list the name of each disk (boot or non-boot) attached to the selected instance:
gcloud compute instances describe cc-production-instance --zone us-central1-a --format="table(disks.deviceName)"
06 The command output should return the names of the attached disks:
DEVICE_NAME: ['cc-production-instance-boot-disk', 'cc-production-instance-data-disk']
07 Run compute disks describe command (Windows/macOS/Linux) with the name of the disk volume that you want to examine as the identifier parameter and custom output filters to describe the encryption key configured for the selected disk:
gcloud compute disks describe cc-production-instance-boot-disk --zone us-central1-a --format="json(diskEncryptionKey)"
08 The command output should return the requested encryption key:
null
If the compute disks describe command output returns null instead of an encryption key object that contains a "kmsKeyName" or a "sha256" property, as shown in the output examples listed below, the data available on the verified disk is not encrypted with a Customer-Managed Encryption Key (CMEK) or a Customer-Supplied Encryption Key (CSEK).
- For disk volumes encrypted with Customer-Managed Encryption Keys (CMEKs):
{
  "diskEncryptionKey": {
    "kmsKeyName": "projects/cc-web-stack-project-123123/locations/global/keyRings/cc-web-key-ring/cryptoKeys/cc-production-cryptokey/cryptoKeyVersions/2"
  }
}
- For disk volumes encrypted with Customer-Supplied Encryption Keys (CSEKs):
{
  "diskEncryptionKey": {
    "sha256": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd"
  }
}
09 Repeat steps no. 7 and 8 for each disk volume attached to the selected virtual machine (VM) instance. For compliance, all disks attached to your Google Compute Engine instance must be encrypted using CMEKs or CSEKs.
10 Repeat steps no. 5 – 9 for each virtual machine (VM) instance launched within the selected GCP project.
11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.
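The classification the audit steps above perform by hand (null means Google-managed, kmsKeyName means CMEK, sha256 means CSEK) can be run over a whole project at once. The following Python is an added example, not part of the Conformity page or of Google's tooling: it consumes Disk resources as returned by gcloud compute disks describe --format=json (the same fields appear in gcloud compute disks list --format=json) and flags every disk that is not CMEK- or CSEK-encrypted. The optional approved_kms_key check, which also fails CMEK disks that use a key other than the one you designate, goes beyond what the page checks; the sample records are constructed and reuse the page's example names.

```python
"""Classify Compute Engine disk encryption from gcloud JSON output (added example)."""
import json
import re
import subprocess
from typing import Any, Dict, List, Optional

COMPLIANT_TYPES = ("CMEK", "CSEK")

# Cloud KMS key resource name, with the optional cryptoKeyVersions suffix that
# appears in the page's CMEK sample output.
_KMS_KEY_RE = re.compile(
    r"^(projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"(?:/cryptoKeyVersions/\d+)?$"
)


def classify_disk(disk: Dict[str, Any]) -> str:
    """Return GOOGLE_MANAGED, CMEK, CSEK or UNKNOWN for one Disk resource.

    A disk under the default Google-managed key has no diskEncryptionKey at all
    (gcloud prints `null` for it). A CMEK disk carries kmsKeyName; a CSEK disk
    carries only the SHA-256 digest of the supplied key, never the key itself.
    """
    key = disk.get("diskEncryptionKey") or {}
    if not key:
        return "GOOGLE_MANAGED"
    if key.get("kmsKeyName"):
        return "CMEK"
    if key.get("sha256"):
        return "CSEK"
    return "UNKNOWN"


def kms_key_without_version(disk: Dict[str, Any]) -> Optional[str]:
    """Strip the version suffix so the key can be compared with an approved key."""
    name = (disk.get("diskEncryptionKey") or {}).get("kmsKeyName", "")
    match = _KMS_KEY_RE.match(name)
    return match.group(1) if match else None


def audit_disk(disk: Dict[str, Any], approved_kms_key: Optional[str] = None) -> Dict[str, Any]:
    """Build one finding per disk; approved_kms_key is a hypothetical extra policy."""
    kind = classify_disk(disk)
    finding = {
        "disk": disk.get("name"),
        # zone and users are full resource URLs in the API output; keep the last segment.
        "zone": disk.get("zone", "").rsplit("/", 1)[-1],
        "attached_to": [u.rsplit("/", 1)[-1] for u in disk.get("users", [])],
        "encryption": kind,
        "compliant": kind in COMPLIANT_TYPES,
    }
    if kind == "CMEK":
        key = kms_key_without_version(disk)
        finding["kms_key"] = key
        if approved_kms_key is not None and key != approved_kms_key:
            finding["compliant"] = False
            finding["note"] = "CMEK is not the approved key"
    return finding


def audit_disks(disks: List[Dict[str, Any]], approved_kms_key: Optional[str] = None) -> Dict[str, Any]:
    """Audit a list of Disk resources and list the names that fail the rule."""
    findings = [audit_disk(d, approved_kms_key) for d in disks]
    return {
        "findings": findings,
        "non_compliant": [f["disk"] for f in findings if not f["compliant"]],
    }


def list_project_disks(project: str) -> List[Dict[str, Any]]:
    """Fetch every Disk resource in a project (runs gcloud; needs credentials)."""
    result = subprocess.run(
        ["gcloud", "compute", "disks", "list", "--project", project, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


_ZONE = "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a"

# Constructed sample records shaped like the API output; names reuse the page's examples.
SAMPLE_DISKS = [
    {"name": "cc-production-instance-boot-disk", "zone": _ZONE,
     "users": [_ZONE + "/instances/cc-production-instance"]},  # no key: Google-managed
    {"name": "cc-production-instance-data-disk", "zone": _ZONE,
     "users": [_ZONE + "/instances/cc-production-instance"],
     "diskEncryptionKey": {"kmsKeyName": "projects/cc-web-stack-project-123123/locations/global/"
                           "keyRings/cc-web-key-ring/cryptoKeys/cc-production-cryptokey/cryptoKeyVersions/2"}},
    {"name": "cc-csek-data-disk", "zone": _ZONE,
     "diskEncryptionKey": {"sha256": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd"}},
]

if __name__ == "__main__":
    print(json.dumps(audit_disks(SAMPLE_DISKS), indent=2))
```

To audit a real project, replace SAMPLE_DISKS with list_project_disks("cc-web-stack-project-123123") and loop over the project IDs from step no. 1.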
Remediation / Resolution
Case A: To enable encryption at rest using Customer-Managed Encryption Keys (CMEKs) for the disk volumes attached to your production Google Compute Engine instances, you must re-create those instances with the appropriate encryption configuration. To relaunch your virtual machine (VM) instances, perform the following operations:
Using GCP Console
01 Sign in to Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 To create and configure a new Customer-Managed Encryption Key (CMEK), perform the following actions:
- Navigate to Key Management console available at https://console.cloud.google.com/security/kms.
- Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose Create key ring to set up the necessary key ring.
- A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select Region from the Location type list, then choose the appropriate key location from the Region dropdown list. Choose Create to deploy the new key ring.
- Choose Create key and provide the following information:
- For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose Continue to continue the setup process.
- For Key material, choose Generated key to generate the key material for you (recommended). Choose Continue to continue the setup.
- For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose Continue to continue the setup.
- For Versions, configure the key rotation period as necessary. Choose Continue to continue.
- For Additional settings (optional), set the duration of the "scheduled for destruction" state (i.e., soft deleted) before the key is removed from the system. Choose Add label and use the Key and Value text fields to create labels that help organize and identify the new key.
- Choose Create to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).
04 Navigate to Compute Engine console available at https://console.cloud.google.com/compute/overview.
05 In the left navigation panel, under Virtual machines, select VM instances, to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.
06 Click on the name (link) of the VM instance that you want to re-create.
07 Select the Details tab and collect all the necessary configuration details available for the selected VM instance.
08 Choose Stop from the console top menu to stop the selected instance. Choose Stop again to confirm.
09 Once the VM instance is stopped, click on the name of the boot disk, listed in the Storage section, and select Create image from the console top menu to create an image from the selected instance disk.
10 On the Create an image setup page, give your boot disk image a unique name, select the appropriate location, and click Create to deploy the image.
11 Navigate back to the stopped VM instance and choose Start / Resume from the console top menu to restart the selected instance. Select Start for confirmation.
12 In the left navigation panel, under Virtual machines, select VM instances, and choose Create instance to launch a new virtual machine (VM) instance.
13 On the Create an instance page, perform the following operations:
- For Machine configuration, provide a unique name for the new instance in the Name box, select the appropriate region and zone, and choose the correct machine type (must match the machine type of the source instance).
- For OS and storage, perform the following actions:
- Choose Change under Operating system and storage, select the Custom images tab, choose the disk image created in step no. 10 from the Image dropdown list, choose the correct Boot disk type and Size (GB), and select the appropriate Deletion rule. For Encryption, select Cloud KMS key, choose Cloud KMS for Key management type, and select the CMEK created in step no. 3 from the Select a Cloud KMS key dropdown list to enable boot disk encryption with Customer-Managed Encryption Keys (CMEKs). If the console warns that the service-<project-number>@compute-system.iam.gserviceaccount.com service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role, choose Grant to assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the associated Compute Engine service account. Choose Select to apply the changes.
- (Optional) If the source (non-compliant) VM instance has additional data disks attached, choose Add new disk under Additional disks and configure the new disk according to the source data disk. For Encryption, select Cloud KMS key, choose Cloud KMS for Key management type, and select the CMEK created in step no. 3 from the Select a Cloud KMS key dropdown list to enable data disk encryption with Customer-Managed Encryption Keys (CMEKs). If the console warns that the service-<project-number>@compute-system.iam.gserviceaccount.com service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role, choose Grant to assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the associated Compute Engine service account. Choose Save to apply the changes.
- For Data protection, configure the data backup and replication settings. This will help you protect your instance data against failures and errors.
- For Networking, configure the instance networking features such as the network interfaces and firewall rules (must match the network configuration of the source instance).
- For Observability, configure the monitoring and logging settings for the new VM instance.
- For Security, configure the identity and API access for the instance, and enable security features such as Shielded VM.
- For Advanced, configure the advanced settings for the new VM instance (must match the advanced configuration of the source instance).
- Choose Create to launch your new Google Compute Engine instance.
14 Repeat steps no. 6 – 13 to enable encryption at rest with Customer-Managed Encryption Keys (CMEKs) for each VM instance provisioned for the selected GCP project.
15 Repeat steps no. 2 – 14 for each GCP project available in your Google Cloud account.
Using GCP CLI
01 To create and configure a new Customer-Managed Encryption Key (CMEK), you must provision a key ring first. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the CMEKs created later within this key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location:
gcloud kms keyrings create cc-production-key-ring --location=us --project=cc-web-stack-project-123123 --format="table(name)"
02 The command output should return the resource name of the newly created key ring:
NAME: projects/cc-web-stack-project-123123/locations/us/keyRings/cc-production-key-ring
03 Run kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created in the previous steps:
gcloud kms keys create cc-production-cmek --location=us --keyring=cc-production-key-ring --purpose=encryption --protection-level=software --rotation-period=90d --next-rotation-time=2026-03-10T12:00:00.0000Z --format="table(name)"
04 The command output should return the full resource ID of the new Customer-Managed Encryption Key:
NAME: projects/cc-web-stack-project-123123/locations/us/keyRings/cc-production-key-ring/cryptoKeys/cc-production-cmek
05 Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to add the necessary IAM policy binding to your new CMEK. This assigns the Cloud KMS CryptoKey Encrypter/Decrypter role to the associated Compute Engine service account (i.e., service-<project-number>@compute-system.iam.gserviceaccount.com). Replace <project-number> with your Google Cloud Platform (GCP) project number:
gcloud kms keys add-iam-policy-binding cc-production-cmek --keyring "cc-production-key-ring" --location "us" --member "serviceAccount:service-<project-number>@compute-system.iam.gserviceaccount.com" --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
06 The command output should return the updated IAM policy (YAML format):
Updated IAM policy for key [cc-production-cmek].
bindings:
- members:
  - serviceAccount:service-<project-number>@compute-system.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: abcdabcdabcd
version: 1
07 Run compute instances describe command (Windows/macOS/Linux) with the name of the virtual machine (VM) instance that you want to re-create as the identifier parameter, to describe and collect the configuration information available for the selected instance:
gcloud compute instances describe cc-production-instance --zone us-central1-a
08 The command output should return the requested configuration information:
cpuPlatform: Intel Haswell
deletionProtection: false
disks:
- autoDelete: true
  boot: true
  deviceName: cc-production-instance
  diskSizeGb: '150'
  guestOsFeatures:
  - type: VIRTIO_SCSI_MULTIQUEUE
  - type: UEFI_COMPATIBLE
  interface: SCSI
  kind: compute#attachedDisk
  mode: READ_WRITE
  source: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-production-instance
  type: PERSISTENT
displayDevice:
  enableDisplay: false
...
kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-production-instance
enableIntegrityMonitoring: true
enableSecureBoot: false
enableVtpm: true
shieldedInstanceIntegrityPolicy:
  updateAutoLearnPolicy: true
startRestricted: false
status: RUNNING
tags:
  items:
  - http-server
  - https-server
zone: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a
09 Run compute instances stop command (Windows/macOS/Linux) to stop the VM instance that you want to re-create:
gcloud compute instances stop cc-production-instance --zone=us-central1-a
10 The command output should return the compute instances stop request status:
Stopping instance(s) cc-production-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].
11 Run compute images create command (Windows/macOS/Linux) with the name of the boot disk attached to the source instance as the value of the --source-disk parameter, to create an image from the selected instance disk. The boot disk image will be used later, when the new VM instance is created:
gcloud compute images create cc-production-boot-disk-image --source-disk cc-production-instance-boot-disk --source-disk-zone us-central1-a --storage-location us
12 The command output should return the name and the status of the newly created disk image:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/images/cc-production-boot-disk-image].
NAME: cc-production-boot-disk-image
PROJECT: cc-web-stack-project-123123
STATUS: READY
13 Run compute instances start command (Windows/macOS/Linux) to restart the source Google Compute Engine instance:
gcloud compute instances start cc-production-instance --zone=us-central1-a
14 The command output should return the compute instances start request status:
Starting instance(s) cc-production-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].
15 Run the compute instances create command (Windows/macOS/Linux) to launch a new Google Compute Engine instance using the configuration information collected in step no. 8. For the --boot-disk-kms-key parameter, specify the ID of the Customer-Managed Encryption Key (CMEK) returned in step no. 4. (Optional) For additional (data) instance disks, include the --disk=name=<data-disk-name> parameter in the command request, where <data-disk-name> is the name of the data disk that you want to attach to the instance:
gcloud compute instances create cc-encrypted-production-instance --project=cc-web-stack-project-123123 --zone=us-central1-a --machine-type=n1-standard-8 --image=projects/cc-web-stack-project-123123/global/images/cc-production-boot-disk-image --boot-disk-size=150GB --boot-disk-kms-key=projects/cc-web-stack-project-123123/locations/us/keyRings/cc-production-key-ring/cryptoKeys/cc-production-cmek
16 The command output should return the configuration information available for the new VM instance:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-encrypted-production-instance].
NAME: cc-encrypted-production-instance
ZONE: us-central1-a
MACHINE_TYPE: n1-standard-8
INTERNAL_IP: 10.128.0.15
EXTERNAL_IP: xxx.xxx.xxx.xxx
STATUS: RUNNING
17 Repeat steps no. 7 – 16 to enable encryption at rest with Customer-Managed Encryption Keys (CMEKs) for each production VM instance provisioned within the selected GCP project.
18 Repeat steps no. 1 – 17 for each GCP project deployed in your Google Cloud account.
Remediation / Resolution
Case B: To enable encryption at rest using Customer-Supplied Encryption Key (CSEK) for the disk volumes attached to your production Google Compute Engine instances, you must re-create those instances with the appropriate encryption configuration. To relaunch your virtual machine (VM) instances, perform the following operations:
You are responsible for generating and managing your Customer-Supplied Encryption Key (CSEK). You must provide a CSEK that is a 256-bit string encoded in RFC 4648 standard base64 to the Google Compute Engine service.
Using GCP Console
01 Sign in to Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute/overview.
04 In the left navigation panel, under Virtual machines, select VM instances, to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.
05 Click on the name (link) of the VM instance that you want to re-create.
06 Select the Details tab and collect all the necessary configuration details available for the selected VM instance.
07 Choose Stop from the console top menu to stop the selected instance. Choose Stop again to confirm.
08 Once the VM instance is stopped, click on the name of the boot disk, listed in the Storage section, and select Create image from the console top menu to create an image from the selected instance disk.
09 On the Create an image setup page, give your boot disk image a unique name, select the appropriate location, and click Create to deploy the image.
10 Navigate back to the stopped VM instance and choose Start / Resume from the console top menu to restart the selected instance. Select Start for confirmation.
11 In the left navigation panel, under Virtual machines, select VM instances, and choose Create instance to launch a new virtual machine (VM) instance.
12 On the Create an instance page, perform the following operations:
- For Machine configuration, provide a unique name for the new instance in the Name box, select the appropriate region and zone, and choose the correct machine type (must match the machine type of the source instance).
- For OS and storage, perform the following actions:
- Choose Change under Operating system and storage, select the Custom images tab, choose the disk image created in step no. 9 from the Image dropdown list, choose the correct Boot disk type and Size (GB), and select the appropriate Deletion rule. For Encryption, select Customer-supplied encryption key (CSEK), paste your own key in the Encryption key text box, and select Wrapped key to ensure that the encryption key is wrapped with the Compute Engine public key. Choose Select to apply the changes. This will enable boot disk encryption with Customer-Supplied Encryption Keys (CSEKs).
- (Optional) If the source (non-compliant) VM instance has additional data disks attached, choose Add new disk under Additional disks and configure the new disk according to the source data disk. For Encryption, select Customer-supplied encryption key (CSEK), paste your own key in the Encryption key text box, and select Wrapped key to ensure that the encryption key is wrapped with the Compute Engine public key. Choose Select to apply the changes. This will enable data disk encryption with Customer-Supplied Encryption Keys (CSEKs).
- For Data protection, configure the data backup and replication settings. This will help you protect your instance data against failures and errors.
- For Networking, configure the instance networking features such as the network interfaces and firewall rules (must match the network configuration of the source instance).
- For Observability, configure the monitoring and logging settings for the new VM instance.
- For Security, configure the identity and API access for the instance, and enable security features such as Shielded VM.
- For Advanced, configure the advanced settings for the new VM instance (must match the advanced configuration of the source instance).
- Choose Create to launch your new Google Compute Engine instance.
13 Repeat steps no. 5 – 12 to enable encryption at rest with Customer-Supplied Encryption Keys (CSEKs) for each VM instance provisioned for the selected GCP project.
14 Repeat steps no. 2 – 13 for each GCP project available in your Google Cloud account.
Using GCP CLI
01 Run compute instances describe command (Windows/macOS/Linux) with the name of the virtual machine (VM) instance that you want to re-create as the identifier parameter, to describe and collect the configuration information available for the selected instance:
gcloud compute instances describe cc-production-instance --zone us-central1-a
02 The command output should return the requested configuration information:
cpuPlatform: Intel Haswell
deletionProtection: false
disks:
- autoDelete: true
  boot: true
  deviceName: cc-production-instance
  diskSizeGb: '150'
  guestOsFeatures:
  - type: VIRTIO_SCSI_MULTIQUEUE
  - type: UEFI_COMPATIBLE
  interface: SCSI
  kind: compute#attachedDisk
  mode: READ_WRITE
  source: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-production-instance
  type: PERSISTENT
displayDevice:
  enableDisplay: false
...
kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-production-instance
enableIntegrityMonitoring: true
enableSecureBoot: false
enableVtpm: true
shieldedInstanceIntegrityPolicy:
  updateAutoLearnPolicy: true
startRestricted: false
status: RUNNING
tags:
  items:
  - http-server
  - https-server
zone: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a
03 Run compute instances stop command (Windows/macOS/Linux) to stop the VM instance that you want to re-create:
gcloud compute instances stop cc-production-instance --zone=us-central1-a
04 The command output should return the compute instances stop request status:
Stopping instance(s) cc-production-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].
05 Run compute images create command (Windows/macOS/Linux) with the name of the boot disk attached to the source instance as the value of the --source-disk parameter, to create an image from the selected instance disk. The boot disk image will be used later, when the new VM instance is created:
gcloud compute images create cc-production-boot-disk-image --source-disk cc-production-instance-boot-disk --source-disk-zone us-central1-a --storage-location us
06 The command output should return the name and the status of the newly created disk image:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/images/cc-production-boot-disk-image].
NAME: cc-production-boot-disk-image
PROJECT: cc-web-stack-project-123123
STATUS: READY
07 Run compute instances start command (Windows/macOS/Linux) to restart the source Google Compute Engine instance:
gcloud compute instances start cc-production-instance --zone=us-central1-a
08 The command output should return the compute instances start request status:
Starting instance(s) cc-production-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].
09 Define the Customer-Supplied Encryption Key (CSEK) that you want to use for your VM instance disk encryption and save it to a JSON file named cc-csek-key.json. The CSEK definition file contains the fully-qualified URI to the resource that the key protects, the corresponding key, and the type of the key, either raw (non-RSA wrapped) or rsa-encrypted, as shown in the example below:
[
{
"uri": "https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-encrypted-production-instance",
"key": "abcdabcdabcdabcdbacdbacdbacdbacdbacdbacdbabcd",
"key-type": "raw"
}
]
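The Case B introduction requires the CSEK to be a 256-bit key in RFC 4648 standard base64, and step no. 09 shows the key-file layout. The following Python is an added example, not from the Conformity page or from Google: it generates such a key from the OS CSPRNG, validates a key strictly (alphabet, length, canonical encoding) and assembles the JSON key file with owner-only permissions. The project, zone and disk names reuse the page's sample values; the sample key strings in the tests are constructed.

```python
"""Generate, validate and package a raw Customer-Supplied Encryption Key (added example)."""
import base64
import json
import os
import secrets
from typing import Dict, List

COMPUTE_API = "https://compute.googleapis.com/compute/v1"
KEY_TYPES = ("raw", "rsa-encrypted")  # the two key-type values the key file accepts


def generate_raw_csek() -> str:
    """Fresh 256-bit key from the OS CSPRNG, as RFC 4648 standard base64 (44 chars)."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def validate_raw_csek(key: str) -> bytes:
    """Return the 32 raw key bytes, or raise ValueError.

    validate=True refuses characters outside the standard alphabet (so a
    URL-safe '-'/'_' encoding is rejected), the length check enforces 256 bits,
    and the re-encode comparison rejects missing padding or stray trailing bits
    that a lenient decoder would silently accept, so the string you keep on file
    is the one canonical encoding of the key bytes.
    """
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key is not standard base64: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"key must be 256 bits (32 bytes), got {len(raw) * 8} bits")
    if base64.b64encode(raw).decode("ascii") != key:
        raise ValueError("key is not canonically encoded")
    return raw


def is_valid_raw_csek(key: str) -> bool:
    """Boolean form of validate_raw_csek for use in checks and reports."""
    try:
        validate_raw_csek(key)
        return True
    except ValueError:
        return False


def disk_uri(project: str, zone: str, disk: str) -> str:
    """Fully qualified URI of the disk the key protects. For the boot disk created
    together with a new instance, the disk name equals the instance name."""
    return f"{COMPUTE_API}/projects/{project}/zones/{zone}/disks/{disk}"


def key_file_entry(project: str, zone: str, disk: str, key: str,
                   key_type: str = "raw") -> Dict[str, str]:
    """One element of the --csek-key-file list; only raw keys are checked here,
    an rsa-encrypted key is the RSA-wrapped key and is longer than 32 bytes."""
    if key_type not in KEY_TYPES:
        raise ValueError(f"key-type must be one of {KEY_TYPES}")
    if key_type == "raw":
        validate_raw_csek(key)
    return {"uri": disk_uri(project, zone, disk), "key": key, "key-type": key_type}


def render_key_file(entries: List[Dict[str, str]]) -> str:
    """Serialize the entries in the layout gcloud expects."""
    return json.dumps(entries, indent=2) + "\n"


def write_key_file(path: str, entries: List[Dict[str, str]]) -> None:
    """Write the file owner-read/write only (0600): it holds the key material
    itself, which Compute Engine never stores and cannot recover for you."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_key_file(entries))


if __name__ == "__main__":
    key = generate_raw_csek()
    entries = [key_file_entry("cc-web-stack-project-123123", "us-central1-a",
                              "cc-encrypted-production-instance", key)]
    write_key_file("cc-csek-key.json", entries)
    print(render_key_file(entries), end="")
```

Add a second key_file_entry (with its own key) for each data disk you attach with --disk=name=<data-disk-name>, and keep the resulting cc-csek-key.json out of version control.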
10 Run the compute instances create command (Windows/macOS/Linux) to launch a new Google Compute Engine instance using the configuration information collected in step no. 2. For the --csek-key-file parameter, specify the Customer-Supplied Encryption Key (CSEK) definition file created in the previous step (i.e., cc-csek-key.json). (Optional) For additional (data) instance disks, include the --disk=name=<data-disk-name> parameter in the command request, where <data-disk-name> is the name of the data disk that you want to attach to the instance:
gcloud compute instances create cc-encrypted-production-instance --project=cc-web-stack-project-123123 --zone=us-central1-a --machine-type=n1-standard-8 --image=projects/cc-web-stack-project-123123/global/images/cc-production-boot-disk-image --boot-disk-size=150GB --csek-key-file=cc-csek-key.json
11 The command output should return the information available for the new VM instance:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-encrypted-production-instance].
NAME: cc-encrypted-production-instance
ZONE: us-central1-a
MACHINE_TYPE: n1-standard-8
INTERNAL_IP: 10.128.0.60
EXTERNAL_IP: xxx.xxx.xxx.xxx
STATUS: RUNNING
12 Repeat steps no. 1 – 11 to enable encryption at rest with Customer-Supplied Encryption Keys (CSEKs) for each production VM instance provisioned within the selected GCP project.
13 Repeat steps no. 1 – 12 for each GCP project deployed in your Google Cloud account.