Use customer-managed encryption keys (CMEK)

By using customer-managed encryption keys (CMEK), you have control over your keys: their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud Key Management Service (Cloud KMS).

Before you begin

  1. Make sure that you have the Redis Admin role on your user account. You can verify this on the IAM page.

Workflow to create a cluster that uses CMEK

  1. Create a key ring and key in the location where you want the cluster in Memorystore for Redis Cluster to be.

  2. Copy or write down the key name (KEY_NAME), the location of the key, and the name of the key ring (KEY_RING). You need this information when granting the service account access to the key.

  3. Grant the Memorystore for Redis Cluster service account access to the key.

  4. Go to a project and create a cluster in Memorystore for Redis Cluster with CMEK enabled, in the same region as the key ring and key.

Your cluster is now enabled with CMEK.

Create a key ring and key

Create a key ring and key. Both must be in the same region as your cluster in Memorystore for Redis Cluster. The key can be in a different project, as long as it is in the same region. Also, the key must use the symmetric encryption algorithm.

After you create the key ring and key, copy or write down the KEY_NAME, the key location, and the KEY_RING. You need this information when you grant the service account access to the key.

Before you can create a cluster in Memorystore for Redis Cluster that uses CMEK, you must grant a specific Memorystore for Redis Cluster service account access to the key.

You can grant the service account access to the key by using the gcloud CLI. The service account has the following format:

service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com

To grant the service account access to the key, use the gcloud kms keys add-iam-policy-binding command:

gcloud kms keys add-iam-policy-binding \
    projects/PROJECT_ID/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME \
    --member=serviceAccount:service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Make the following replacements:

  • PROJECT_ID: the ID or number of the project that contains the key ring
  • REGION_ID: the region where the key ring is located
  • KEY_RING: the name of the key ring that contains the key
  • KEY_NAME: the name of the key to which you're granting the service account access
  • PROJECT_NUMBER: the ID or number of the project that contains the service account

Create a cluster that uses CMEK

You can create a cluster that uses CMEK by using the gcloud CLI.

To create a cluster that uses CMEK, use the gcloud redis clusters create command:

gcloud redis clusters create CLUSTER_ID \
    --project=PROJECT_NAME \
    --region=REGION_ID \
    --network=NETWORK_ID \
    --kms-key=projects/PROJECT_NAME/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME \
    --shard-count=SHARD_NUMBER \
    --persistence-mode=PERSISTENCE_MODE

Make the following replacements:

  • CLUSTER_ID: the ID of the cluster that you're creating.
  • PROJECT_NAME: the name of the project where you want to create the cluster.
  • REGION_ID: the ID of the region where you want the cluster to be located.
  • NETWORK_ID: the ID of the network that you want to use to create the cluster.
  • KEY_RING: the name of the key ring that contains the key.
  • KEY_NAME: the name of the key.
  • SHARD_NUMBER: the number of shards that you want to have for the cluster.
  • PERSISTENCE_MODE: the persistence mode for the cluster. You can set this mode to one of the following values:
    • aof: you enable Append-Only File (AOF)-based persistence for the cluster.
    • disabled: you deactivate persistence for the cluster.
    • rdb: you enable Redis Database (RDB)-based persistence for the cluster.

View key information for a CMEK-enabled cluster

You can view information about your CMEK-enabled cluster by using the gcloud CLI. This information includes whether CMEK is enabled for your cluster and the active key.

To verify whether CMEK is enabled and to see the key reference, use the gcloud redis clusters describe command and view the encryptionInfo and kmsKey fields:

gcloud redis clusters describe CLUSTER_ID \
    --project=PROJECT_NAME \
    --region=REGION_ID

Make the following replacements:

  • CLUSTER_ID: the ID of the cluster about which you want to view information
  • PROJECT_NAME: the name of the project that contains the cluster
  • REGION_ID: the ID of the region where the cluster is located
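The workflow above (grant the service agent access to the key, then create the cluster) and the describe-based verification, as an added example that is not part of the original page or of the gcloud CLI itself. It composes the page's commands, refuses a key whose location does not match the cluster region, and checks describe output against the expected key. The `encryptionType` sub-field and its `CUSTOMER_MANAGED_ENCRYPTION` value are assumptions; only `encryptionInfo` and `kmsKey` come from the page, and the sample describe output is constructed.

```python
import json
import re

# Resource-name shape accepted by --kms-key and by add-iam-policy-binding.
KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")

# Constructed sample of describe --format=json output (encryptionType sub-field is assumed).
SAMPLE_DESCRIBE = json.dumps({
    "kmsKey": "projects/key-proj/locations/us-central1/keyRings/redis-ring/cryptoKeys/redis-key",
    "encryptionInfo": {"encryptionType": "CUSTOMER_MANAGED_ENCRYPTION"},
})

def kms_key_resource(project, region, key_ring, key_name):
    """Full Cloud KMS key name; the key project may differ from the cluster project."""
    return f"projects/{project}/locations/{region}/keyRings/{key_ring}/cryptoKeys/{key_name}"

def redis_service_account(project_number):
    """Memorystore for Redis Cluster service agent that must be allowed to use the key."""
    return f"service-{project_number}@cloud-redis.iam.gserviceaccount.com"

def plan_cmek_cluster(cluster_id, project, project_number, region, network,
                      kms_key, shard_count=3, persistence_mode="rdb"):
    """Return the page's two gcloud commands in order; a key outside the cluster
    region is refused up front because the service would reject it anyway."""
    match = KEY_RE.match(kms_key)
    if not match:
        raise ValueError(f"not a Cloud KMS key resource name: {kms_key}")
    if match.group(1) != region:
        raise ValueError(f"key is in {match.group(1)} but the cluster region is {region}")
    if persistence_mode not in ("aof", "disabled", "rdb"):
        raise ValueError(f"unsupported persistence mode: {persistence_mode}")
    member = f"serviceAccount:{redis_service_account(project_number)}"
    return [
        f"gcloud kms keys add-iam-policy-binding {kms_key} --member={member} "
        "--role=roles/cloudkms.cryptoKeyEncrypterDecrypter",
        f"gcloud redis clusters create {cluster_id} --project={project} --region={region} "
        f"--network={network} --kms-key={kms_key} --shard-count={shard_count} "
        f"--persistence-mode={persistence_mode}",
    ]

def cmek_status(describe_json, expected_key):
    """Check describe output: True only if CMEK is active and uses expected_key."""
    cluster = json.loads(describe_json)
    enc_type = cluster.get("encryptionInfo", {}).get("encryptionType")  # assumed field
    if enc_type != "CUSTOMER_MANAGED_ENCRYPTION":  # assumed enum value
        return False, f"cluster is not CMEK-protected (encryptionType={enc_type})"
    if cluster.get("kmsKey") != expected_key:
        return False, f"cluster uses a different key: {cluster.get('kmsKey')}"
    return True, "CMEK active with the expected key"
```

Feed `cmek_status` the real output of `gcloud redis clusters describe CLUSTER_ID --project=PROJECT_NAME --region=REGION_ID --format=json` to confirm a cluster is bound to the key you intended.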

Manage key versions

For information about what happens when you disable, destroy, rotate, enable, and restore a key version, see Behavior of a CMEK key version.

For instructions on how to disable and re-enable key versions, see Enable and disable key versions.

For instructions on how to destroy and restore key versions, see Destroy and restore key versions.

What's next
