# Create a CMEK policy

Last updated 2025-09-04 UTC.

This page provides instructions for how to create a customer-managed
encryption key (CMEK) policy.

Create a CMEK policy
--------------------

Use the following instructions to create a CMEK policy using the
Google Cloud console or Google Cloud CLI:

### Console

1. Go to the **NetApp Volumes** page in the Google Cloud console.

   [Go to NetApp Volumes](https://console.cloud.google.com/netapp/volumes)

2. Select **CMEK policies**.

3. Under **Create a CMEK policy**, click **Create**.

4. Enter a unique name in the **name** field for the CMEK policy.

5. Optional: Add a description in the **description** field.

6. Select a region from the **region** field for the policy.

7. Select a Cloud KMS key from the following options:

   - Choose from the Cloud KMS keys from your project that
     appear in the drop-down menu.

   - Select **Switch project** if you want to look for a
     Cloud KMS key in a different project. You need
     `roles/cloudkms.viewer` in the selected project to be able to browse
     keys.

   - Select **Enter key manually** if you want to enter a key manually.
     This is helpful if you don't have permissions to look up the key you
     intend to use.

8. Optional: Add a label in the **labels** field.

9. Click **Create**.

Your CMEK policy appears on the CMEK policies page. The status of the
policy has an exclamation mark. The exclamation mark indicates that this policy needs
verification before it's usable. For more information, see
[Verify key access](/netapp/volumes/docs/configure-and-use/cmek/verify-key-access).

### gcloud

Use the following instructions to create a CMEK policy using the
Google Cloud CLI.

1. Run the `kms-configs` command with the following parameters:

   ```bash
   gcloud netapp kms-configs create CONFIG_NAME \
     --project=PROJECT_ID \
     --location=LOCATION \
     --kms-project=KEY_RING_PROJECT \
     --kms-location=KEY_RING_LOCATION \
     --kms-keyring=KEY_RING \
     --kms-key=KEY_NAME
   ```

Replace the following information:

- `CONFIG_NAME`: the name of the config to be created.
  This name must be unique per region.

- `PROJECT_ID`: the name of the project you want to
  create the CMEK policy in.

- `LOCATION`: the region of the config to be created
  in. Google Cloud NetApp Volumes only supports one config per region.

- `KEY_RING_PROJECT`: the project ID of the project
  hosting the KMS key ring.

- `KEY_RING_LOCATION`: the location of the KMS key
  ring.

- `KEY_RING`: the name of the KMS key ring.

- `KEY_NAME`: the name of the KMS key.

For more options, see
[Google Cloud SDK documentation for Cloud Key Management Service](/sdk/gcloud/reference/netapp/kms-configs).

What's next
-----------

[Verify key access](/netapp/volumes/docs/configure-and-use/cmek/verify-key-access).
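The gcloud step above, wrapped as an added example that is not part of the NetApp Volumes documentation: it splits a full Cloud KMS key resource name (`projects/.../locations/.../keyRings/.../cryptoKeys/...`) into the four `--kms-*` flags and refuses to create a config in a region that already has one. The function names, the exit codes and the `GCLOUD` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Google's code. GCLOUD is a hypothetical override hook so
# the logic can be exercised with a stub instead of the real CLI.
GCLOUD=${GCLOUD:-gcloud}

# parse_kms_key KEY_RESOURCE
# Sets KMS_PROJECT, KMS_LOCATION, KMS_KEYRING and KMS_KEY, or returns 1 when
# the argument is not a CryptoKey resource name (bare key name, key *version*
# path, empty segment, trailing slash).
parse_kms_key() {
  case $1 in
    *//*|*/) return 1 ;;
    projects/*/locations/*/keyRings/*/cryptoKeys/*) ;;
    *) return 1 ;;
  esac
  set -f; old_ifs=$IFS; IFS=/
  set -- $1                      # split the path on "/" with globbing off
  IFS=$old_ifs; set +f
  [ $# -eq 8 ] || return 1       # a key version path has 10 segments
  KMS_PROJECT=$2 KMS_LOCATION=$4 KMS_KEYRING=$6 KMS_KEY=$8
}

# create_cmek_policy CONFIG_NAME PROJECT_ID LOCATION KEY_RESOURCE
# Exit codes (this example's convention): 2 = bad key name,
# 3 = the region already has a config, 1 = the list call itself failed.
create_cmek_policy() {
  parse_kms_key "$4" || {
    echo "not a Cloud KMS key resource name: $4" >&2
    return 2
  }
  # NetApp Volumes supports one config per region, so check before creating.
  existing=$("$GCLOUD" netapp kms-configs list --project="$2" \
    --location="$3" --format='value(name)') || return 1
  if [ -n "$existing" ]; then
    echo "region $3 already has a CMEK policy: $existing" >&2
    return 3
  fi
  "$GCLOUD" netapp kms-configs create "$1" --project="$2" --location="$3" \
    --kms-project="$KMS_PROJECT" --kms-location="$KMS_LOCATION" \
    --kms-keyring="$KMS_KEYRING" --kms-key="$KMS_KEY"
}

# Runs only when called with all four arguments, for example:
#   ./create-cmek.sh CONFIG_NAME PROJECT_ID LOCATION KEY_RESOURCE
if [ $# -eq 4 ]; then
  create_cmek_policy "$@"
fi
```

A policy created this way still needs verification before it is usable, as described in Verify key access.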