This page provides instructions for creating a Memorystore for Redis instance that uses customer-managed encryption keys (CMEK). It also provides instructions for managing instances that use CMEK. For more information about CMEK for Memorystore for Redis, see About customer-managed encryption keys (CMEK).
Before you begin
- Make sure that you have the Redis Admin role on your user account.
Workflow to create an instance that uses CMEK
- Create a key ring and key in the location where you want the Memorystore for Redis instance to be.
- Copy or write down the key name (KEY_NAME), the location of the key, and the name of the key ring (KEY_RING). You need this information when granting the service account access to the key.
- Grant the Memorystore for Redis service account access to the key.
- Go to a project and create a Memorystore for Redis instance with CMEK enabled in the same region as the key ring and key.
Your Memorystore for Redis instance is now enabled with CMEK.
Create a key ring and key
Create a key ring and key. Both must be in the same region as your Memorystore for Redis instance. The key can be from a different project, as long as the key is in the same region. Also, the key must use the symmetric encryption algorithm.
After you create the key ring and key, copy or write down the KEY_NAME, the key location, and the KEY_RING. You need this information when you grant the service account access to the key.
Grant the Memorystore for Redis service account access to the key
Before you can create a Memorystore for Redis instance that uses CMEK, you must grant a specific Memorystore for Redis service account access to the key. You can grant the service account access to the key by using the Google Cloud console or the Google Cloud CLI.
The service account that you grant access to has the following format:
service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com
Console
You grant the service account access to the key as part of the steps for creating a Memorystore for Redis instance that uses CMEK.
gcloud
To grant the service account access to the key, use the gcloud kms keys add-iam-policy-binding command. Replace VARIABLES with appropriate values.
```
gcloud kms keys add-iam-policy-binding KEY_NAME \
  --location=REGION_ID \
  --keyring=KEY_RING \
  --member=serviceAccount:service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
```
Create a Memorystore for Redis instance that uses CMEK
You can create an instance that uses CMEK by using the Google Cloud console or the gcloud CLI.
Console
- Make sure that you create a key ring and key in the same region where you want to create your instance.
- Follow the instructions at Create a Redis instance on a VPC network until you reach the step for enabling a customer-managed encryption key, then return to these instructions.
- Select Use a customer-managed encryption key (CMEK).
- Use the dropdown menu to select your key.
- If the Memorystore service account has not been granted the permissions it needs, a text box appears saying: The service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key.
- Click the Grant button to grant the role permission to the Memorystore service account.
- Finish selecting your desired configurations for your instance, and click the Create button to create your CMEK-enabled Memorystore for Redis instance.
gcloud
To create an instance that uses customer-managed encryption keys, enter the following command, replacing VARIABLES with appropriate values:
```
gcloud redis instances create [INSTANCE_ID] \
  --size=[SIZE] \
  --region=[REGION_ID] \
  --customer-managed-key=projects/[PROJECT_NAME]/locations/[REGION_ID]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]
```
View key information for a CMEK-enabled instance
You can view key information for a CMEK-enabled instance by using the Google Cloud console or the gcloud CLI. This information includes whether CMEK is enabled for your instance and the active key.
Console
- In the Google Cloud console, go to the Memorystore for Redis Instances page.
- View the Instance details page for your instance by clicking your Instance ID.
- Click the Security tab.
- The Encryption with a customer managed key section contains a link to the active key, and shows the key reference path. If this section does not appear, CMEK is not enabled for your instance.
gcloud
To verify whether CMEK is enabled, and to see the key reference, view the customerManagedKey field by running the following command:
```
gcloud redis instances describe INSTANCE_ID \
  --project=PROJECT \
  --region=REGION
```
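As an added example (not from this page or the Memorystore documentation), the following POSIX shell functions run offline against constructed `gcloud redis instances describe` output: they derive the service account in the format given above from a project number, read the customerManagedKey field, and confirm the key's location matches the instance region, which this page states is required. The project, instance, key ring and key names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Memorystore's own tooling. Offline checks on the output of
#   gcloud redis instances describe INSTANCE_ID --project=PROJECT --region=REGION
# All names and values below are constructed.

# Service account that must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key.
redis_cmek_service_account() {
  printf 'service-%s@cloud-redis.iam.gserviceaccount.com\n' "$1"
}

# Extract the customerManagedKey field from describe output.
# Prints the key resource path, or nothing when CMEK is not enabled.
cmek_key_from_describe() {
  printf '%s\n' "$1" | sed -n 's/^customerManagedKey:[[:space:]]*//p'
}

# Location component of a Cloud KMS key resource path
# (projects/P/locations/L/keyRings/R/cryptoKeys/K); prints nothing if malformed.
kms_key_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/keyRings/[^/]*/cryptoKeys/[^/]*$#\1#p'
}

# Returns 0 when the instance is CMEK-enabled and the key is in the instance's
# region (a Memorystore CMEK requirement), 1 otherwise, with a reason on stdout.
check_cmek() {
  describe_output=$1
  region=$2
  key=$(cmek_key_from_describe "$describe_output")
  [ -n "$key" ] || { echo "CMEK not enabled: no customerManagedKey field"; return 1; }
  loc=$(kms_key_location "$key")
  [ -n "$loc" ] || { echo "malformed key path: $key"; return 1; }
  [ "$loc" = "$region" ] || { echo "key location $loc differs from instance region $region"; return 1; }
  echo "CMEK key $key is in region $region"
}

# Constructed sample describe output (not a real instance).
SAMPLE_OK='name: projects/example-project/locations/us-central1/instances/cache-1
customerManagedKey: projects/example-kms-project/locations/us-central1/keyRings/redis-ring/cryptoKeys/redis-key
state: READY'

SAMPLE_NO_CMEK='name: projects/example-project/locations/us-central1/instances/cache-2
state: READY'

check_cmek "$SAMPLE_OK" us-central1
check_cmek "$SAMPLE_NO_CMEK" us-central1 || true
```

Pipe real `describe` output into `check_cmek` together with the region you passed to `--region` to catch an instance whose key sits in another region or that silently lacks CMEK.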
Manage key versions
For information about what happens when you disable, enable, destroy, or re-enable a key version, see Behavior of destroying/disabling a CMEK key version.
For instructions on how to disable and re-enable key versions, see Enabling and disabling key versions.
For instructions on how to destroy and restore key versions, see Destroying and restoring key versions.
What's next
- Learn more about Redis AUTH.
- Learn more about in-transit encryption.