Troubleshooting disk encryption

This page shows you how to resolve issues with disk encryption.

Key rotation errors

This section lists the errors that you might encounter when rotating a customer-managed encryption key (CMEK) and provides suggestions for how to fix them.

CMEK rotation is not supported for non-CMEK protected disks

The following error occurs when you try to rotate a CMEK on an unsupported resource:

CMEK rotation is not supported for non-CMEK protected disks

To resolve this issue, confirm that your resource is protected using Cloud Key Management Service.

CMEK rotation is not supported for some Google Cloud Hyperdisk configurations

The following error message occurs when you try to rotate or change the CMEK for an online Confidential Hyperdisk volume, or an online Hyperdisk volume that isn't attached to one of the supported machine types:

CMEK Rotation is not supported for (confidential) Hyperdisk attached to machine type TYPE_X

To work around this issue, complete the following steps:

  1. Detach the disk.
  2. Rotate or change the CMEK using the compute.disks.updateKmsKey method.
  3. Re-attach the disk.

Disk is already using the primary kms key version

The following warning message occurs when a disk or standard snapshot already uses the primary key version:

WARNING: Some requests generated warnings:
 - Disk DISK_NAME is already using the primary kms key version KEY_VERSION.

In this scenario, the API call will succeed but the key version won't update.

This issue might occur due to a delay in the versioning update from KMS. To resolve this issue, re-attempt rotating the key at a later time.

If the task fails but you don't see the previous error message, you can manually rotate your Cloud KMS key using the following steps:

  1. Rotate your Cloud KMS key.
  2. Create a snapshot of the encrypted disk.
  3. Use the new snapshot to create a new disk with the key rotated in the preceding step.
  4. Replace the disk attached to your VM that uses the old encryption key.

When you create the new disk, it uses the new key version for encryption. Any snapshots that you create from that disk use the latest primary key version.
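The manual rotation procedure above, scripted with gcloud as an added example (not part of the Compute Engine documentation). It also checks afterwards whether the new disk references the key's primary version, which is the condition behind the "already using the primary kms key version" warning; all project, zone, disk and key names are assumed placeholders.

```bash
# Added example: manual CMEK rotation via snapshot (steps 1-4 above) plus a check
# that the new disk references the key's primary version. Placeholder names only.
set -euo pipefail

PROJECT=${PROJECT:-my-project}      ZONE=${ZONE:-us-central1-a}
INSTANCE=${INSTANCE:-my-vm}         OLD_DISK=${OLD_DISK:-data-disk}
NEW_DISK=${NEW_DISK:-data-disk-v2}  SNAPSHOT=${SNAPSHOT:-data-disk-rotate}
KMS_LOCATION=${KMS_LOCATION:-us-central1} KEYRING=${KEYRING:-disk-ring} KEY=${KEY:-disk-key}
KMS_KEY="projects/$PROJECT/locations/$KMS_LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY"

# Compare two Cloud KMS resource names. Returns 0 only when both point at the
# same key AND the same cryptoKeyVersions/N ("already using the primary version").
# A disk key name without a version component (non-CMEK disk) never matches.
disk_uses_primary_version() {
  local disk_key="$1" primary="$2"
  case "$disk_key" in */cryptoKeyVersions/*) ;; *) return 1 ;; esac
  [ "${disk_key%/cryptoKeyVersions/*}" = "${primary%/cryptoKeyVersions/*}" ] || return 1
  [ "${disk_key##*/cryptoKeyVersions/}" = "${primary##*/cryptoKeyVersions/}" ]
}

# Key version currently marked primary on the CryptoKey.
primary_version() {
  gcloud kms keys describe "$KEY" --keyring "$KEYRING" --location "$KMS_LOCATION" \
    --format='value(primary.name)'
}

# Key version recorded on a disk (empty for a non-CMEK disk).
disk_key_version() {
  gcloud compute disks describe "$1" --zone "$ZONE" --format='value(diskEncryptionKey.kmsKeyName)'
}

manual_rotate() {
  # Step 1: rotate the key by creating a new version and making it primary.
  gcloud kms keys versions create --key "$KEY" --keyring "$KEYRING" --location "$KMS_LOCATION" --primary
  # Step 2: snapshot the disk that still carries the old key version.
  gcloud compute snapshots create "$SNAPSHOT" --source-disk "$OLD_DISK" --source-disk-zone "$ZONE"
  # Step 3: restore into a new disk under the rotated key; the primary version is used.
  gcloud compute disks create "$NEW_DISK" --zone "$ZONE" --source-snapshot "$SNAPSHOT" --kms-key "$KMS_KEY"
  # Step 4: swap the disks (stop the VM first if OLD_DISK is its boot disk).
  gcloud compute instances detach-disk "$INSTANCE" --disk "$OLD_DISK" --zone "$ZONE"
  gcloud compute instances attach-disk "$INSTANCE" --disk "$NEW_DISK" --zone "$ZONE"
  # Verify; a mismatch here is the KMS version propagation delay described above.
  if disk_uses_primary_version "$(disk_key_version "$NEW_DISK")" "$(primary_version)"; then
    echo "$NEW_DISK is encrypted with the primary key version"
  else
    echo "$NEW_DISK is not on the primary version yet; retry the check later" >&2
    return 1
  fi
}
```

Run `manual_rotate` after exporting the real names; only the comparison helper runs without gcloud.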

When you rotate a key using Cloud Key Management Service, data that was encrypted with previous key versions is not automatically re-encrypted. For more information, see Re-encrypting data. Rotating a key does not automatically disable or destroy an existing key version.
