Encrypt a TPU VM boot disk with a customer-managed encryption key (CMEK)
By default, Cloud TPU encrypts customer content at rest. Cloud TPU handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Cloud TPU. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Cloud TPU resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
To use a CMEK, you need to create a key ring. You must create your key ring in the same location as where you plan to create your Cloud TPU. For example, a Cloud TPU in the us-central1-a zone can only use a key in the us-central1 region.
Next, create a key in your key ring. After creating a CMEK, you will need to grant the Compute Engine service agent access to your key.
Grant permission to use the key
You must grant the Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) IAM role on the Cloud KMS key to the Compute Engine service agent in your Google Cloud project. Granting this role allows the Compute Engine service to access and use your encryption key.
To grant the roles/cloudkms.cryptoKeyEncrypterDecrypter role to the Compute Engine service agent, select one of the following options:
gcloud
Run the following command:
```
gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location LOCATION \
    --keyring RING_NAME \
    --member serviceAccount:service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --project KEY_PROJECT_ID
```
Replace the following:
-  KEY_NAME: the name of your key.
-  LOCATION: the location where you created your key ring.
-  RING_NAME: the name of your key ring.
-  PROJECT_NUMBER: your Google Cloud project number.
-  KEY_PROJECT_ID: the ID of the project that contains your key.
Console
- In the Google Cloud console, go to the Key management page.
- Click the name of the key ring that contains the key.
- Click the name of the key that you want to modify.
- Click the Permissions tab.
- Click Grant access. The Grant access to key pane opens.
- In the New principals field, enter the name of the Compute Engine service agent: service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com. Replace PROJECT_NUMBER with your Google Cloud project number.
- In the Select a role menu, select Cloud KMS CryptoKey Encrypter/Decrypter.
- Click Save.
Create a TPU VM with a CMEK
You can specify a CMEK when creating a TPU VM by using the TPU API or the Queued Resources API.
TPU API
To specify a CMEK when creating a TPU VM by using the Cloud TPU API, use the --boot-disk argument to the tpu-vm create command to specify the encryption key to use:
```
gcloud compute tpus tpu-vm create TPU_NAME \
    --zone ZONE \
    --boot-disk kms-key=projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
    --version=TPU_RUNTIME_VERSION \
    --accelerator-type=ACCELERATOR_TYPE
```
Replace the following:
-  TPU_NAME: the name of your TPU VM.
-  ZONE: the zone where you plan to create your Cloud TPU.
-  PROJECT_ID: your Google Cloud project ID.
-  REGION: the region where you created your key ring.
-  RING_NAME: the name of your key ring.
-  KEY_NAME: the name of your key.
-  TPU_RUNTIME_VERSION: the Cloud TPU software version.
-  ACCELERATOR_TYPE: the accelerator type for the Cloud TPU that you want to create. For more information about supported accelerator types for each TPU version, see TPU versions.
Queued Resources API
To specify a CMEK when creating a TPU VM by using the Queued Resources API, use the --boot-disk argument to the queued-resources create command to specify the encryption key to use:
```
gcloud compute tpus queued-resources create QUEUED_RESOURCE_ID \
    --zone ZONE \
    --node-id NODE_ID \
    --boot-disk kms-key=projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME \
    --runtime-version=TPU_RUNTIME_VERSION \
    --accelerator-type=ACCELERATOR_TYPE
```
Replace the following:
-  QUEUED_RESOURCE_ID: the user-assigned ID of the queued resource request.
-  ZONE: the zone where you plan to create your Cloud TPU.
-  NODE_ID: the user-assigned ID of the Cloud TPU that is created when the queued resource request is allocated.
-  PROJECT_ID: your Google Cloud project ID.
-  REGION: the region where you created your key ring.
-  RING_NAME: the name of your key ring.
-  KEY_NAME: the name of your key.
-  TPU_RUNTIME_VERSION: the Cloud TPU software version.
-  ACCELERATOR_TYPE: the accelerator type for the Cloud TPU that you want to create. For more information about supported accelerator types for each TPU version, see TPU versions.
For information about creating TPU VMs with CMEKs by using GKE, see Use customer-managed encryption keys in the GKE documentation.
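As an added example that is not part of the Cloud TPU documentation, the following shell script strings the steps on this page together: it derives the Cloud KMS location from the TPU zone (so the key ring is created in the one region the TPU can actually use), builds the key resource name that the --boot-disk kms-key field expects, grants the Compute Engine service agent the Encrypter/Decrypter role, checks that the key has at least one ENABLED version before the boot disk is bound to it, and creates the TPU VM. The environment variable names, the DRY_RUN and RUN_EXAMPLE switches, and the helper function names are assumptions of this example; the gcloud commands are the ones documented on this page plus gcloud kms keyrings create, gcloud kms keys create and gcloud kms keys versions list.

```shell
#!/bin/sh
# Added example, not from the Cloud TPU documentation. Assumes the environment
# variables checked in main() and, optionally, DRY_RUN=1 to print the gcloud
# commands instead of running them. Set RUN_EXAMPLE=1 to execute main().
set -eu

# Derive the Cloud KMS location (a region) from a TPU zone:
# "us-central1-a" -> "us-central1". Rejects inputs that are not zones.
region_from_zone() {
  zone="$1"
  case "$zone" in
    *-*-[a-z]) printf '%s\n' "${zone%-*}" ;;
    *) echo "not a zone: $zone" >&2; return 1 ;;
  esac
}

# Succeed only if the key ring's location is the region that contains the zone.
check_key_location() {
  [ "$(region_from_zone "$1")" = "$2" ]
}

# Build the full key resource name used in --boot-disk kms-key=...
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Read the output of
#   gcloud kms keys versions list ... --format="value(name,state)"
# (one "NAME<TAB>STATE" line per version) on stdin; succeed if any is ENABLED.
has_enabled_version() {
  awk '$NF == "ENABLED" { found = 1 } END { exit !found }'
}

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

main() {
  : "${KEY_PROJECT_ID:?}" "${PROJECT_NUMBER:?}" "${ZONE:?}" "${RING_NAME:?}" \
    "${KEY_NAME:?}" "${TPU_NAME:?}" "${TPU_RUNTIME_VERSION:?}" "${ACCELERATOR_TYPE:?}"
  location="$(region_from_zone "$ZONE")"

  run gcloud kms keyrings create "$RING_NAME" --location "$location" --project "$KEY_PROJECT_ID"
  run gcloud kms keys create "$KEY_NAME" --keyring "$RING_NAME" --location "$location" \
      --purpose encryption --project "$KEY_PROJECT_ID"
  run gcloud kms keys add-iam-policy-binding "$KEY_NAME" --location "$location" \
      --keyring "$RING_NAME" \
      --member "serviceAccount:service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project "$KEY_PROJECT_ID"

  # Pre-flight: a disabled or destroyed key leaves the boot disk undecryptable
  # the next time the TPU VM is restarted, so refuse to bind a disk to one.
  if [ "${DRY_RUN:-0}" != "1" ]; then
    gcloud kms keys versions list --key "$KEY_NAME" --keyring "$RING_NAME" \
        --location "$location" --project "$KEY_PROJECT_ID" --format="value(name,state)" \
      | has_enabled_version || { echo "no ENABLED version on $KEY_NAME" >&2; exit 1; }
  fi

  key_path="$(kms_key_resource "$KEY_PROJECT_ID" "$location" "$RING_NAME" "$KEY_NAME")"
  run gcloud compute tpus tpu-vm create "$TPU_NAME" --zone "$ZONE" \
      --boot-disk "kms-key=${key_path}" --version "$TPU_RUNTIME_VERSION" \
      --accelerator-type "$ACCELERATOR_TYPE"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then main "$@"; fi
```

Running it with DRY_RUN=1 RUN_EXAMPLE=1 and the variables exported prints the exact gcloud invocations without touching the project, which is a convenient way to review the key path and principal before granting anything. The location check is the point to keep even if the rest is replaced: the IAM grant succeeds on a key in the wrong region, and the mismatch only surfaces when the TPU create call fails.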
Deleted or revoked CMEKs
If a CMEK is revoked or deleted, any TPU VM that uses a boot disk encrypted with the deleted or revoked CMEK won't be automatically shut down. The TPU VM will still be able to access data on the encrypted boot disk until the VM is shut down or restarted. This lets you recover your data if you restore access to a revoked or deleted key. If you re-enable a key, you can start or repair your TPU VM, and the boot disk will be successfully decrypted and loaded.