Integrate with Google Compute Engine

Access Google Compute Engine in the Google Cloud Platform Console

From Products & services, select Compute Engine.

Download the Google Compute Engine public key certificate

To protect the delivery of the customer-supplied encryption key, Google provides a public key, carried in a certificate, that is used to wrap the generated key before it is sent. The public key certificate is available at https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem.

We recommend confirming that this certificate is valid before use. See https://cloud.google.com/compute/docs/disks/customer-supplied-encryption for additional information.

Use cssadmin to generate, wrap and export a key

Using the downloaded public key certificate, call cssadmin as follows:

cssadmin google-compute-engine <key name> <wrapping key> <wrapping algorithm>

At the time of writing, only RSAES_OAEP_SHA_1 is supported.
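The two steps above, checking that the wrapping certificate is valid and then wrapping a freshly generated key with RSAES-OAEP using SHA-1, can be seen end to end in the following Go program. This is an added example, not code from this page, from cssadmin or from Google; it uses only the Go standard library. Because it runs offline, it constructs its own self-signed certificate to stand in for the Google ingress certificate, and keeps the matching private key only so that the wrap can be checked by unwrapping it locally (Google holds the real private key). The 32-byte key size and the base64 encoding of the wrapped blob are what Google Compute Engine expects for a wrapped customer-supplied key; the function and type names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseWrappingCert decodes a PEM certificate, checks that it is within its
// validity window at time "now" and returns the RSA public key it carries.
func ParseWrappingCert(pemBytes []byte, now time.Time) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return pub, nil
}

// GenerateDiskKey returns a fresh 256-bit key, the size Google Compute Engine
// expects for a customer-supplied disk encryption key.
func GenerateDiskKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapKey applies RSAES-OAEP with SHA-1 (RSAES_OAEP_SHA_1, the only algorithm
// the page lists) and returns the base64 string that is pasted into the console.
func WrapKey(pub *rsa.PublicKey, key []byte) (string, error) {
	if len(key) != 32 {
		return "", fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	ct, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapKey is the inverse operation, present only so the round trip can be
// verified against the locally generated key pair.
func UnwrapKey(priv *rsa.PrivateKey, wrapped string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha1.New(), nil, priv, ct, nil)
}

// NewTestCert builds a self-signed certificate that stands in for the Google
// ingress certificate. It is constructed locally for this example only.
func NewTestCert(notBefore, notAfter time.Time) ([]byte, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "csek-ingress-test (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), priv, nil
}

func main() {
	now := time.Now()
	certPEM, _, err := NewTestCert(now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	pub, err := ParseWrappingCert(certPEM, now)
	if err != nil {
		panic(err)
	}
	key, err := GenerateDiskKey()
	if err != nil {
		panic(err)
	}
	wrapped, err := WrapKey(pub, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped key (paste under Encryption > Wrapped key):", wrapped)
}
```

Note that ParseWrappingCert only checks the validity window and key type; it does not establish that a downloaded file is the genuine Google certificate. Confirming the certificate's origin, as the preceding section recommends, is a separate step that this example does not replace.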

Encrypt a disk with the wrapped key material

  1. From within Google Compute Engine, select Disks.

    1. Select CREATE DISK.

    2. Specify the details of the disk to be created.

  2. Under Encryption:

    1. Select Customer supplied.

    2. Check Wrapped key.

    3. Paste the contents of <key name>-wrapped.

    4. Select Create.

When the disk is created, it should be shown as ready for use, with Encryption shown as Customer supplied. The Google Compute Engine key is now ready for use.

From this point on, the user has extended trust to Google for both the use of the key and its eventual destruction.