Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use Customer-managed encryption keys (CMEK).

With CMEK, you can protect your Backup and DR data using a cryptographic key that you control through Cloud Key Management Service (Cloud KMS). When you use CMEK, you manage the key in Cloud Key Management Service, and you can control who can access it by managing Identity and Access Management permissions on the key. If you temporarily disable or permanently destroy the CMEK key, data protected by that key becomes inaccessible. For more information about CMEK in general, see Customer-managed encryption keys (CMEK).

Backup and DR uses CMEK to protect backup data stored in backup vaults.

How Backup and DR uses CMEK

Depending on the resource being backed up, Backup and DR uses CMEK keys to protect backups as follows:

  • For Compute Engine instance backups stored in a backup vault: If one or more disks attached to a Compute Engine instance are CMEK-encrypted, Backup and DR requires that instance to be backed up to a CMEK-enabled backup vault. If all disks attached to the instance use Google-managed encryption, then in the Google Cloud console you must store backups in a non-CMEK backup vault. However, if you use the Google Cloud CLI, API, or Terraform, you can configure backups for such an instance to be stored in a CMEK-enabled backup vault.

    If a Compute Engine instance backup is stored in a CMEK-enabled backup vault, its backup data is encrypted using the vault's Cloud Key Management Service key, regardless of the encryption status of the instance's disks.

  • For Persistent Disk backups: Backup and DR preserves the encryption of the source disk by relying on the source workload's encryption. If the source Persistent Disk is protected by CMEK, its backups are protected by the same CMEK key. If the source Persistent Disk uses Google-managed encryption, its backups also use Google-managed encryption and must be stored in a backup vault that is not configured with CMEK.

The following table summarizes which encryption key is used for backups of different workload types:

Workload                                                              Encryption key used for backup    CMEK support status
Compute Engine instance                                               Backup vault CMEK key             Supported
Compute Engine disk                                                   Source disk's encryption key      Supported
Cloud SQL                                                             -                                 Not supported
AlloyDB cluster                                                       -                                 Not supported
Filestore instance                                                    -                                 Not supported
Google Cloud VMware Engine, Oracle database, and SQL Server database  -                                 Not supported

Limitations

Backup and DR support for CMEK has the following limitations:

  • CMEK protection is only supported for Compute Engine instance and Persistent Disk backups stored in backup vaults.
  • You can configure CMEK on a backup vault only at creation time. You cannot enable, disable, or change CMEK on an existing backup vault.
  • The Cloud Key Management Service key must be in the same location as the backup vault. A backup vault in a region must use a key from the same region. A multi-regional backup vault must use a key from the same multi-region.
  • Backup and DR doesn't support customer-supplied encryption keys (CSEK).
  • The default backup vault and default backup plan use Google-managed encryption. To use CMEK, you must create a new backup vault and explicitly enable CMEK.

Before you begin

Before you begin using CMEK, complete the following steps:

  1. Enable the Cloud Key Management Service API in the project that will store your CMEK keys.

    Enable the API

  2. Create a Cloud Key Management Service key ring and key. When creating your key, ensure that you select a location that matches the location of your backup vault. A backup vault in a region must use a key from the same region. A multi-regional backup vault must use a key from the same multi-region.

  3. If not already created, create the Backup and DR service agent. The service agent is automatically created after the first Backup and DR resource (for example, a backup vault) is created in a project. If you need to grant permissions to the service agent before creating a backup vault, you can trigger its creation with the following command:

    gcloud beta services identity create --service=backupdr.googleapis.com --project=PROJECT_ID
    Replace PROJECT_ID with the ID of your project.

Grant permissions for CMEK

For Backup and DR to protect backups using CMEK, or to back up CMEK-protected resources, you need to grant IAM roles to specific service agents.

Grant permission to use vault CMEK key

When you configure CMEK for a backup vault, Backup and DR needs permission to use your CMEK key to encrypt and decrypt data. This permission must be granted to the Backup and DR service agent.

It's important to distinguish between two different service accounts used by Backup and DR:

  • Backup and DR service agent: This is a project-level service account used for managing Backup and DR resources and for accessing Cloud Key Management Service keys when a backup vault is configured with CMEK. This is the service agent that requires the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the CMEK key.
  • Backup vault service account: This is a unique, per-vault service account that you grant permissions to access and back up source workloads (such as Compute Engine instances). This service account is not used for CMEK encryption of data within the backup vault.

To use CMEK with Backup and DR, you must grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Backup and DR service agent. This service agent is a service account that Backup and DR uses to access resources on your behalf, including accessing your Cloud Key Management Service key during encryption and decryption operations.

The Backup and DR service agent is named in the following format:

service-VAULT_PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com

Replace VAULT_PROJECT_NUMBER with the project number of the project containing your backup vault.

You can grant this role at the time of backup vault creation using the Google Cloud console if you have permissions to grant IAM roles, or you can grant it ahead of time using the gcloud kms keys add-iam-policy-binding command:

gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location=KMS_LOCATION \
    --keyring=KEY_RING \
    --member=serviceAccount:service-VAULT_PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

You can grant this role on a specific key as shown in the example, or you can grant it at the key ring or project level. Granting permissions at the key level provides the most granular control and is recommended for the principle of least privilege. Granting permissions at the project or key ring level is more convenient if you intend for Backup and DR to use multiple keys within that scope, but it grants broader permissions.
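The following pre-flight script is an added example, not part of the Backup and DR documentation. It ties together the location requirement from "Before you begin" and the key-level binding above: it checks that the key's location matches the vault's location, derives the service agent email from the project number, and composes the least-privilege binding command. The key resource name and project number are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Backup and DR documentation). Pre-flight checks
# before granting the Backup and DR service agent access to a vault CMEK key.

# Extract the location segment from a full Cloud KMS key resource name:
# projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY
key_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/keyRings/[^/]*/cryptoKeys/[^/]*$#\1#p'
}

# The key must live in the same region or multi-region as the backup vault.
# Returns 0 when the locations match, 1 otherwise (or if the name is malformed).
location_matches() {
  loc=$(key_location "$1")
  [ -n "$loc" ] && [ "$loc" = "$2" ]
}

# Project-level service agent that needs roles/cloudkms.cryptoKeyEncrypterDecrypter.
service_agent() {
  printf 'service-%s@gcp-sa-backupdr.iam.gserviceaccount.com\n' "$1"
}

# Compose the binding on the key itself (least privilege: not key ring or project).
binding_command() {
  key="$1"; project_number="$2"
  loc=$(key_location "$key")
  ring=$(printf '%s' "$key" | sed 's#.*/keyRings/\([^/]*\)/.*#\1#')
  name=${key##*/}
  printf 'gcloud kms keys add-iam-policy-binding %s --location=%s --keyring=%s --member=serviceAccount:%s --role=roles/cloudkms.cryptoKeyEncrypterDecrypter\n' \
    "$name" "$loc" "$ring" "$(service_agent "$project_number")"
}

# Run the checks and print the command; pass "apply" as the fourth argument to execute it.
preflight() {
  key="$1"; vault_location="$2"; project_number="$3"; mode="${4:-print}"
  if ! location_matches "$key" "$vault_location"; then
    echo "key location '$(key_location "$key")' does not match vault location '$vault_location'" >&2
    return 1
  fi
  cmd=$(binding_command "$key" "$project_number")
  if [ "$mode" = "apply" ]; then eval "$cmd"; else printf '%s\n' "$cmd"; fi
}

# Constructed sample values (placeholders, not a real project or key).
SAMPLE_KEY="projects/example-project/locations/us-central1/keyRings/backup-ring/cryptoKeys/vault-key"
preflight "$SAMPLE_KEY" us-central1 123456789012
```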

Grant permission to back up CMEK-protected resources

If you are backing up a resource that is itself encrypted with a different CMEK key, such as a Compute Engine instance with CMEK-encrypted disks, additional permissions are required. The service agent of the source resource's service needs permission to use the key(s) protecting the source resource. For example, to back up a CMEK-encrypted Compute Engine instance, the Compute Engine Service Agent of the source instance's project must have the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the Cloud Key Management Service key(s) used to encrypt the instance's disks. In most cases, this permission is already in place for the source workload to be operational.

Use CMEK with Backup and DR

This section describes the workflow for protecting backups using CMEK.

1. Create a CMEK-enabled backup vault

When creating a backup vault, select the Customer-managed encryption key (CMEK) option in the Encryption section and choose the Cloud Key Management Service key you created. You can only enable CMEK during vault creation; it cannot be enabled, disabled, or changed on an existing vault.

2. Create a backup plan

When creating a backup plan, select the CMEK-enabled backup vault that you created in the previous step as the target backup vault for the backups.

3. Apply the backup plan to resources

When you apply a backup plan to a resource, you must ensure that the backup plan targets a backup vault that is compatible with the resource's encryption configuration:

  • If you are backing up a Compute Engine instance that has one or more CMEK-encrypted disks attached, you must use a backup plan that targets a CMEK-enabled backup vault.
  • If you are backing up a Compute Engine instance where all attached disks use Google-managed encryption:
    • If you are assigning the backup plan using the Google Cloud console, you must use a backup plan that targets a non-CMEK backup vault.
    • If you are assigning the backup plan using the gcloud CLI, API, or Terraform, you can choose a backup plan that targets a CMEK-enabled backup vault. If you do, the instance's backups will be encrypted with the backup vault's CMEK key.
  • If you are backing up a Persistent Disk that uses Google-managed encryption, you must use a backup plan that targets a non-CMEK backup vault.

Ensure you have granted the required KMS permissions as detailed in Grant permissions for CMEK for backups to run successfully.

Cloud Key Management Service key rotation and backup restorability

Backup and DR supports Cloud Key Management Service key rotation. When you rotate a key, Cloud Key Management Service creates a new key version, which becomes the primary version. Backup and DR uses the primary key version to encrypt all new backups for backup vaults configured with that key.

Existing backups are not re-encrypted, and remain encrypted with the key version they were created with. To restore a backup, the key version used to encrypt it must be available in Cloud Key Management Service. If you disable or destroy a key version, any backups encrypted with that version become inaccessible. To ensure restorability of your backups, don't disable or destroy key versions that are still in use by backups you might need to restore.

If Backup and DR cannot access your CMEK key for any reason (for example, if the key version required for encryption or decryption is disabled or destroyed, or if IAM permissions on the key are revoked from the Backup and DR service agent), you may experience the following:

  • New backups to CMEK-enabled backup vaults will fail if the primary key version is inaccessible.
  • Restores from backup vaults will fail if the specific key version that was used to encrypt the backup is inaccessible.
  • You won't be able to create new backup vaults that use an inaccessible key.

If you have disabled a key version that was used for backups, re-enabling it restores access to backups encrypted with that version. If you destroy a key version, any backups encrypted with that key version are permanently lost and cannot be restored.
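As an added example (not from the Backup and DR documentation), the audit below flags key versions whose state would make backups encrypted with them unrestorable, separating the recoverable case (DISABLED, fixable by re-enabling) from the permanent one (DESTROY_SCHEDULED or DESTROYED). It expects the tab-separated output of gcloud kms keys versions list --format="value(name,state)" on stdin; the version list embedded here is constructed sample data, and the key name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Backup and DR documentation). Audit Cloud KMS key
# versions so that a vault key version still needed by backups is not disabled
# or destroyed by mistake.

# Map a Cloud KMS version state to its effect on backups encrypted with it.
classify() {
  case "$1" in
    ENABLED) echo ok ;;
    DISABLED) echo recoverable ;;                # re-enabling restores access
    DESTROY_SCHEDULED|DESTROYED) echo permanent ;; # backups cannot be restored
    *) echo unknown ;;
  esac
}

# Read "NAME<tab>STATE" lines and print "VERSION STATE CLASS" for every
# version that is not ENABLED.
non_enabled_versions() {
  tab=$(printf '\t')
  while IFS="$tab" read -r name state; do
    [ -z "$name" ] && continue
    if [ "$state" != "ENABLED" ]; then
      printf '%s %s %s\n' "${name##*/}" "$state" "$(classify "$state")"
    fi
  done
}

# Exit 0 when every version is ENABLED, 1 otherwise, so it can gate a
# "gcloud kms keys versions disable/destroy" step in automation.
audit_versions() {
  bad=$(non_enabled_versions)
  if [ -n "$bad" ]; then
    printf 'WARNING: backups encrypted with these versions cannot be restored now:\n%s\n' "$bad" >&2
    return 1
  fi
}

# Constructed sample (placeholder key; not captured from a real project).
SAMPLE_KEY="projects/example-project/locations/us-central1/keyRings/backup-ring/cryptoKeys/vault-key"
sample_versions() {
  printf '%s\t%s\n' \
    "$SAMPLE_KEY/cryptoKeyVersions/1" DISABLED \
    "$SAMPLE_KEY/cryptoKeyVersions/2" DESTROY_SCHEDULED \
    "$SAMPLE_KEY/cryptoKeyVersions/3" ENABLED
}

sample_versions | non_enabled_versions
```

With real data, replace sample_versions with the gcloud command named in the lead-in and pipe it into audit_versions before any disable or destroy step.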

Pricing

Backup and DR does not charge any additional fees for using CMEK. However, you are charged for the use of your keys in Cloud Key Management Service. For more information, see Cloud Key Management Service pricing.


Last updated 2026-02-19 UTC.