Use customer-managed encryption keys (CMEK)
This page describes how to set up a service account and keys forcustomer-managed encryption keys, and how to create an instance that uses amanually-created customer-managed encryption key. To learn more about usingcustomer-managed encryption keys with Cloud SQL, seeOverview ofcustomer-managed encryption keys.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission.Learn how to grant roles.
Verify that billing is enabled for your Google Cloud project.
Install thegcloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Toinitialize the gcloud CLI, run the following command:
gcloudinit
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission.Learn how to grant roles.
Verify that billing is enabled for your Google Cloud project.
Install thegcloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Toinitialize the gcloud CLI, run the following command:
gcloudinit
- Make sure you have the Cloud SQL Admin role on your user account.
Enable the Cloud Key Management Service API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission.Learn how to grant roles.Enable the Cloud SQL Admin API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission.Learn how to grant roles.
Workflow for creating a Cloud SQL instance with CMEK
- gcloud and API users only:Create a service accountfor each project that requires customer-managed encryption keys.
- Create a keyring and key, and set the location for each key. Thelocation is the Google Cloud region.
- gcloud and API users only:Grant the service account access to the key.
- Make a note of the key ID (KMS_KEY_ID), key location (GCP_REGION), andkeyring ID (KMS_KEYRING_ID).
- Go to a project andcreate a Cloud SQL instancewith the following options:
- The same location as the customer-managed encryption key
- The customer-managed key configuration
- The customer-managed encryption key ID
Your Cloud SQL instance is now enabled with CMEK.
Create a service account
You need to create a service account for each project that requirescustomer-managed encryption keys.
To allow a user to manage service accounts, grant one of the following roles:
- Service Account User (
roles/iam.serviceAccountUser): Includes permissionsto list service accounts, get details about a service account, andimpersonate a service account. - Service Account Admin (
roles/iam.serviceAccountAdmin): Includespermissions to list service accounts and get details about a serviceaccount. Also includes permissions to create, update, and delete serviceaccounts, and to view or change the Cloud SQL for SQL Server policy on aservice account.
Currently, you can only usegcloud CLI commands to create the type ofservice account you need for customer-managed encryption keys. If you are usingthe Console, Cloud SQL automatically creates this service account for you.
gcloud
gcloudbetaservicesidentitycreate\--service=sqladmin.googleapis.com\--project=PROJECT_ID
Terraform
To create a service account, use aTerraform resource.
resource "google_project_service_identity" "gcp_sa_cloud_sql" { provider = google-beta service = "sqladmin.googleapis.com"}Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (alsocalled aroot module).
- InCloud Shell, create a directory and a new file within that directory. The filename must have the
.tfextension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.mkdirDIRECTORY && cdDIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created
main.tf.Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the
-upgradeoption:terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
The previous command returns a service account name.You use this service account name during the procedure inGranting the service account access to the key.
Create a key
Note: You can use an externally managed key with CMEK using theCloud EKM service tomake the key available through Cloud KMS.You can create the key in the same Google Cloud project as the Cloud SQLinstance or in a separate user project. The Cloud KMS key ring locationmust match the region where you want to create Cloud SQL instance. Amulti-region or global region keywill not work. The Cloud SQLinstance create request fails if the regions don't match.
Warning: Never delete the primary key versionthat you initially use when you create your instance. You can't restore thebackup for the instance if the key version that was originally used when theinstance was created is destroyed. Even when the key version is rotated, theoriginal key version must be maintained. If it is destroyed, it can't bere-created.Note: Sometimes, a Cloud SQL instance enabled with CMEK has the Cloud KMS key hosted in a different cloud project. For this scenario, when you enable VPC-SC, you must add the KMS key hosting project to the security perimeter.Note: Cloud KMS usage is subject to aquota. GKE calls theCloud KMS API every time it performs a cryptographic operation. Confirmthat you have enough quota to enable application-layer secrets encryption foryour application.To create a Cloud KMS key:
Console
In the Google Cloud console, go to theKey management page.
- ClickCreate key ring.
- Add aKey ring name. Note this name because you need it when granting the service account access to the key.
- Add aKey ring location.
- ClickCreate. TheCreate key page opens.
- Add aKey name.
- ForPurpose, selectSymmetric encrypt/decrypt.
- Select aRotation period andStarting on date.
- ClickCreate.
- On theKeys table, click the three dots in the last column, and selectCopy Resource ID or write it down. This is the KMS_KEY_ID. You need the KMS_KEY_ID when granting the key access to the service account.
gcloud
- Create a new key ring.
gcloudkmskeyringscreateKMS_KEYRING_ID\--location=GCP_REGION
- Create a key on the key ring.
gcloudkmskeyscreateKMS_KEY_ID\--location=GCP_REGION\--keyring=KMS_KEYRING_ID\--purpose=encryption
Terraform
To create a keyring, use aTerraform resource.
resource "google_kms_key_ring" "keyring" { provider = google-beta name = "keyring-name" location = "us-central1"}To create a key, use aTerraform resource.
resource "google_kms_crypto_key" "key" { provider = google-beta name = "crypto-key-name" key_ring = google_kms_key_ring.keyring.id purpose = "ENCRYPT_DECRYPT"}Apply the Terraform configuration:
terraform apply
Grant the service account access to the key
When creating the Cloud SQL instance with CMEK, you only need to performthis procedure if you are using gcloud or the API. You can perform thisprocedure if you run into permission issues after the instance is created.
To grant the service account access:
Console
In the Google Cloud console, go to theKey management page.
- To select the project hosting the key, use the project selector.
- Click the name of the key ring.
- Click the name of the key.
- Click thePermissions tab.
- To open the panel, clickGrant access.
- Enter the service account as the principal and select "Cloud KMS CryptoKey Encrypter/Decrypter" as the role.
- ClickSave.
Alternatively, you can also grant it in the project IAM page.
gcloud
gcloudkmskeysadd-iam-policy-bindingKMS_KEY_ID\--location=GCP_REGION\--keyring=KMS_KEYRING_ID\--member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com\--role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Terraform
To grant access to the key, use aTerraform resource.
resource "google_kms_crypto_key_iam_binding" "crypto_key" { provider = google-beta crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" members = [ "serviceAccount:${google_project_service_identity.gcp_sa_cloud_sql.email}", ]}Apply the Terraform configuration:
terraform apply
Create a Cloud SQL instance with CMEK
Note: You can't enable customer-managed encryption keys on existing instances.To create an instance with customer-managed encryption keys:
Console
In the Google Cloud console, go to theCloud SQL Instances page.
- ClickCreate instance.
- Choose the database engine.
- Enter a name for the instance. Do not include sensitive or personally identifiable information in your instance name; it is externally visible. You do not need to include the project ID in the instance name. This is created automatically where appropriate (for example, in the log files).
- Enter the password for the
'root'@'%'user. - Set the region for your instance. Place your instance in the same region as the resources that access it. In most cases, you don't need to specify a zone.
- In theConfiguration options section, select all your configurations options until you reachMachine type and storage.
- ExpandMachine type and storage.
- In theEncryption section, selectCustomer-managed key.
- Select the KMS key from the dropdown menu or manually enter the KMS_KEY_ID. Only KMS keys in the same project and region as the instance are displayed. The primary key version of the key is used, so if a key version is provided in the key name, then it's trimmed. To choose a KMS key belonging to a different project but in the same region, selectDon't see your key? Enter key resource ID and enter the KMS_KEY_ID captured earlier.
- If the service account does not have permission to encrypt/decrypt with the selected key, a message displays. If this happens, clickGrant to grant the service account the
roles/cloudkms.cryptoKeyEncrypterDecrypter>IAM role on the selected KMS key. - Once the configuration options are selected, clickCreate.
- You see a message explaining the implications of using customer-managed encryption key. Read and acknowledge it to proceed further with instance creation.
gcloud
gcloudsqlinstancescreateINSTANCE_NAME\--project=PROJECT_ID\--disk-encryption-key=KMS_KEY_ID\--database-version=VERSION\--cpu=NUMBER_CPUS\--memory=MEMORY_SIZE\--region=REGION\--root-password=INSERT-PASSWORD-HERE
Terraform
To create an instance with CMEK, use aTerraform resource.
resource "google_sql_database_instance" "default" { name = "sqlserver-instance-cmek" provider = google-beta region = "us-central1" database_version = "SQLSERVER_2019_STANDARD" root_password = "INSERT-PASSWORD-HERE " encryption_key_name = google_kms_crypto_key.key.id settings { tier = "db-custom-2-7680" }}Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the
deletion_protectionargument tofalse.deletion_protection = "false"
- Apply the updated Terraform configuration by running the following command and entering
yesat the prompt:terraform apply
Remove resources previously applied with your Terraform configuration by running the following command and entering
yesat the prompt:terraform destroy
REST v1
To create an instance with customer-managed encryption keys, passdiskEncryptionConfiguration to the command.Before using any of the request data, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
- region: The region
- database-version: Emum version string (for example, SQLSERVER_2017_STANDARD)
- kms-resource-id: The ID you received from creating a key.
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances
Request JSON body:
{ "name":"instance-id", "region":"region", "databaseVersion": "database-version", "diskEncryptionConfiguration" : { "kmsKeyName" : "kms-resource-id" }, "settings": { "backupConfiguration": { "enabled":true } }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances", "status": "PENDING", "user": "user@example.com", "insertTime": "2020-01-16T02:32:12.281Z", "operationType": "UPDATE", "name": "operation-id", "targetId": "instance-id", "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id", "targetProject": "project-id"}REST v1beta4
To create an instance with customer-managed encryption keys, passdiskEncryptionConfiguration to the command.Before using any of the request data, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
- region: The region
- database-version: Emum version string (for example, SQLSERVER_2017_STANDARD)
- kms-resource-id: The ID you received from creating a key.
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances
Request JSON body:
{ "name":"instance-id", "region":"region", "databaseVersion": "database-version", "diskEncryptionConfiguration" : { "kmsKeyName" : "kms-resource-id" }, "settings": { "backupConfiguration": { "enabled":true } }}To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list. Save the request body in a file namedrequest.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances", "status": "PENDING", "user": "user@example.com", "insertTime": "2020-01-16T02:32:12.281Z", "operationType": "UPDATE", "name": "operation-id", "targetId": "instance-id", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id", "targetProject": "project-id"}Create a backup for a CMEK-enabled instance
When you create a backup of a Cloud SQL instance, the backup is encryptedwith the same primary key version as the primary instance's customer-managedkey. If your instance uses a CMEK created byCloud KMSAutokey, the backup still uses the same key as theprimary instance; Autokey doesn't create keys for backups.
SeeCreating and managing on-demand and automatic backups.
You will see a message on theCreate a backup form that says: "Your backupwill be encrypted with the primary version of this instance's customer-managedencryption key. If anyone destroys or disables this key version, all backup dataencrypted using that key version will be permanently lost. You can check theprimary version for the key in Cloud KMS."
On the backups page, the list of backups enabled with customer-managedencryption keys have two extra columns. One column that shows that the backup isfor a CMEK-enabled instance, and a column that displays the key version used toencrypt the backup.
View key information for a CMEK-enabled instance
Once you successfully create a Cloud SQL instance, you can look at theinstance list or the instance overview page to see that it was created using acustomer-managed encryption key. The details also show the key that was used tocreate the instance.
In the Google Cloud console, go to theCloud SQL Instances page.
- In the Instances list, scroll to the right until you see theEncryptioncolumn. In this column, you seeGoogle-managed andCustomer-managed.
- Click an instance name to open itsOverview page. The customer-managedencryption key is listed in theConfiguration pane.
Re-encrypt an existing CMEK-enabled instance or replica
You can re-encrypt your existing Cloud SQL instances and replicaswith the latest primary key version. For more information aboutre-encrypting your existing CMEK-enabled instance or replica, seeAbout keys.
Note: Until re-encryption is completed, don't disable or destroy the existingkey versions.Obtain the new primary key version
To re-encrypt your instance or replica with a new version, you'll need the new primary key version.If you need a new key version for your instances, you'll need to rotate your keyusing Cloud Key Management Service. To rotate your primary key,seeRotate a key.
After your key rotation is complete, wait for the primary key change to be propagatedbefore you re-encrypt your instances. If your key version change isn'tconsistent, your instance will continue to use the old key versionafter re-encryption. For more information, seeConsistency of key versions.
Re-encrypt your CMEK-enabled instance
After key rotation is complete, re-encrypt your existing CMEK-enabledinstance or replica.
Note: If your new key version isn't consistent across Cloud SQL,the instance continues using the old key version after re-encryption.Console
In the Google Cloud console, go to theCloud SQL Instances page.
- To open theOverview page of an instance, click the instance name.
- In theConfiguration section, clickRe-encrypt instance.
- In the dialog that appears, confirm your selection by clickingRe-encrypt.
gcloud
To re-encrypt the instance or replica, run the following command:
gcloudsqlinstancesreencryptINSTANCE_NAME
INSTANCE_NAME with name of the instance or replicayou are re-encrypting.REST v1
To re-encrypt your instance or replica with your new key, run the following command:
POSThttps://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt
Before using any of the request data, make the following replacements:
- PROJECT_ID: The project ID
- INSTANCE_ID: The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id", "status": "PENDING", "user": "user@example.com", "insertTime": "2023-06-28T21:19:09.503Z", "operationType": "REENCRYPT", "name": "operation-id", "targetId": "instance-id", "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id", "targetProject": "project-id"}REST v1beta4
To re-encrypt your instance or replica with your new key, run the following command:POSThttps://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt
Before using any of the request data, make the following replacements:
- PROJECT_ID: The project ID
- INSTANCE_ID: The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/reencrypt" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "sql#operation", "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id", "status": "PENDING", "user": "user@example.com", "insertTime": "2023-06-28T21:22:13.663Z", "operationType": "REENCRYPT", "name": "operation-id", "targetId": "instance-id", "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id", "targetProject": "project-id"}Automatic re-encryption backups
When you re-encrypt a primary instance with a new primary key version,Cloud SQL automatically creates an on-demand backup calledthe re-encryption backup.
In yourlist of backups foryour Cloud SQL instance, the re-encryption backup is listed as typeon-demandand labeled withbackup created automatically for data before CMEK re-encryption.
As with other on-demand backups, re-encryption backups persist until you delete them or delete the instance.
Re-encryption limitations
When you re-encrypt an instance, keep note of the following limitations:
- You can't perform any other admin operations on the instance while the re-encryption operation is going on.
- The re-encryption operation triggers a downtime that depends on the instance or replica size.
- Replicas of an instance aren't re-encrypted when an instance is en-encrypted. You need to re-encrypt each replica separately.
- Backups aren't automatically re-encrypted with the new key version when you re-encrypt your instance. To restore the backup or point-in-time-recovery to a time after the backup is taken, you'll need to keep the Cloud KMS key version the backup is encrypted with.
- Backups created after the Cloud KMS key that the instance is encrypted with is rotated will use the primary key version of that key automatically, even if the instance isn't encrypted with this key version.
For troubleshooting, see theRe-encryption troubleshooting table.
Use Cloud External Key Manager (Cloud EKM)
To protect data in Cloud SQL instances, you can use keys that you managewithin a supported external key management partner. For more information, seeCloud External Key Manager, including theConsiderations section.
When you are ready to create a Cloud EKM key, seeManaging Cloud EKM keys. After a key iscreated, provide the key name when you create a Cloud SQL instance.
You can use Key Access Justifications (KAJ) as part of Cloud EKM. KAJ enablesyou to view the reason for each Cloud EKM request. Additionally, based on thejustification provided, you can automatically approve or deny a request. Tolearn more, see theOverview.
Thus, KAJ provides extra control over your data by providing a justification foreach attempt to decrypt the data.
Google lacks control over the availability of keys in an external keymanagement partner system.
Warning: If an external key is deleted or cannotbe recovered, any Cloud SQL instances encrypted with that key become permanentlyinaccessible.Disable and re-enable key versions
See the following topics:
Troubleshoot
This section describes things to try when you get an error message while settingup or using CMEK-enabled instances.
Cloud SQL administrator operations, such as create, clone, or update, might fail due to Cloud KMS errors, and missing roles or permissions. Common reasons for failure include a missing Cloud KMS key version, a disabled or destroyed Cloud KMS key version, insufficient IAM permissions to access the Cloud KMS key version, or the Cloud KMS key version is in a different region than the Cloud SQL instance. Use the following troubleshooting table to diagnose and resolve common problems.
Customer-managed encryption keys troubleshooting table
| For this error... | The issue might be... | Try this... |
|---|---|---|
| Per-product, per-project service account not found | The service account name is incorrect. | Make sure you created a service account for the correct user project. |
| Cannot grant access to the service account | The user account does not have permission to grant access to this key version. | Add theOrganization Administrator role to your user or service account. |
| Cloud KMS key version is destroyed | The key version is destroyed. | If the key version is destroyed, you cannot use it to encrypt or decrypt data. |
| Cloud KMS key version is disabled | The key version is disabled. | Re-enable the Cloud KMS key version. |
| Insufficient permission to use the Cloud KMS key | Thecloudkms.cryptoKeyEncrypterDecrypter role is missing on the user or service account you are using to run operations on Cloud SQL instances, or the Cloud KMS key version doesn't exist. | In the Google Cloud project that hosts the key, add thecloudkms.cryptoKeyEncrypterDecrypter role to your user or service account.If the role is already granted to your account, seeCreating a key to learn how to create a new key version. See note. |
| Cloud KMS key is not found | The key version does not exist. | Create a new key version. SeeCreating a key. See note. |
| EKM key is unreachable | The External Key Manager (EKM) key is unreachable for several hours. Even after multiple retries, the EKM key remains unreachable. | Verify EKM connection status and troubleshoot the issue with your EKM provider. |
| Cloud SQL instance and Cloud KMS key version are in different regions | The Cloud KMS key version and Cloud SQL instance must be in the same region. It does not work if the Cloud KMS key version is in a global region or multi-region. | Create a key version in the same region where you want to create instances. SeeCreating a key. See note. |
| Cloud KMS key version is restored but instance is still suspended | The key version is disabled or doesn't grant proper permissions. | Re-enable the key version, and grant thecloudkms.cryptoKeyEncrypterDecrypter role to your user or service account in the Google Cloud project that hosts the key. |
create operation, you must delete it, add the role to the account you are using, and create a new instance with an active Cloud KMS key version.Re-encryption troubleshooting table
| For this error... | The issue might be... | Try this... |
|---|---|---|
| CMEK resource re-encryption failed because the Cloud KMS key is inaccessible. Please ensure that the primary key version is enabled and the permission is granted properly. | The key version is disabled or doesn't grant proper permissions. | Re-enable the Cloud KMS key version: In the Google Cloud project that hosts the key, confirm the |
| CMEK resource re-encryption failed due to server internal error. Please retry later | There is a server internal error. | Retry re-encryption. For more information, seeRe-encrypt an existing CMEK-enabled instance or replica |
What's next
- Configure access to the instance.
- Connect to the instance with a client.
- Create a database on the instance.
- Import data into the instance.
- Create users on the instance.
- Learn more about instance settings.
- Learn how to addkey access justifications to your keys.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.