This document discusses how to encryptdisks withcustomer-supplied encryption keys.

For information about disk encryption, seeAbout disk encryption.

For information about encrypting disks with customer-managed encryption keys (CMEK)seeProtect resources by using Cloud KMS keys.

Using CSEKs means you provide your own encryption keys and Compute Engine usesyour keys to protect the Google-owned and Google-managed encryption keys used to encrypt and decryptyour data. Only users who can provide the correct key can use resourcesprotected by a customer-supplied encryption key (CSEK).

Google does not store your keys on its servers and cannot access yourprotected data unless you provide the key. This also means that if youforget or lose your key,there is no way for Google to recover the key or torecover any data encrypted with the lost key.

When you delete a Persistent Disk volume, Google discards the cipher keys,rendering the data irretrievable. This process is irreversible.

Before you begin

• Read aboutdisks,images,anddisk snapshots.
• If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

  Select the tab for how you plan to use the samples on this page:

  Console

  When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

  gcloud

  1. Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:

     gcloudinit

     If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

     Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.
  2. Set a default region and zone.

  Python

  To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloudauthapplication-defaultlogin

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  For more information, see Set up authentication for a local development environment.

  REST

  To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  For more information, seeAuthenticate for using REST in the Google Cloud authentication documentation.

Restrictions

For CSEK, the following restrictions apply:

General restrictions

Availability of customer-supplied encryption keys depends on the location ofyour billing account, not the location of the resource.

Customer-supplied encryption keys are not available for billing accounts thatare in the following countries:

• Brazil
• India

Technical restrictions

• You can only encrypt new persistent disks with your own key. Youcan't encrypt existing persistent disks with your own key.

• You can't use your own keys withLocal SSD disksbecause Local SSD disks use Google-owned and Google-managed encryption keys.The keys are deleted when the VM is terminated.

• Compute Engine does not store encryption keys withinstance templates, so you need to storeyour own keys inKMS to encrypt disks in amanaged instance group.

• You can't suspend instances that have CSEK-protected disks attached.

Specifications

This section describes the encryption specification and the format of CSEK.

Encryption

Compute Engine uses your encryption key to protect Google'sencryption keys with AES-256 encryption.

Required key format

It is up to you to generate and manage your key. You must provide a key that isa 256-bit string encoded inRFC 4648 standard base64 to Compute Engine.

The following is an example of a base64 encoded key, generated with the string"Hello from Google Cloud Platform"

SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=

It can be generated using the following script:

read -sp "String:" ; \    [[ ${#REPLY} == 32 ]] && \        echo "$(echo -n "$REPLY" | base64)" || \        (>&2 echo -e "\nERROR:Wrong Size"; false)

RSA key wrapping

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

In addition to encoding your key in base64, you can optionally wrapyour key using an RSA public key certificate provided by Google, encode the keyin base64, and then use that key in your requests.

RSA wrapping is a process in which you use a public key to encrypt your data.After that data has been encrypted with the public key, it can only bedecrypted by the respective private key. In this case, the private key is knownonly to Google Cloud services. By wrapping your key using the RSAcertificate, you ensure that only Google Cloud services can unwrap yourkey and use it to protect your data.

For more information, seeRSA encryption.

To create an RSA-wrapped key for Compute Engine, do the following:

1. Wrap your key using the public key provided in a certificate thatCompute Engine manages.Make sure to wrap your key using OAEPpadding, not PKCS #1 v1.5 padding.
2. Encode your RSA-wrapped key using standard base64 encoding.

Download the public certificate maintained by Compute Engine from:

https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem

There are many ways of generate and RSA-wrap your key; use a method that isfamiliar to you. The following are two examples of RSA-wrapping your key thatyou could use.

Example 1

The following instructions use theopenssl command-line utility to RSA-wrap and encode a key.

1. Optional: Generate a 256-bit (32-byte) random key. If you already havea key you want to use, you can skip this step. There are many ways you cangenerate a key. For example:

   $head -c 32 /dev/urandom | LC_CTYPE=C tr '\n' = > mykey.txt

2. Download thepublic key certificate:

   $ curl -s -O -L https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem

3. Extract the public key from the certificate:

   $openssl x509 -pubkey -noout -in google-cloud-csek-ingress.pem > pubkey.pem

4. RSA-wrap your key, making sure to replacemykey.txt with your own key file.

   $openssl rsautl -oaep -encrypt -pubin -inkey pubkey.pem -in mykey.txt -out rsawrappedkey.txt

5. Encode your RSA-wrapped key in base64.

   $openssl enc -base64 -in rsawrappedkey.txt | tr -d '\n' | sed -e '$a\' > rsawrapencodedkey.txt

Example 2

The following is sample Python script that generates a 256-bit (32-byte) randomstring and creates a base64 encoded RSA-wrapped key using thecryptography library:

importargparseimportbase64importosfromtypingimportOptionalfromcryptographyimportx509fromcryptography.hazmat.backendsimportdefault_backendfromcryptography.hazmat.primitivesimporthashesfromcryptography.hazmat.primitives.asymmetricimportpaddingfromcryptography.hazmat.primitives.asymmetric.rsaimportRSAPublicKeyimportrequestsGOOGLE_PUBLIC_CERT_URL=("https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem")defget_google_public_cert_key()->RSAPublicKey:"""    Downloads the Google public certificate.    Returns:        RSAPublicKey object with the Google public certificate.    """r=requests.get(GOOGLE_PUBLIC_CERT_URL)r.raise_for_status()# Load the certificate.certificate=x509.load_pem_x509_certificate(r.content,default_backend())# Get the certicate's public key.public_key=certificate.public_key()returnpublic_keydefwrap_rsa_key(public_key:RSAPublicKey,private_key_bytes:bytes)->bytes:"""    Use the Google public key to encrypt the customer private key.    This means that only the Google private key is capable of decrypting    the customer private key.    Args:        public_key: The public key to use for encrypting.        private_key_bytes: The private key to be encrypted.    Returns:        private_key_bytes encrypted using the public_key. Encoded using        base64.    """wrapped_key=public_key.encrypt(private_key_bytes,padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),algorithm=hashes.SHA1(),label=None,),)encoded_wrapped_key=base64.b64encode(wrapped_key)returnencoded_wrapped_keydefmain(key_file:Optional[str])->None:"""    This script will encrypt a private key with Google public key.    Args:        key_file: path to a file containing your private key. If not            provided, a new key will be generated (256 bit).    """# Generate a new 256-bit private key if no key is specified.ifnotkey_file:customer_key_bytes=os.urandom(32)else:withopen(key_file,"rb")asf:customer_key_bytes=f.read()google_public_key=get_google_public_cert_key()wrapped_rsa_key=wrap_rsa_key(google_public_key,customer_key_bytes)b64_key=base64.b64encode(customer_key_bytes).decode("utf-8")print(f"Base-64 encoded private key:{b64_key}")print(f"Wrapped RSA key:{wrapped_rsa_key.decode('utf-8')}")if__name__=="__main__":parser=argparse.ArgumentParser(description=__doc__,formatter_class=argparse.RawDescriptionHelpFormatter)parser.add_argument("--key_file",help="File containing your binary private key.")args=parser.parse_args()main(args.key_file)

Your key is now ready to use!

Use a RSA-wrapped key

Using the Google Cloud CLI, you can provide a regular key and aRSA-wrapped key in thesame way.

In theAPI, use thesha256 property instead ofrawKey if you want to use aRSA-wrapped key instead.

Encrypting resources with CSEK using the command-line tool

Setup

Encryption keys can be used through the Google Cloud CLI.

Download and installgcloud.

Key file

When you use thegcloud compute command-line tool to set your keys,you provide encoded keys using a key file that contains your encoded keys asa JSON list. A key file can contain multiple keys, letting you manage manykeys in a single place. Alternatively, you can create single key files tohandle each key separately. A key file is only usable with the gcloud CLI.When using REST, you must supply the key directly in your request.

Each entry in your key file must provide:

• The fully qualified URI to the resource the key protects
• The corresponding key
• The type of key, eitherraw orrsa-encrypted

When you use the key file in your requests, the tool looks for matchingresources and uses the respective keys. If no matching resources arefound, the request fails.

An example key file looks like this:

[  {  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/example-disk",  "key": "acXTX3rxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY+c=",  "key-type": "raw"  },  {  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/global/snapshots/my-private-snapshot",  "key": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA==",  "key-type": "rsa-encrypted"  }]

Best practices for managing your key file

If you use a key file, restrict access to your file to only thosewho need it. Make sure to set appropriate permissions on these files andconsider encrypting these files using additional tools:

• On Windows, consider usingBitLocker orEncrypting File System (EFS).
• On macOS, consider usingFileVault 2.
• On Linux, considerLinux Unified Key Setup (LUKS) oreCryptfs.

Encrypt a new persistent disk with CSEK

You can encrypt a new persistent disk by supplying a key during VM ordisk creation.

gcloud (beta) compute instances create example-instance --csek-key-file example-file.json

gcloud (beta) compute disks create example-disk --csek-key-file example-file.json

POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/instances{"machineType": "zones/us-central1-a/machineTypes/e2-standard-2","disks": [ {  "type": "PERSISTENT",  "diskEncryptionKey": {    "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  },  "initializeParams": {   "sourceImage": "projects/debian-cloud/global/images/debian-9-stretch-v20170619"  },  "boot": true }],...}

POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks?sourceImage=https%3A%2F%2Fwww.googleapis.com%2Fcompute%2Falpha%2Fprojects%2Fdebian-cloud%2Fglobal%2Fimages%2Fdebian-9-stretch-v20170619{ "name": "new-encrypted-disk-key", "diskEncryptionKey": {   "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  }, "type": "zones/us-central1-a/diskTypes/pd-standard"}

Create a snapshot from a disk encrypted with CSEK

If you create a snapshot from an encrypted disk, the snapshot must also beencrypted. You must specify a key to encrypt the snapshot. You cannot convertencrypted disks or encrypted snapshots to use Compute Engine defaultencryption unless youcreate a new disk image and a new persistent disk.

Snapshots of disks encrypted with CSEK are always full snapshots. This differsfrom snapshots of disks encrypted withcustomer-managed encryption keys(CMEK), which areincremental. Snapshots are priced basedon the total size of the snapshot, so a full snapshot might cost more than anincremental snapshot.

To create a persistent disk snapshot from an encrypted disk, your snapshotcreation request must provide the encryption key that you used to encrypt thepersistent disk.

Review theBest practices for persistent disk snapshotsbefore creating your snapshot.

POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks/example-disk/createSnapshot{ "snapshotEncryptionKey":  {   "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA==" },  "sourceDiskEncryptionKey": {   "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  }, "name": "snapshot-encrypted-disk"}

Create a new image from a disk or custom image encrypted with CSEK

You can create custom images from encrypted persistent disks or copy encryptedimages. You cannot use the console to copy images. Use theGoogle Cloud CLI or REST to copy images.

gcloud (beta) compute images create .... --csek-key-file example-file.json

[  {  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks/source-disk",  "key": "acX3RqzxrKAFTF0tYVLvydU1riRZTvUNC4g5I11NY-c=",  "key-type": "raw"  },  {  "uri": "https://www.googleapis.com/compute/v1/projects/myproject/global/snapshots/the-new-image",  "key": "TF0t-cSfl7CT7xRF1LTbAgi7U6XXUNC4zU_dNgx0nQc=",  "key-type": "raw"  }]

POST https://compute.googleapis.com/compute/beta/projects/myproject/global/images{ "name": "image-encrypted-disk", "sourceDiskEncryptionKey": {    "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  } "imageEncryptionKey": {    "rsaEncryptedKey":  "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="    }, "sourceDisk": "projects/myproject/zones/us-central1-a/disks/source-disks"}

Encrypt an imported image with CSEK

You can encrypt a new image when youmanually import a custom image toCompute Engine. Before you can import an image, you mustcreate and compress a disk image fileandupload that compressed file to Cloud Storage.

Import the custom Compute Engine image that you want to encrypt.Specify the URI to the compressed file and also specify a path to yourencryption key file.

gcloud (beta) compute images create [IMAGE_NAME] \    --source-uri gs://[BUCKET_NAME]/[COMPRESSED_FILE] \    --csek-key-file [KEY_FILE]

POST https://compute.googleapis.com/compute/beta/projects/myproject/global/images{"rawDisk": { "source": "http://storage.googleapis.com/example-image/example-image.tar.gz"},"name": "new-encrypted-image","sourceType": "RAW","imageEncryptionKey": {  "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  }}

Create a persistent disk from a resource encrypted with CSEK

Create a disk from a snapshot encrypted with CSEK

gcloud (beta) compute disks create ... --source-snapshot example-snapshot --csek-key-file example-file.json

POST https://compute.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks{"name": "disk-from-encrypted-snapshot","sourceSnapshot": "global/snapshots/encrypted-snapshot","sourceSnapshotEncryptionKey": {  "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  }}

Create a disk from an image encrypted with CSEK

gcloud (beta) compute disks create ... --image example-image --csek-key-file example-file.json

POST https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/disks{"name": "disk-from-encrypted-image","sourceImageEncryptionKey": {  "rsaEncryptedKey": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA=="  },"sourceImage": "global/images/encrypted-image"}

Attaching a disk encrypted with CSEK to a new VM

gcloud (beta) compute instances create example-instance \    --disk name=example-disk,boot=yes \    --csek-key-file example-file.json

"disks": [{  "deviceName": "encrypted-disk",  "source": "projects/myproject/zones/us-central1-f/disks/encrypted-disk",  "diskEncryptionKey": {    "rawKey": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="  } }]

Starting or restarting VMs that have disks encrypted with CSEK

For details on stopping or starting a VM that has encrypted disks,readRestarting a VM with an encrypted disk.

Using the command line to create mixed resources

If you want to create a mix of customer-encrypted and standard-encryptedresources in a single request with the Google Cloud CLI, you can usethe--csek-key-file flag with a key file and the--no-require-csek-key-create flag in your request. By providing both flags,gcloud CLI creates any customer-encrypted resources that are explicitlydefine in your key file and also creates any standard resources you specify.

For example, assume a key file contains the following:

[  {  "uri": "https://www.googleapis.com/compute/beta/projects/myproject/zones/us-central1-a/disks/example-disk",  "key": "ieCx/NcW06PcT7Ep1X6LUTc/hLvUDYyzSZPPVCVPTVEohpeHASqC8uw5TzyO9U+Fka9JFHz0mBibXUInrC/jEk014kCK/NPjYgEMOyssZ4ZINPKxlUh2zn1bV+MCaTICrdmuSBTWlUUiFoDD6PYznLwh8ZNdaheCeZ8ewEXgFQ8V+sDroLaN3Xs3MDTXQEMMoNUXMCZEIpg9Vtp9x2oeQ5lAbtt7bYAAHf5l+gJWw3sUfs0/Glw5fpdjT8Uggrr+RMZezGrltJEF293rvTIjWOEB3z5OHyHwQkvdrPDFcTqsLfh+8Hr8g+mf+7zVPEC8nEbqpdl3GPv3A7AwpFp7MA==",  "key-type": "rsa-encrypted"  }]

If you wanted to create a VM with a customer-encrypted disk usingthe key file and simultaneously create a VM with astandard-encrypted disk in the same request, you can do so as follows:

gcloud beta compute instances create example-disk example-disk-2 \    --csek-key-file mykeyfile.json --no-require-csek-key-create

1. Create an image of the encrypted disk and specifyautomatic encryption for the new image.
2. Use the new image tocreate a new persistent disk.

After you create the new persistent disk, Compute Engine usesGoogle-owned and managed keys to protect the disk contents.Any snapshots that you create from that disk must also useGoogle-owned and managed keys