Encrypt workstation resources using CMEK
By default, Cloud Workstations encrypts customer content at rest. Cloud Workstations handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Cloud Workstations. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Cloud Workstations resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
By default, Cloud Workstations uses a Google-owned and Google-managed encryption key to encrypt workstation resources such as VMs and persistent disks when data is at rest. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) using Cloud Key Management Service (Cloud KMS).
For more information about CMEK in general, including when and why to enable it, see the Cloud KMS documentation.
Before you begin
Create your projects
In the Google Cloud console, on the project selector page, select or create the following Google Cloud projects:
- A key project contains your Cloud KMS resources, including a key ring and a symmetric encryption key.
- A workstations project contains workstations that are encrypted with a CMEK key.
You can use the same project for your key project and workstations project, but as a best practice, we recommend that you use two projects for separation of duties.
Note: If you don't plan to keep the resources that you create in this procedure, create new projects instead of selecting existing projects. After you finish these steps, you can delete the projects, removing all resources associated with both projects.
Make sure that billing is enabled for your Cloud project. For more information, see Verify the billing status of your projects.
Enable the required APIs in each project.
- In your key project, make sure that you have enabled the Cloud KMS API.
- In your workstations project, make sure that you have enabled the Cloud KMS and Cloud Workstations APIs.
Install and initialize the gcloud CLI:
- To install the gcloud CLI, see Install the gcloud CLI and follow the instructions for your operating system.
- To initialize the gcloud CLI, see Initializing the gcloud CLI or run the following command:
    gcloud init
Required roles
Although you can grant the Cloud KMS Admin and Cloud Workstations Admin roles to the same person, we recommend that you follow the principle of least privilege when assigning roles. As a best practice, grant these roles to two separate people and have them coordinate, rather than ask your Cloud KMS Admin to also be your Cloud Workstations Admin. For more information, see security best practices and using IAM securely.
To get the permissions that you need to set up CMEK, ask your administrator to grant you the following IAM roles:
- If you are the Cloud KMS Admin, ask your administrator to grant you the following role so that you can create and manage Cloud KMS resources: Cloud KMS Admin (roles/cloudkms.admin) on your key project.
- If you are the Cloud Workstations Admin, ask your administrator to grant you the following role so that you can create and update workstations: Cloud Workstations Admin (roles/workstations.admin) on your workstations project.
For more information about granting roles, seeManage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create key ring and encryption key
In your key project, create a key and save the resource ID of the key:
Create or select a key ring.
The key ring must be located in the same region as your workstation cluster. Cloud Workstations does not support multi-regional or global Cloud KMS locations.
You can share key rings between services, but as a best practice, we recommend that you use a different key for each protected resource. See separation of duties.
Create a symmetric encryption key.
Get the resource ID of the key and save this for a later step.
Grant access to your encryption key
Cloud Workstations uses the following service accounts to manage encrypting your resources:
- The Cloud Workstations Service Agent: Cloud Workstations uses this account to detect when your key is rotated.
- The Cloud KMS Key Service Account: you provide a service account that Cloud Workstations can use to access your key for encrypting and decrypting resources.
Grant Cloud KMS Viewer role to the Cloud Workstations Service Agent
The Cloud Workstations Service Agent allows Cloud Workstations to perform service duties on your project. When you activated the Cloud Workstations Service in your workstations project, this service agent was automatically created. For CMEK to work properly, you need to grant the Cloud Workstations Service Agent for your workstations project the Cloud KMS Viewer role (roles/cloudkms.viewer) on the Cloud KMS key, so that Cloud Workstations can detect key rotation.
To retrieve the Cloud Workstations Service Agent for your workstations project, use the following command:
    gcloud beta services identity create \
        --service=workstations.googleapis.com \
        --project=WORKSTATIONS_PROJECT_ID
Replace WORKSTATIONS_PROJECT_ID with the ID of your workstations project.
The Cloud Workstations Service Agent uses the following format: service-$WORKSTATIONS_PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com.
Grant the Cloud Workstations Service Agent the Cloud KMS Viewer role (roles/cloudkms.viewer) on the CMEK key. This allows Cloud Workstations to detect key rotation and re-encrypt resources as needed in your project. The member is a service account, so it carries the serviceAccount: prefix:
    gcloud kms keys add-iam-policy-binding \
        KEY_NAME \
        --keyring=KEY_RING \
        --location=LOCATION \
        --project=KMS_PROJECT_ID \
        --role=roles/cloudkms.viewer \
        --member=serviceAccount:CLOUD_WORKSTATIONS_SERVICE_AGENT
Replace the following:
- KEY_NAME: the name of your key.
- KEY_RING: the name of your key ring.
- LOCATION: the location containing your key ring.
- KMS_PROJECT_ID: the ID of the project containing your key.
- CLOUD_WORKSTATIONS_SERVICE_AGENT: the email of the Cloud Workstations Service Agent obtained in the preceding step.
For information on all flags and possible values, run the command with the --help flag.
Set up a Cloud KMS Key Service Account
Cloud Workstations uses a service account of your choosing to perform encryption and decryption with your customer-managed key. We refer to this account as the Cloud KMS Key Service Account. You may opt to create a new service account or use an existing one. The requirements for this account are:
- The Cloud Workstations Admin must have the iam.serviceAccounts.actAs permission on this service account.
- The service account you choose must have the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on your Cloud KMS key.
If you would like to create a new service account, use the following command:
    gcloud iam service-accounts create \
        KMS_KEY_SERVICE_ACCOUNT_NAME \
        --display-name="Service account for Cloud Workstations CMEK" \
        --project=WORKSTATIONS_PROJECT_ID
Replace the following:
- KMS_KEY_SERVICE_ACCOUNT_NAME: the name of the service account.
- WORKSTATIONS_PROJECT_ID: the ID of your workstations project.
The service account you created has an email in the following format: KMS_KEY_SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com. Save the email of the service account for a later step.
To grant the Cloud Workstations Admin the IAM Service Account User role (roles/iam.serviceAccountUser) on the Cloud KMS Key Service Account, run the following command:
    gcloud iam service-accounts add-iam-policy-binding \
        KMS_KEY_SERVICE_ACCOUNT_EMAIL \
        --member="user:CLOUD_WORKSTATIONS_ADMIN_EMAIL" \
        --project=WORKSTATIONS_PROJECT_ID \
        --role=roles/iam.serviceAccountUser
Replace the following:
- KMS_KEY_SERVICE_ACCOUNT_EMAIL: the email of the Cloud KMS Key Service Account.
- CLOUD_WORKSTATIONS_ADMIN_EMAIL: the email of the Cloud Workstations Admin.
- WORKSTATIONS_PROJECT_ID: the ID of your workstations project.
To grant the Cloud KMS Key Service Account the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on your Cloud KMS key, run the following command:
    gcloud kms keys add-iam-policy-binding \
        KEY_NAME \
        --keyring=KEY_RING \
        --location=LOCATION \
        --project=KMS_PROJECT_ID \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter \
        --member=serviceAccount:KMS_KEY_SERVICE_ACCOUNT_EMAIL
Replace the following:
- KEY_NAME: the name of your key.
- KEY_RING: the name of your key ring.
- LOCATION: the location containing your key ring.
- KMS_PROJECT_ID: the ID of the project containing your key.
- KMS_KEY_SERVICE_ACCOUNT_EMAIL: the email of the Cloud KMS Key Service Account.
For information on all flags and possible values, run the command with the --help flag.
Check for workstation clusters
If you don't have workstation clusters available in the Google Cloud console, ask your Cloud Workstations Admin to create a workstation cluster for you in the same region as the Cloud KMS key ring, or make sure that you have the Cloud Workstations Admin IAM role on the project so that you can create these resources yourself.
Use customer-managed encryption keys
Caution: CMEK fields in a workstation configuration are immutable. After a workstation configuration is created, you cannot change its encryption key. If you want to use a different encryption key, you need to create a new workstation configuration and then migrate workstation users to the new workstation configuration.
If you have not yet created a workstation cluster, create one using the clusters create gcloud CLI command:
    gcloud workstations clusters create \
        WORKSTATIONS_CLUSTER_NAME \
        --region=LOCATION \
        --project=WORKSTATIONS_PROJECT_ID
Replace the following:
- WORKSTATIONS_CLUSTER_NAME: the name of the workstation cluster.
- LOCATION: the region name for your workstation cluster.
- WORKSTATIONS_PROJECT_ID: the ID of your workstations project.
Create a workstation configuration with encryption_key settings. To create a workstation configuration with machine type e2-standard-2, an idle timeout of 3600s, and CMEK-encrypted workstation resources, run the following gcloud CLI command:
    gcloud workstations configs create WORKSTATIONS_CONFIG_NAME \
        --cluster=WORKSTATIONS_CLUSTER_NAME \
        --region=LOCATION \
        --machine-type="e2-standard-2" \
        --idle-timeout=3600 \
        --kms-key="projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME" \
        --kms-key-service-account="KMS_KEY_SERVICE_ACCOUNT_EMAIL" \
        --project=WORKSTATIONS_PROJECT_ID
Replace the following:
- WORKSTATIONS_CONFIG_NAME: the name of the workstation configuration.
- WORKSTATIONS_CLUSTER_NAME: the name of your workstation cluster.
- LOCATION: the region name for your cluster.
- KMS_PROJECT_ID: the ID of the project containing your key.
- KEY_RING: the name of your key ring.
- KEY_NAME: the name of your key.
- KMS_KEY_SERVICE_ACCOUNT_EMAIL: the email of the Cloud KMS Key Service Account.
- WORKSTATIONS_PROJECT_ID: the ID of your workstations project.
After you create a workstation configuration, Cloud KMS encrypts the persistent disks in your project with the specified Cloud KMS key.
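As an added example (not from the Cloud Workstations documentation), the steps above collected into one POSIX shell script: key ring and key, the service agent's Viewer binding, the Cloud KMS Key Service Account with its two bindings, then the cluster and configuration, all in one region, with a check in front that rejects multi-region and dual-region key ring locations. Project IDs, resource names and the admin email are constructed sample values, and WORKSTATIONS_PROJECT_NUMBER is a placeholder you replace with your project number (gcloud projects describe PROJECT_ID --format='value(projectNumber)' prints it).

```shell
# Added example (not from the Cloud Workstations docs): the page's CMEK setup
# steps as one ordered script. DRY_RUN=1 prints the gcloud commands instead.
set -eu

KMS_PROJECT_ID="${KMS_PROJECT_ID:-my-key-project}"                  # constructed sample values
WORKSTATIONS_PROJECT_ID="${WORKSTATIONS_PROJECT_ID:-my-ws-project}"
WORKSTATIONS_PROJECT_NUMBER="${WORKSTATIONS_PROJECT_NUMBER:-000000000000}"  # placeholder
LOCATION="${LOCATION:-us-central1}"                                 # must be a region
KEY_RING="${KEY_RING:-workstations-ring}"; KEY_NAME="${KEY_NAME:-workstations-key}"
SA_NAME="${SA_NAME:-ws-cmek-sa}"; ADMIN_EMAIL="${ADMIN_EMAIL:-ws-admin@example.com}"
CLUSTER="${CLUSTER:-ws-cluster}"; CONFIG="${CONFIG:-ws-config-cmek}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
# Workstations needs a regional key ring: multi-region (global, us, europe, asia)
# and dual-region (nam4, eur4, ...) names fail this check; us-central1 passes.
is_regional_location() { printf '%s' "$1" | grep -Eq '^[a-z]+-[a-z]+[0-9]+$'; }
# Full key resource ID in the form expected by --kms-key.
kms_key_id() {
  echo "projects/$KMS_PROJECT_ID/locations/$LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME"
}
# Service agent email in the format given on the page, from the project number.
service_agent_email() { echo "service-$1@gcp-sa-workstations.iam.gserviceaccount.com"; }
sa_email() { echo "$SA_NAME@$WORKSTATIONS_PROJECT_ID.iam.gserviceaccount.com"; }

setup_cmek() {
  is_regional_location "$LOCATION" || { echo "LOCATION must be a region" >&2; return 1; }
  # Key project: key ring and symmetric key.
  run gcloud kms keyrings create "$KEY_RING" --location="$LOCATION" --project="$KMS_PROJECT_ID"
  run gcloud kms keys create "$KEY_NAME" --keyring="$KEY_RING" --location="$LOCATION" \
    --purpose=encryption --project="$KMS_PROJECT_ID"
  # Service agent gets Viewer on the key so key rotation is detected.
  run gcloud beta services identity create --service=workstations.googleapis.com \
    --project="$WORKSTATIONS_PROJECT_ID"
  run gcloud kms keys add-iam-policy-binding "$KEY_NAME" --keyring="$KEY_RING" \
    --location="$LOCATION" --project="$KMS_PROJECT_ID" --role=roles/cloudkms.viewer \
    --member="serviceAccount:$(service_agent_email "$WORKSTATIONS_PROJECT_NUMBER")"
  # Key service account: the admin may act as it; it may encrypt and decrypt with the key.
  run gcloud iam service-accounts create "$SA_NAME" --project="$WORKSTATIONS_PROJECT_ID"
  run gcloud iam service-accounts add-iam-policy-binding "$(sa_email)" --member="user:$ADMIN_EMAIL" \
    --role=roles/iam.serviceAccountUser --project="$WORKSTATIONS_PROJECT_ID"
  run gcloud kms keys add-iam-policy-binding "$KEY_NAME" --keyring="$KEY_RING" \
    --location="$LOCATION" --project="$KMS_PROJECT_ID" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter --member="serviceAccount:$(sa_email)"
  # Cluster and config in the key ring's region; a config's CMEK fields are immutable.
  run gcloud workstations clusters create "$CLUSTER" --region="$LOCATION" --project="$WORKSTATIONS_PROJECT_ID"
  run gcloud workstations configs create "$CONFIG" --cluster="$CLUSTER" --region="$LOCATION" \
    --machine-type=e2-standard-2 --idle-timeout=3600 --kms-key="$(kms_key_id)" \
    --kms-key-service-account="$(sa_email)" --project="$WORKSTATIONS_PROJECT_ID"
}
```

Run DRY_RUN=1 first and read the printed commands; then run setup_cmek for real with credentials that hold Cloud KMS Admin on the key project and Cloud Workstations Admin on the workstations project.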
Rotate customer-managed encryption keys
When you granted the Cloud Workstations Service Agent the Cloud KMS Viewer role (roles/cloudkms.viewer) on the CMEK key, the workstation service became able to detect key rotation and re-encrypt your home disk using the new primary key version.
Re-encryption occurs after you stop your workstation. Each time you stop an encrypted workstation, the workstation service checks whether the key has been rotated. If the key has been rotated, the workstation service creates a snapshot of your workstation's home disk and deletes the disk. The next time you start the workstation, the workstation service creates a new disk from the snapshot, using the new primary key version.
Cloud KMS quotas and Cloud Workstations
When you use CMEK in Cloud Workstations, your projects can consume Cloud KMS cryptographic request quotas. For example, CMEK-encrypted repositories can consume these quotas for each upload or download. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.
External keys
You can use Cloud External Key Manager (Cloud EKM) to encrypt data within Google Cloud using external keys that you manage.
When you use a Cloud EKM key, Google has no control over the availability of your externally managed key. If the key becomes unavailable, your workstation cannot be started.
For more considerations when using external keys, see Cloud External Key Manager.
What's next
- Read about Customer-managed encryption keys.
- Learn What is encryption?
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.