Sign in to my dashboard Create an account

Customer-managed keys for Cloud Volumes Service encryption on Google Cloud

city skyline
Table Of Contents

Share this page

Robert Cox
Robert Cox

When it comes to cloud storage security and data encryption, a single solution for every industry, company, and organization isn’t such a good idea. Different encryption options benefit some users more than others. To help you manage, protect, and secure your data in Google Cloud, we will make support for customer-managed encryption keys (CMEK) generally available soon. Go to the Release Notes page for the latest information.

Storage encryption processes obscure and protect your data from unauthorized access and usage. In NetApp® Cloud Volumes Service for Google Cloud, encryption is a built-in security mechanism that protects data at rest. CMEK adds another layer of security: You create the encryption keys by using Google Cloud Key Management Service (KMS), and these keys are used by the Google server to encrypt data before standard Google Cloud Storage encryption is applied.

Customer-managed encryption keys

The data encryption built into Cloud Volumes Service is the simplest data security and is sufficient for many storage requirements. However, for sensitive data, CMEK can provide additional security and thwart certain attack scenarios. With CMEK, these volume keys are wrapped using keys supplied by Google Cloud KMS. This further protects your data from being read if the underlying storage devices experience unauthorized physical access.

This feature gives you control over the encryption keys used and the added security of storing the keys on a system or in a location different from the data. Cloud Volumes Service supports Google Cloud KMS capabilities such as hardware security modules (HSMs), Cloud External Key Manager (EKM), and the full key management lifecycle (generate, use, rotate, destroy). 

google cloud flowchart

With CMEK, you can use your own encryption key to protect the data in your storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.


Using CMEK makes you solely responsible for your keys and your data. If the Cloud KMS key is destroyed or deactivated, Cloud Volumes Service stops access to any volumes using that key after 60 minutes, and you can no longer create volumes in that region. You lose access to existing volumes and their data unless you restore the key. Neither Google nor NetApp can help you recover the volume data if this happens.

Get more for Google Cloud Storage with Cloud Volumes Service

Although security is one of the most important aspects of enterprise storage deployment, there’s more than Google Cloud Storage encryption to consider when deploying on Google Cloud. You need your storage footprint to be cost efficient and space efficient, protected from data loss, and easy to replicate for dev/test purposes. That’s all possible with Cloud Volumes Service for Google Cloud.

With Cloud Volumes Service, Google Cloud customers now have access to instant NetApp Snapshot copiesdata clone capabilities, and multiple price/performance tiers for NFS and SMB file storage.

More recent enhancements

Request to talk to specialist

Start a free trial

Robert Cox

Robert is a senior product marketing manager with over 20 years of product marketing and product management experience. He is focused on NetApp’s Cloud Data Services, working to enable customers to deliver business outcomes for all IT workloads in cloud, multicloud, and hybrid cloud environments. Robert is an avid cyclist and loves to be outdoors.

View all Posts by Robert Cox

Next Steps

Drift chat loading