By default, Google Cloud automatically encrypts data when it is at rest by using encryption keys that are managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for application-level encryption of Looker (Google Cloud core).
For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.
This page walks you through how to configure a Looker (Google Cloud core) instance to use CMEK.
How does Looker (Google Cloud core) interact with CMEK?
Looker (Google Cloud core) uses a single CMEK key (through a hierarchy of secondary keys) to help protect the sensitive data that is managed by the Looker (Google Cloud core) instance. During startup, each process within the Looker instance makes one initial call to Cloud Key Management Service (Cloud KMS) to decrypt the key. During normal operation (after startup), the entire Looker instance makes a single call to Cloud KMS approximately every five minutes to verify that the key is still valid. If the key version has been disabled or destroyed, or the instance's access to it has been revoked, that check fails and the instance can no longer decrypt the data the key protects, so treat the key's state and its IAM policy as part of the instance's availability.
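As an added example (not code from the Looker documentation or the Looker project), the following POSIX shell script prepares a Cloud KMS key for a Looker (Google Cloud core) instance and performs the check that Looker's periodic Cloud KMS call depends on. It assumes the Looker service agent is named `service-PROJECT_NUMBER@gcp-sa-looker.iam.gserviceaccount.com` and that the key ring lives in the instance's region; the project, key ring, and key names are placeholders. By default (`DRY_RUN=1`) it prints the `gcloud` commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the Looker documentation.
# Assumptions: the Looker service agent has the form
#   service-PROJECT_NUMBER@gcp-sa-looker.iam.gserviceaccount.com
# and the Cloud KMS key ring is in the same region as the Looker instance.
# DRY_RUN=1 (default) prints gcloud commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Full Cloud KMS resource name of a key; this is the value handed to the
# instance when it is created with CMEK.
kms_key_name() {
  # $1 project ID, $2 location, $3 key ring, $4 key
  echo "projects/$1/locations/$2/keyRings/$3/cryptoKeys/$4"
}

# Looker service agent for a project number (assumed format, see above).
looker_service_agent() {
  echo "service-$1@gcp-sa-looker.iam.gserviceaccount.com"
}

# Create the key ring and a symmetric encryption key, then grant the Looker
# service agent the Cloud KMS Encrypter/Decrypter role on that key only.
# Key rings are regional, so the location must match the instance region.
setup_cmek_key() {
  project="$1"; project_number="$2"; location="$3"; keyring="$4"; key="$5"
  run gcloud kms keyrings create "$keyring" \
      --project "$project" --location "$location"
  run gcloud kms keys create "$key" \
      --project "$project" --location "$location" \
      --keyring "$keyring" --purpose encryption
  run gcloud kms keys add-iam-policy-binding "$key" \
      --project "$project" --location "$location" --keyring "$keyring" \
      --member "serviceAccount:$(looker_service_agent "$project_number")" \
      --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Looker re-verifies the key about every five minutes, so anything other
# than an ENABLED primary version eventually takes the instance down.
# $1 is the primary version state as reported by Cloud KMS.
check_key_enabled() {
  [ "$1" = "ENABLED" ]
}

# Fetch the primary version state for a key and evaluate it with
# check_key_enabled. In DRY_RUN mode only the command is printed.
verify_cmek_key() {
  project="$1"; location="$2"; keyring="$3"; key="$4"
  if [ "$DRY_RUN" = "1" ]; then
    run gcloud kms keys describe "$key" --project "$project" \
        --location "$location" --keyring "$keyring" \
        --format 'value(primary.state)'
    return 0
  fi
  state="$(gcloud kms keys describe "$key" --project "$project" \
        --location "$location" --keyring "$keyring" \
        --format 'value(primary.state)')"
  if check_key_enabled "$state"; then
    echo "key $(kms_key_name "$project" "$location" "$keyring" "$key") is ENABLED"
  else
    echo "key primary version state is '$state'; Looker will fail its KMS check" >&2
    return 1
  fi
}
```

Run `setup_cmek_key` once before creating the instance, then schedule `verify_cmek_key` (with `DRY_RUN=0`) as a monitoring check: a disabled or scheduled-for-destruction primary version is the CMEK failure mode that is easiest to cause by accident and hardest to notice until the instance stops serving.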
What kinds of Looker (Google Cloud core) instances support CMEK?
Looker (Google Cloud core) instances support CMEK when two criteria are met:
- The CMEK configuration steps described on this page are completed before the Looker (Google Cloud core) instance is created. You can't enable customer-managed encryption keys on existing instances.
- The instance edition is Enterprise or Embed.
Workflow for creating a Looker (Google Cloud core) instance with CMEK
This page walks you through the following steps to set up CMEK for a Looker (Google Cloud core) instance.
- Set up your environment.
- Google Cloud CLI, Terraform, and API users only: