How to Add CMEK key to existing Cloud SQL

Hello Team

I have created a Cloud SQL database without adding a CMEK key. Now I need to add the CMEK key to the created Cloud SQL database. Please suggest any method to add it.


To add a Customer-Managed Encryption Key (CMEK) to a Cloud SQL database that was created without one, you can follow these steps:

  1. Generate or import the encryption key: First, you need to generate a new encryption key or import an existing one. This key will be used to encrypt and decrypt the data in your Cloud SQL database.

  2. Create a Cloud Key Management Service (Cloud KMS) key ring and key: Use the Cloud KMS service to create a key ring and a key within that key ring. This key will be used to encrypt and decrypt the encryption key you generated or imported in the previous step.

  3. Enable the Cloud SQL API: Make sure the Cloud SQL API is enabled in your Google Cloud project. This API allows you to manage your Cloud SQL databases programmatically.

  4. Update the Cloud SQL instance: Use the Cloud SQL API or the Google Cloud Console to update the Cloud SQL instance and associate it with the Cloud KMS key you created. You'll need to provide the key ring name, key name, and key version.

  5. Restart the Cloud SQL instance: After associating the Cloud SQL instance with the CMEK key, you'll need to restart the instance for the changes to take effect. You can do this using the Cloud SQL API or the Google Cloud Console.

You cannot apply a CMEK to a Cloud SQL instance that was created without one.

If you need to protect an existing Cloud SQL instance with a CMEK, you will need to create a new instance with CMEK enabled and then migrate your data from the old instance to the new one.
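The route this reply describes, written out as an added example (it is not part of the thread and not Google's own tooling): create a Cloud KMS key, let the Cloud SQL service agent use it, create the replacement instance with that key, copy the data across through a bucket, and then confirm from the instance's own metadata which key protects it. Every project, region, instance, key, bucket and database name is a placeholder for the reader's environment, and the `run`/`query` wrappers and `DRY_RUN` switch are this example's convention for reviewing the plan before anything is created.

```shell
#!/usr/bin/env sh
# Added example, not from the thread: stand up a CMEK-protected Cloud SQL
# instance and move data into it from a non-CMEK one. All names are placeholders.
PROJECT=${PROJECT:-my-project}
REGION=${REGION:-us-central1}            # key and instance must share a region
KEYRING=${KEYRING:-cloudsql-ring}
KEY=${KEY:-cloudsql-key}
OLD_INSTANCE=${OLD_INSTANCE:-app-db}     # existing instance, Google-managed encryption
NEW_INSTANCE=${NEW_INSTANCE:-app-db-cmek}
DB_VERSION=${DB_VERSION:-POSTGRES_15}
TIER=${TIER:-db-custom-2-7680}
DB_NAME=${DB_NAME:-appdb}
BUCKET=${BUCKET:-gs://my-project-sql-migration}

# run: execute a command, or with DRY_RUN=1 just print it for review.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# query: like run, but for commands whose output is needed later; in dry-run
# mode the command goes to stderr and the supplied placeholder is returned.
query() {
  placeholder=$1; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*" >&2; printf '%s\n' "$placeholder"
  else
    "$@"
  fi
}

key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$PROJECT" "$REGION" "$KEYRING" "$KEY"
}

create_key() {
  run gcloud services enable sqladmin.googleapis.com cloudkms.googleapis.com --project "$PROJECT"
  run gcloud kms keyrings create "$KEYRING" --location "$REGION" --project "$PROJECT"
  run gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$REGION" \
    --purpose encryption --project "$PROJECT"
}

# The Cloud SQL service agent, not the engineer running this, wraps and unwraps
# the disk keys, so it is the identity that needs the KMS role.
grant_sql_service_agent() {
  run gcloud beta services identity create --service sqladmin.googleapis.com --project "$PROJECT"
  project_number=$(query 123456789012 gcloud projects describe "$PROJECT" \
    --format 'value(projectNumber)')
  run gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$REGION" \
    --project "$PROJECT" \
    --member "serviceAccount:service-${project_number}@gcp-sa-cloud-sql.iam.gserviceaccount.com" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# CMEK is chosen at creation time; there is no flag that attaches a key later.
create_cmek_instance() {
  run gcloud sql instances create "$NEW_INSTANCE" --project "$PROJECT" --region "$REGION" \
    --database-version "$DB_VERSION" --tier "$TIER" \
    --disk-encryption-key "$(key_resource)"
}

# Copy the data through a bucket that both instances' service accounts can use.
migrate_data() {
  dump="${BUCKET}/${OLD_INSTANCE}.sql.gz"
  run gcloud storage buckets create "$BUCKET" --project "$PROJECT" --location "$REGION"
  for inst in "$OLD_INSTANCE" "$NEW_INSTANCE"; do
    sa=$(query "${inst}@example.iam.gserviceaccount.com" gcloud sql instances describe "$inst" \
      --project "$PROJECT" --format 'value(serviceAccountEmailAddress)')
    run gcloud storage buckets add-iam-policy-binding "$BUCKET" \
      --member "serviceAccount:${sa}" --role roles/storage.objectAdmin
  done
  run gcloud sql export sql "$OLD_INSTANCE" "$dump" --database "$DB_NAME" --project "$PROJECT"
  run gcloud sql databases create "$DB_NAME" --instance "$NEW_INSTANCE" --project "$PROJECT"
  run gcloud sql import sql "$NEW_INSTANCE" "$dump" --database "$DB_NAME" --project "$PROJECT" --quiet
}

# Ask the instance which key it uses; an empty value means Google-managed keys.
verify_cmek() {
  query "$(key_resource)" gcloud sql instances describe "$NEW_INSTANCE" --project "$PROJECT" \
    --format 'value(diskEncryptionConfiguration.kmsKeyName)'
}

migrate_to_cmek() {
  create_key
  grant_sql_service_agent
  create_cmek_instance
  migrate_data
  key=$(verify_cmek)
  if [ "$key" != "$(key_resource)" ]; then
    printf 'expected %s, instance reports "%s"\n' "$(key_resource)" "$key" >&2
    return 1
  fi
  printf 'new instance %s is protected by %s\n' "$NEW_INSTANCE" "$key"
}

# Nothing runs on load; CMEK_EXECUTE=1 runs the plan, DRY_RUN=1 only prints it.
if [ "${CMEK_EXECUTE:-0}" = "1" ]; then migrate_to_cmek; fi
```

`CMEK_EXECUTE=1 DRY_RUN=1 sh migrate.sh` prints every command without creating anything; drop `DRY_RUN` to execute. Because this is an export and import rather than replication, writes that reach the old instance between the export and the cutover are lost unless the application is paused, so for a busy database a continuous-replication tool such as Database Migration Service keeps that window short. Two things that bite in practice: the key must be in the same region as the instance, and the KMS grant has to go to the Cloud SQL service agent (`service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com`) rather than to whoever runs the script. Once the instance depends on the key, disabling or destroying the key version makes the instance and its backups unreadable, so the key's lifecycle and IAM need to be managed with that in mind.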

Yes, you are right, we cannot encrypt any existing disk or SQL instance using CMEK; the only way to do it is to create a new SQL instance and encrypt it using CMEK while creating it.