Encryption at rest in Elastic Cloud: Bring your own key with Google Cloud

Now that we’ve introduced Elastic Cloud encryption at rest and walked you through setting it up in AWS and Azure, it’s time to get you set up in Google Cloud. 

In this final blog of the series, we will explain how encryption at rest works with Google Cloud Key Management Service (KMS) and then show you how to apply a Google Cloud KMS key to an Elastic Cloud Hosted deployment for encrypting data and snapshots at rest. We’ll also show you how to validate your setup and implement additional security policies, such as encryption key rotation and revocation.

1. Get your own key: Creating an Elastic deployment with a customer provided encryption key is also known as Bring Your Own Key (BYOK). To create an Elastic deployment with BYOK, you need to have Google Identity and Access Management (IAM) permissions to create a Google Cloud key using the Cloud KMS. The key must be created on a Google Cloud key ring in the same region as the Elastic deployment that you’re going to encrypt.

2. Upgrade to Enterprise: An Enterprise license is required for BYOK.

3. Access control: You also need permissions to manage access to your new key resource using Google IAM. This is required to grant the service principles used by Elastic to access your key.

After you’ve logged in to the console, click the Create deployment button.

Enter a name for your deployment and select Google Cloud as your cloud provider. Expand the Advanced settings section and enable the Use a customer-managed encryption key option. Copy the Elastic service account and the Google Cloud Platform cloud storage service agent to save these values somewhere handy for a later step.

For now, we’ll leave the create deployment page as it is and open a new browser tab, where we’ll create a Google Cloud key that we’ll use to encrypt the deployment.

Click Create Key.

Enter a Key Name for the key to be created and click Create.

Select the newly created key to see its details.

Select the key’s Permissions tab.

Select Grant Access.

Paste in the Elastic service account in the New Principals field and assign it the roles Cloud KMS CryptoKey Encrypter/Decrypter and Cloud KMS Viewer. Click Save.

Select the key’s Grant Access button again.

Paste in the Google Cloud Platform cloud storage agent in the New Principals field and assign it the role Cloud KMS CryptoKey Encrypter/Decrypter. Click Save.

Click on the Back to key ring details button.

Click the Action button for the key and select Copy resource name.

Return to the Elastic Cloud portal to complete the deployment creation that you started at the outset of this blog post. Within the Advanced Settings, under Encryption at rest, paste in the Google Cloud Key resource name. It should be in the following format:

Click Create deployment.

The deployment is now created and encrypted using the specified Google Cloud key.

Select Manage encryption key in the Encryption at rest section.

You should see your Google Cloud key resource name. 

Key rotations are managed in the Google Cloud Key Management service. You can manually rotate keys or set up automatic rotation. Key rotation operations made in Google Cloud KMS will take effect in Elastic Cloud within a day.

Revoking a key in the Google Cloud KMS is a break-glass procedure in case of a security breach. Elastic Cloud will receive an error within a 30-minute period if an encryption key is disabled or deleted, or if the assigned role is removed from the IAM permissions.  

The revocation can be rolled back if the action was unintended. Otherwise, Elastic Cloud locks the directories in which your deployment data live and prompts you to delete your deployment as an increased security measure.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.