{GCP Cloud KMS} Protecting resources with Cloud KMS keys


https://cloud.google.com/compute/docs/disks/customer-managed-encryption?hl=ja

https://qiita.com/atsumjp/items/b872744d69686a1fc783

https://blog.g-gen.co.jp/entry/cloud-kms-explained

Customer-managed encryption keys (CMEK)
Customer-supplied encryption keys (CSEK)


Here, customer-managed encryption keys (CMEK) are used.


※ Neither crypto keys nor key rings can be deleted. Key versions can be deleted (destroyed).


-- 1. Preparation

gcloud init
gcloud auth list

gcloud --version

gcloud projects create project01-9999999 \
--name="project01"

gcloud config list
gcloud config set project project01-9999999
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet

gcloud beta billing accounts list
gcloud beta billing projects link project01-9999999 --billing-account=111111-111111-111111

gcloud services enable compute.googleapis.com --project project01-9999999

gcloud components update


-- 2. Enable the Cloud KMS API

gcloud services list --enabled

gcloud services enable cloudkms.googleapis.com


-- 3. Create a key ring

gcloud kms keyrings create keyring01 \
--location asia-northeast1

gcloud kms keyrings list \
--location asia-northeast1

gcloud kms keyrings describe keyring01 \
--location asia-northeast1



-- 4. Create a key

gcloud kms keys create key01 \
--location asia-northeast1 \
--keyring keyring01 \
--purpose encryption \
--protection-level software

gcloud kms keys list \
--keyring=keyring01 \
--location=asia-northeast1

gcloud kms keys describe key01 \
--location asia-northeast1 \
--keyring keyring01


-- 5. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Compute Engine Service Agent

gcloud projects add-iam-policy-binding project01-9999999 \
--member serviceAccount:service-11111111111@compute-system.iam.gserviceaccount.com \
--role roles/cloudkms.cryptoKeyEncrypterDecrypter


-- 6. Create a VM with an encrypted disk

A new persistent disk can be encrypted by specifying the key when creating the VM or the disk.



gcloud compute instances create vm01 \
--machine-type=e2-micro \
--image-project=debian-cloud \
--image-family=debian-10 \
--provisioning-model=SPOT \
--instance-termination-action=STOP \
--zone asia-northeast1-a \
--boot-disk-kms-key projects/project01-9999999/locations/asia-northeast1/keyRings/keyring01/cryptoKeys/key01


gcloud compute instances list
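Creating the VM with --boot-disk-kms-key does not by itself prove the disk landed on the intended key (a typo in the resource path, or a project where the service agent lacks the role, can leave you with a Google-managed key instead). The following check script is an added example, not part of the original note: it rebuilds the key resource name from the values used in this note (project01-9999999, asia-northeast1, keyring01, key01 and the vm01 boot disk, which Compute Engine names after the instance by default) and compares it against what the disk reports. Compute Engine reports the key with a trailing /cryptoKeyVersions/N, so the version suffix is stripped before comparing. The gcloud calls only run when gcloud is installed; the helper functions run offline.

```shell
#!/bin/sh
# Added example (not from the original note): verify that vm01's boot disk
# is actually encrypted with the CMEK key created in steps 3-4.
# Values below are the placeholders used throughout this note.

PROJECT_ID="project01-9999999"
LOCATION="asia-northeast1"
ZONE="asia-northeast1-a"
KEYRING="keyring01"
KEY="key01"

# Full resource name of the key, in the form --boot-disk-kms-key expects.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Compute Engine reports the key as .../cryptoKeys/key01/cryptoKeyVersions/1;
# drop the version so the comparison is against the key, not one version.
strip_version() {
  printf '%s\n' "$1" | sed 's#/cryptoKeyVersions/[0-9]*$##'
}

# Returns 0 when the observed disk key matches the expected key.
# An empty observed value means the disk fell back to Google-managed encryption.
check_disk_key() {
  expected="$1"
  observed="$2"
  [ -n "$observed" ] || return 1
  [ "$(strip_version "$observed")" = "$expected" ]
}

EXPECTED_KEY="$(kms_key_name "$PROJECT_ID" "$LOCATION" "$KEYRING" "$KEY")"

if command -v gcloud >/dev/null 2>&1; then
  # The boot disk of vm01 is named vm01 unless --boot-disk-device-name was set.
  observed="$(gcloud compute disks describe vm01 --zone "$ZONE" \
    --format='value(diskEncryptionKey.kmsKeyName)')"
  if check_disk_key "$EXPECTED_KEY" "$observed"; then
    echo "vm01 boot disk is encrypted with $EXPECTED_KEY"
  else
    echo "vm01 boot disk is NOT using the expected CMEK key (got: '${observed:-<none>}')" >&2
    exit 1
  fi
fi
```

One further point on step 5: the project-level add-iam-policy-binding there lets the Compute Engine service agent use every key in the project. The same role can instead be granted on this one key with `gcloud kms keys add-iam-policy-binding key01 --location asia-northeast1 --keyring keyring01 --member serviceAccount:service-11111111111@compute-system.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter`, which is the narrower grant to prefer once more than one key lives in the project.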


-- 7. Cleanup

gcloud compute instances delete vm01 --quiet

gcloud kms keys versions list \
--location asia-northeast1 \
--keyring keyring01 \
--key=key01

gcloud kms keys versions disable 1 \
--location asia-northeast1 \
--keyring keyring01 \
--key=key01

gcloud kms keys versions destroy 1 \
--location asia-northeast1 \
--keyring keyring01 \
--key=key01



gcloud projects list
gcloud projects delete project01-9999999