https://cloud.google.com/compute/docs/disks/customer-managed-encryption?hl=ja
https://qiita.com/atsumjp/items/b872744d69686a1fc783
https://blog.g-gen.co.jp/entry/cloud-kms-explained
顧客管理の暗号鍵(CMEK)
顧客指定の暗号鍵(CSEK)
ここでは、顧客管理の暗号鍵(CMEK)を使用する
※ 暗号鍵もキーリングも削除不可。鍵バージョンは削除可能
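#!/usr/bin/env bash
# Runbook: create a Compute Engine VM whose boot disk is encrypted with a
# customer-managed encryption key (CMEK) held in Cloud KMS, then clean up.
#
# The original notes used "--" as section markers and a bare prose line,
# neither of which is a shell comment, so the listing could not be run as a
# script; the hard-coded project number in the service-agent address was also
# a placeholder. Both are fixed here: sections are "#" comments and the project
# number is looked up from the project itself.
#
# Values taken verbatim from the notes (project id, billing account) are
# placeholders; export BILLING_ACCOUNT to override the billing one.
# NOTE: Cloud KMS keys and key rings cannot be deleted; only key versions can
# be disabled/destroyed (see the cleanup section).
set -euo pipefail

readonly PROJECT_ID=project01-9999999
readonly BILLING_ACCOUNT=${BILLING_ACCOUNT:-111111-111111-111111}  # placeholder from the notes
readonly REGION=asia-northeast1
readonly ZONE=asia-northeast1-a
readonly KEYRING=keyring01
readonly KEY=key01
readonly VM=vm01

# 1. Preparation: project, billing, default region/zone, Compute Engine API.
# gcloud init is interactive; run this section by hand if that is a problem.
gcloud init
gcloud auth list
gcloud --version
gcloud projects create "$PROJECT_ID" \
  --name="project01"
gcloud config list
gcloud config set project "$PROJECT_ID"
gcloud config set compute/region "$REGION" --quiet
gcloud config set compute/zone "$ZONE" --quiet
gcloud beta billing accounts list
gcloud beta billing projects link "$PROJECT_ID" --billing-account="$BILLING_ACCOUNT"
gcloud services enable compute.googleapis.com --project "$PROJECT_ID"
gcloud components update

# 2. Enable the Cloud KMS API.
gcloud services list --enabled
gcloud services enable cloudkms.googleapis.com

# 3. Create the key ring, in the same region as the VM's zone.
gcloud kms keyrings create "$KEYRING" \
  --location="$REGION"
gcloud kms keyrings list \
  --location="$REGION"
gcloud kms keyrings describe "$KEYRING" \
  --location="$REGION"

# 4. Create a symmetric encryption key at the software protection level.
gcloud kms keys create "$KEY" \
  --location="$REGION" \
  --keyring="$KEYRING" \
  --purpose=encryption \
  --protection-level=software
gcloud kms keys list \
  --keyring="$KEYRING" \
  --location="$REGION"
gcloud kms keys describe "$KEY" \
  --location="$REGION" \
  --keyring="$KEYRING"

# 5. Grant Cloud KMS CryptoKey Encrypter/Decrypter to the Compute Engine
# service agent. Its address is
#   service-<PROJECT_NUMBER>@compute-system.iam.gserviceaccount.com
# so the project number is looked up rather than hard-coded. The agent is
# presumably only present once the Compute Engine API from step 1 is enabled.
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
readonly PROJECT_NUMBER
# Least-privilege alternative: bind the role on the key only, via
#   gcloud kms keys add-iam-policy-binding "$KEY" --location="$REGION" --keyring="$KEYRING" \
#     --member=... --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
# The project-level binding below matches the original notes and covers every
# key in the project.
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

# 6. Create a VM whose boot disk is encrypted with the key.
# A new persistent disk is encrypted by naming the key when the VM or the disk
# is created.
gcloud compute instances create "$VM" \
  --machine-type=e2-micro \
  --image-project=debian-cloud \
  --image-family=debian-10 \
  --provisioning-model=SPOT \
  --instance-termination-action=STOP \
  --zone="$ZONE" \
  --boot-disk-kms-key="projects/${PROJECT_ID}/locations/${REGION}/keyRings/${KEYRING}/cryptoKeys/${KEY}"
gcloud compute instances list

# 7. Cleanup. The VM is deleted before the key version is touched: a disk
# still encrypted with a destroyed version can no longer be read.
gcloud compute instances delete "$VM" --quiet
gcloud kms keys versions list \
  --location="$REGION" \
  --keyring="$KEYRING" \
  --key="$KEY"
# Version 1 is the version created together with the key in step 4.
gcloud kms keys versions disable 1 \
  --location="$REGION" \
  --keyring="$KEYRING" \
  --key="$KEY"
# destroy schedules destruction rather than removing the version at once; the
# version can be restored until that schedule elapses.
gcloud kms keys versions destroy 1 \
  --location="$REGION" \
  --keyring="$KEYRING" \
  --key="$KEY"
gcloud projects list
gcloud projects delete "$PROJECT_ID"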