
disk-encryption-customer-keys

Explanation

By default, Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.

If a disk_encryption_key block is included in the resource declaration, it must set either raw_key or kms_key_self_link; an empty block does not satisfy the check.

Possible Impact

The disk is encrypted with keys that are not managed by the customer, so key rotation, access control and revocation of the key are outside the customer's control.

Suggested Resolution

Enable encryption using a customer-managed key.

Insecure Example

The following example will fail the google-compute-disk-encryption-customer-keys check.

resource "google_compute_disk" "bad_example" {
    # No disk_encryption_key block: the disk falls back to Google-managed encryption
    # ...
}

Secure Example

The following example will pass the google-compute-disk-encryption-customer-keys check.

resource "google_compute_disk" "good_example" {
    disk_encryption_key {
        # "something" is a placeholder; use the self link of a Cloud KMS crypto key
        kms_key_self_link = "something"
    }
}
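To make the rule concrete, here is an added example (written for this page, not part of the tfsec/trivy project) that implements the check described in the Explanation as a small Python scanner over Terraform text. It finds every google_compute_disk resource, requires a disk_encryption_key block, and requires that block to set kms_key_self_link or raw_key. The HCL it scans is constructed inline: the page's insecure and secure examples (with a placeholder key path of my own), plus a third resource with an empty disk_encryption_key block, which the rule also rejects. The brace-matching parser is deliberately simple and assumes no braces inside string literals or comments.

```python
import re

# Constructed sample input (not from the page): the insecure and secure
# examples above, an empty-block case, and an unrelated resource that the
# check must ignore. The key path is a placeholder, not a real key.
SAMPLE_HCL = '''
resource "google_compute_disk" "bad_example" {
    name = "bad-disk"
    zone = "us-central1-a"
}

resource "google_compute_disk" "good_example" {
    name = "good-disk"
    zone = "us-central1-a"
    disk_encryption_key {
        kms_key_self_link = "projects/PLACEHOLDER/locations/global/keyRings/PLACEHOLDER/cryptoKeys/PLACEHOLDER"
    }
}

resource "google_compute_disk" "empty_block" {
    name = "empty-disk"
    disk_encryption_key {
    }
}

resource "google_compute_instance" "unrelated" {
    name = "vm"
}
'''

# Opening line of a google_compute_disk resource; the match ends on its "{".
RESOURCE_RE = re.compile(r'resource\s+"google_compute_disk"\s+"([^"]+)"\s*\{')
# Opening line of a nested disk_encryption_key block; the match ends on its "{".
BLOCK_RE = re.compile(r'\bdisk_encryption_key\s*\{')
# Either attribute the check accepts, as an assignment at the start of a line.
KEY_ATTR_RE = re.compile(r'^\s*(kms_key_self_link|raw_key)\s*=', re.MULTILINE)


def _block_body(text, open_brace_idx):
    """Return the text between the brace at open_brace_idx and its matching close.

    Simplification: braces inside strings or comments are not handled.
    """
    depth = 0
    for i in range(open_brace_idx, len(text)):
        ch = text[i]
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                return text[open_brace_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def check_disk_encryption(hcl_text):
    """Map each google_compute_disk resource name to a finding string, or None if it passes."""
    results = {}
    for m in RESOURCE_RE.finditer(hcl_text):
        name = m.group(1)
        body = _block_body(hcl_text, m.end() - 1)
        blk = BLOCK_RE.search(body)
        if blk is None:
            results[name] = "disk_encryption_key block missing"
            continue
        inner = _block_body(body, blk.end() - 1)
        if KEY_ATTR_RE.search(inner) is None:
            results[name] = "disk_encryption_key sets neither kms_key_self_link nor raw_key"
        else:
            results[name] = None
    return results


def failing_resources(hcl_text):
    """Sorted names of google_compute_disk resources that fail the check."""
    return sorted(n for n, f in check_disk_encryption(hcl_text).items() if f)


if __name__ == "__main__":
    for name, finding in check_disk_encryption(SAMPLE_HCL).items():
        print(f"{name}: {finding or 'OK'}")
```

Running the script reports bad_example and empty_block as failing and good_example as passing; the google_compute_instance resource is skipped because the check applies only to google_compute_disk. A production scanner would parse HCL properly (including string literals that contain braces) rather than rely on regular expressions, but the decision logic is the same: the block must exist and must carry one of the two key attributes.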