Skip to content

Disks should be encrypted with customer managed encryption keys

Default Severity: low

Explanation

Using unmanaged keys makes rotation and general management difficult.

Possible Impact

Using unmanaged keys does not allow for proper key management.

Suggested Resolution

Use managed keys to encrypt disks.

Insecure Example

The following example will fail the google-compute-disk-encryption-customer-key check.

 resource "google_compute_disk" "bad_example" {
   name  = "test-disk"
   type  = "pd-ssd"
   zone  = "us-central1-a"
   image = "debian-9-stretch-v20200805"
   labels = {
     environment = "dev"
   }
   physical_block_size_bytes = 4096
 }

Secure Example

The following example will pass the google-compute-disk-encryption-customer-key check.

 resource "google_compute_disk" "good_example" {
   name  = "test-disk"
   type  = "pd-ssd"
   zone  = "us-central1-a"
   image = "debian-9-stretch-v20200805"
   labels = {
     environment = "dev"
   }
   physical_block_size_bytes = 4096
   disk_encryption_key {
     kms_key_self_link = "something"
   }
 }