More Info:

Ensures Customer Supplied Encryption Key is enabled on disks. Google encrypts all disks at rest by default. By using CSEK only authorized team members with the keys can access the disk. Anyone else, including Google, cannot access the disk data.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Customer Supplied Encryption Key Should Be Enabled For Disks” for GCP using GCP console, please follow the below steps:
  1. Open the GCP Console and select the project for which you want to enable Customer Supplied Encryption Key.
  2. In the left navigation menu, select “Compute Engine” and then select “Disks”.
  3. Select the disk for which you want to enable Customer Supplied Encryption Key.
  4. Click on “Edit” at the top of the page.
  5. In the Encryption section, select “Customer-supplied encryption key”.
  6. Enter the 256-bit encryption key in the “Key” field.
  7. Click on “Save” to save the changes.
Once you have completed the above steps, the disk will be encrypted using the customer-supplied encryption key. It is recommended to create a backup of the encryption key and store it in a secure location, as it will be required to access the data on the disk.

To remediate the “Customer Supplied Encryption Key Should Be Enabled For Disks” misconfiguration in GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to check if the customer-supplied encryption key is enabled for the disks: 
    gcloud compute disks describe [DISK_NAME] --zone=[ZONE] --format="value(satisfiesPzs)"
    Replace [DISK_NAME] with the name of the disk that you want to check and [ZONE] with the zone in which the disk is located.
  3. If the output of the previous command is “False”, then the customer-supplied encryption key is not enabled for the disk. To enable it, run the following command: 
    gcloud compute disks add-iam-policy-binding [DISK_NAME] --zone=[ZONE] --member user:[USER_EMAIL] --role roles/compute.diskEncrypterDecrypter
    Replace [DISK_NAME] with the name of the disk that you want to encrypt and [ZONE] with the zone in which the disk is located. Replace [USER_EMAIL] with the email address of the user who will be able to encrypt and decrypt the disk.
  4. After running the above command, the customer-supplied encryption key will be enabled for the disk. You can verify it by running the following command: 
    gcloud compute disks describe [DISK_NAME] --zone=[ZONE] --format="value(satisfiesPzs)"
    The output of the above command should be “True”, indicating that the customer-supplied encryption key is enabled for the disk.
By following the above steps, you can remediate the “Customer Supplied Encryption Key Should Be Enabled For Disks” misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration “Customer Supplied Encryption Key Should Be Enabled For Disks” in GCP using Python, you can follow the below steps:Step 1: Install the required packages
!pip install google-cloud-storage google-auth google-auth-oauthlib google-auth-httplib2
Step 2: Authenticate to GCP
from google.colab import auth
auth.authenticate_user()
Step 3: Import the required libraries
from google.cloud import storage
from google.oauth2 import service_account
Step 4: Create a service account and grant it the required permissions
credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key>')
Step 5: Create a function to enable customer-supplied encryption key for disks
def enable_csek(project_id, zone, instance_name, disk_name, encryption_key):
    """
    This function enables customer-supplied encryption key for a disk in a GCP VM instance.
    """
    # Create the compute client
    compute_client = compute_v1.InstancesClient(credentials=credentials)
    
    # Get the instance resource URL
    instance_url = f'/projects/{project_id}/zones/{zone}/instances/{instance_name}'
    
    # Get the disk resource URL
    disk_url = f'/compute/v1/projects/{project_id}/zones/{zone}/disks/{disk_name}'
    
    # Create the disk encryption key resource
    disk_encryption_key_resource = {
        "rawKey": encryption_key,
        "rsaEncryptedKey": None,
        "kmsKeyName": None
    }
    
    # Create the disk resource with the customer-supplied encryption key
    disk_resource = {
        "sourceDisk": disk_url,
        "diskEncryptionKey": disk_encryption_key_resource,
        "autoDelete": False,
        "boot": False,
        "interface": "SCSI",
        "mode": "READ_WRITE",
        "autoResize": False,
        "sizeGb": None,
        "type": None
    }
    
    # Create the update mask
    update_mask = 'diskEncryptionKey'
    
    # Update the instance to enable customer-supplied encryption key for the disk
    operation = compute_client.attach_disk(instance=instance_url, disk=disk_resource, update_mask=update_mask)
    
    # Wait for the operation to complete
    operation.result()
    
    print(f'Successfully enabled customer-supplied encryption key for disk {disk_name} in instance {instance_name}.')
Step 6: Call the function to enable customer-supplied encryption key for the disk
enable_csek(project_id='<project-id>', zone='<zone>', instance_name='<instance-name>', disk_name='<disk-name>', encryption_key='<encryption-key>')
Note: Replace the placeholders <project-id>, <zone>, <instance-name>, <disk-name>, and <encryption-key> with the actual values for your GCP project.

Additional Reading: