1. Login to the Google Cloud Console.
2. Navigate to the Spanner database instance for which you want to enable the backup encryption.
3. Click on the “Edit” button on the top of the page.
4. Scroll down to the “Backup” section and click on it.
5. In the “Backup Encryption” section, select the “Enabled” option.
6. Choose a key version to encrypt the backups. You can either use a customer-managed encryption key or Google-managed encryption key.
7. If you choose a customer-managed encryption key, select the key from the dropdown list. If you choose Google-managed encryption key, then select the key version from the dropdown list.
8. Click on the “Save” button to save the changes.

​

1. Open the Cloud Shell in the GCP console.
2. Run the following command to enable backup encryption for the Spanner database:
   Copy

   Ask AI

   gcloud spanner databases update [DATABASE_ID] --backup-encryption-config kms-key-name=[KMS_KEY_NAME]
   

   Replace [DATABASE_ID] with the ID of the Spanner database and [KMS_KEY_NAME] with the name of the KMS key used to encrypt the backups. For example:
   Copy

   Ask AI

   gcloud spanner databases update my-database --backup-encryption-config kms-key-name=my-key
   

3. Verify that backup encryption is enabled by running the following command:
   Copy

   Ask AI

   gcloud spanner databases describe [DATABASE_ID] --format="value(backupConfig.encryptionConfig.kmsKeyName)"
   

   Replace [DATABASE_ID] with the ID of the Spanner database. The output should show the name of the KMS key used to encrypt the backups. For example:
   Copy

   Ask AI

   gcloud spanner databases describe my-database --format="value(backupConfig.encryptionConfig.kmsKeyName)"
   

4. Repeat steps 2-3 for each Spanner database in your GCP project.

1. Install the required libraries:

!pip install google-cloud-spanner

2. Set up the authentication credentials for the GCP project:

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

3. Import the required libraries:

from google.cloud import spanner_v1
from google.cloud.spanner_v1 import Backup
from google.cloud.spanner_v1 import BackupEncryptionConfig

4. Initialize the Spanner client:

spanner_client = spanner_v1.Client(credentials=credentials)

5. Get the instance and database IDs:

instance_id = 'your-instance-id'
database_id = 'your-database-id'

6. Get the backup configuration:

instance = spanner_client.instance(instance_id)
database = instance.database(database_id)
backup_config = database.backup_config

7. Check if backup encryption is enabled:

if backup_config.encryption_config.encryption_type == BackupEncryptionConfig.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION:
    print('Backup encryption is already enabled.')
else:
    print('Backup encryption is not enabled.')

8. If backup encryption is not enabled, enable it:

backup_config.encryption_config.encryption_type = BackupEncryptionConfig.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION
database.update_backup_config(backup_config)
print('Backup encryption has been enabled.')

9. Verify that backup encryption is enabled:

backup_config = database.backup_config
if backup_config.encryption_config.encryption_type == BackupEncryptionConfig.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION:
    print('Backup encryption is enabled.')
else:
    print('Backup encryption is not enabled.')