BYOK for tenants on GCP
Learn more about the Bring Your Own Key (BYOK) for a tenant based on Google Cloud Platform (GCP).
By default, the data of every tenant on Google Cloud Platform (GCP) is encrypted with Reltio-managed keys. If you add the Reltio Shield subscription to your Reltio Data Cloud Subscription, you can bring your own keys (BYOK) to encrypt and protect your data while retaining ownership and control of those keys. We recommend enabling Reltio Shield when you create a new tenant. For an existing tenant, you can enable Shield and switch to customer-managed keys, but this requires a data migration: GCP does not allow the encryption key of an existing database to be changed, so the data must be moved into a new database created with your key. The migration time depends on the size of your tenant.
Pre-requisites for creating keys
You must first obtain the main and backup regions of your tenant, as well as the Google-managed service accounts to which you must grant access to your keys.
Use the following endpoint to get these details:
GET /tenants/spanner/encryption/gcp/info
Response
{
"accounts": [
"service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com",
"service-123456789012@gs-project-accounts.iam.gserviceaccount.com",
"service-123456789012@dataflow-service-producer-prod.iam.gserviceaccount.com"
],
"mainRegion": "us-central1",
"backupRegion": "us-west1"
}
You must provide two Google Cloud KMS keys to Reltio: one for the database in the main region and one for the backups in the backup region.
Create your own keys
You can create your own keys in the Google Cloud Console or with the Google Cloud CLI. For more information, see https://cloud.google.com/kms/docs/create-key#create-symmetric.
Before creating these keys, ensure that:
- Each key is in a key ring located in the same region as the tenant's database (main region) or backups (backup region). A key ring in the global location, or in any other region, cannot be used. For example, if the database is in us-central1, the KMS key must also be in us-central1. You can check with our Customer Support for details about the regions.
- The key ring name and the key name are identical in both regions.
- The Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) is granted on both keys to every service account returned by the endpoint above, for example service-<project-id>@gcp-sa-spanner.iam.gserviceaccount.com and service-<project-id>@gs-project-accounts.iam.gserviceaccount.com. If you prefer to use a custom role, it must include these permissions: cloudkms.cryptoKeyVersions.useToDecrypt, cloudkms.cryptoKeyVersions.useToEncrypt, cloudkms.locations.get, cloudkms.locations.list, resourcemanager.projects.get.
- To enable Shield, provide both keys to Reltio as full resource names in the following format:
projects/{{projectId}}/locations/{{mainRegion}}/keyRings/{{keyRingId}}/cryptoKeys/{{keyId}}
projects/{{projectId}}/locations/{{backupRegion}}/keyRings/{{keyRingId}}/cryptoKeys/{{keyId}}
Note: The key material never leaves your environment. What you share with Reltio is a reference to each key (its resource name), which Reltio uses to request encryption and decryption from Cloud KMS under the access you granted.
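The following POSIX shell script is an added example, not Reltio's own tooling, that walks through the procedure above: it creates a regional key ring and symmetric key in the main and backup regions, grants the Cloud KMS CryptoKey Encrypter/Decrypter role on each key to every service account from the info endpoint, checks a key's IAM policy for accounts that are still missing, and prints the two resource names in the format Reltio expects. The project id (my-gcp-project), key ring (reltio-shield) and key name (reltio-tenant-key) are hypothetical; the regions and service accounts are copied from the sample response above. With DRY_RUN=1 (the default) the script only prints the gcloud commands; set DRY_RUN=0 to run them.

```shell
#!/bin/sh
# Added example (not Reltio's code): create the two Reltio Shield keys on GCP
# and grant the Reltio service accounts access to them. Names below are
# hypothetical; DRY_RUN=1 (default) prints gcloud commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # hypothetical customer project
KEY_RING="${KEY_RING:-reltio-shield}"       # must be identical in both regions
KEY_ID="${KEY_ID:-reltio-tenant-key}"       # must be identical in both regions
MAIN_REGION="us-central1"                   # from GET /tenants/spanner/encryption/gcp/info
BACKUP_REGION="us-west1"
ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Service accounts constructed from the sample info-endpoint response above.
ACCOUNTS="service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
service-123456789012@gs-project-accounts.iam.gserviceaccount.com
service-123456789012@dataflow-service-producer-prod.iam.gserviceaccount.com"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full Cloud KMS resource name in the format Reltio expects.
kms_key_name() {  # project region keyring key
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Create a key ring and a symmetric encryption key in one region. The key ring
# must be regional (same region as the database or backups), never "global".
# gcloud fails if the key ring already exists; rerun with only grant_access then.
create_key() {  # region
  region="$1"
  run gcloud kms keyrings create "$KEY_RING" --location="$region" --project="$PROJECT_ID"
  run gcloud kms keys create "$KEY_ID" --keyring="$KEY_RING" --location="$region" \
      --purpose=encryption --project="$PROJECT_ID"
}

# Grant the Encrypter/Decrypter role on the key in one region to every account.
grant_access() {  # region
  region="$1"
  printf '%s\n' "$ACCOUNTS" | while IFS= read -r account; do
    [ -n "$account" ] || continue
    run gcloud kms keys add-iam-policy-binding "$KEY_ID" --keyring="$KEY_RING" \
        --location="$region" --project="$PROJECT_ID" \
        --member="serviceAccount:$account" --role="$ROLE"
  done
}

# Read a key's IAM policy (JSON) from stdin and print each expected account that
# does not appear in it. This is a plain substring check, so it does not confirm
# which role the member is bound to; use it as a quick sanity check only.
missing_accounts() {
  policy="$(cat)"
  printf '%s\n' "$ACCOUNTS" | while IFS= read -r account; do
    [ -n "$account" ] || continue
    case "$policy" in
      *"serviceAccount:$account"*) ;;
      *) printf '%s\n' "$account" ;;
    esac
  done
}

main() {
  for region in "$MAIN_REGION" "$BACKUP_REGION"; do
    create_key "$region"
    grant_access "$region"
    # Verification step (only meaningful when DRY_RUN=0):
    if [ "$DRY_RUN" != "1" ]; then
      gcloud kms keys get-iam-policy "$KEY_ID" --keyring="$KEY_RING" \
          --location="$region" --project="$PROJECT_ID" --format=json | missing_accounts
    fi
  done
  echo "Provide these resource names to Reltio:"
  kms_key_name "$PROJECT_ID" "$MAIN_REGION" "$KEY_RING" "$KEY_ID"; echo
  kms_key_name "$PROJECT_ID" "$BACKUP_REGION" "$KEY_RING" "$KEY_ID"; echo
}

main
```

Keeping DRY_RUN on by default lets you review the exact bindings before touching the project; the IAM check after the grants is what catches the common mistake of granting the role to two of the three accounts and then having the tenant creation fail on the Dataflow or backup path.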