
BYOK for tenants on GCP

Learn more about the Bring Your Own Key (BYOK) for a tenant based on Google Cloud Platform (GCP).

By default, the data of every tenant on Google Cloud Platform (GCP) is encrypted with Reltio-managed keys. You can instead enable Reltio Shield, an add-on subscription to your Reltio Connected Data Platform subscription, to bring your own keys (BYOK): your data is encrypted and protected with keys that stay under your ownership. We recommend enabling Reltio Shield when you create a new tenant. For an existing tenant you can enable Shield and switch to customer-managed keys, but this requires a data migration, because GCP does not allow the encryption key of an existing database to be changed. How long the migration takes depends on the size of your tenant.

Prerequisites for creating keys

You must first obtain the main and backup regions of your tenant, as well as the list of Google-managed service accounts to which you must grant access to the keys.

Use the following endpoint to get these details:

GET /tenants/spanner/encryption/gcp/info

Response

{
   "accounts": [
       "service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com",
       "service-123456789012@gs-project-accounts.iam.gserviceaccount.com",
       "service-123456789012@dataflow-service-producer-prod.iam.gserviceaccount.com"
   ],
   "mainRegion": "us-central1",
   "backupRegion": "us-west1"
}

You must provide two Cloud KMS keys to Reltio: one for the database in the main region and one for backups in the backup region.

Create your own keys

You can create the keys in the Google Cloud Console or with the Google Cloud CLI (gcloud). For more information, see https://cloud.google.com/kms/docs/create-key#create-symmetric.

Before creating these keys, ensure that:

  • Each encryption key must be in a key ring located in the same region as the tenant's database (the mainRegion and backupRegion values returned by the endpoint above). A key in the global location, or in any other region, will not work. For example, if the database is in us-central1, the KMS key must also be in us-central1. Contact Customer Support if you need to confirm the regions.
  • The key and the key ring must have the same names in both regions.
  • Grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on both keys to every account returned by the endpoint above. If you prefer a custom role, it must include these permissions:
    cloudkms.cryptoKeyVersions.useToDecrypt
    cloudkms.cryptoKeyVersions.useToEncrypt
    cloudkms.locations.get
    cloudkms.locations.list
    resourcemanager.projects.get

    For example, service-<project-number>@gcp-sa-spanner.iam.gserviceaccount.com and service-<project-number>@gs-project-accounts.iam.gserviceaccount.com, where the number is the one returned in the accounts list.

  • To enable Shield, give Reltio the resource names of both keys in the following format:
    projects/{{projectId}}/locations/{{mainRegion}}/keyRings/{{keyRingId}}/cryptoKeys/{{keyId}}
    projects/{{projectId}}/locations/{{backupRegion}}/keyRings/{{keyRingId}}/cryptoKeys/{{keyId}}
    
    Note: The keys themselves stay in your Google Cloud project. What you share with Reltio is only a reference to them (the resource name, which identifies the key uniquely), and Reltio uses that reference to ask Cloud KMS to encrypt or decrypt. The key material never leaves your project.
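The whole procedure above, as an added example script that is not Reltio's own tooling: it creates the key ring and key in each region, binds the predefined Encrypter/Decrypter role for every service account, and prints the two resource names to hand to Reltio. The project ID, key ring and key name (my-kms-project, reltio-shield, reltio-tenant-key) are hypothetical placeholders; the regions and service accounts are copied from the sample response above, so replace them with what your tenant returns. By default the script only prints the gcloud commands (DRY_RUN=1); set DRY_RUN=0 to execute them. It refuses the global location, since a key there would not match the tenant's region.

```shell
#!/bin/sh
# Added example, not Reltio's tooling. Hypothetical values; override via environment.
PROJECT_ID="${PROJECT_ID:-my-kms-project}"
KEY_RING="${KEY_RING:-reltio-shield}"
KEY_ID="${KEY_ID:-reltio-tenant-key}"
MAIN_REGION="${MAIN_REGION:-us-central1}"
BACKUP_REGION="${BACKUP_REGION:-us-west1}"
# Constructed from the sample response of GET /tenants/spanner/encryption/gcp/info.
SPANNER_SA="service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com"
STORAGE_SA="service-123456789012@gs-project-accounts.iam.gserviceaccount.com"
DATAFLOW_SA="service-123456789012@dataflow-service-producer-prod.iam.gserviceaccount.com"
ACCOUNTS="${ACCOUNTS:-$SPANNER_SA $STORAGE_SA $DATAFLOW_SA}"
ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"

# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# The key must live in the database's own region: reject 'global' or an empty location.
check_region() {
  case "$1" in
    global|"") return 1 ;;
    *) return 0 ;;
  esac
}

# The resource name you share with Reltio for a given region.
key_resource() {
  echo "projects/$PROJECT_ID/locations/$1/keyRings/$KEY_RING/cryptoKeys/$KEY_ID"
}

# Create key ring and symmetric key in one region, then bind every account to the role.
create_key() {
  region="$1"
  if ! check_region "$region"; then
    echo "refusing location '$region': key must live in the tenant's region" >&2
    return 1
  fi
  run gcloud kms keyrings create "$KEY_RING" --project="$PROJECT_ID" --location="$region"
  run gcloud kms keys create "$KEY_ID" --project="$PROJECT_ID" --location="$region" \
      --keyring="$KEY_RING" --purpose=encryption
  for sa in $ACCOUNTS; do
    run gcloud kms keys add-iam-policy-binding "$KEY_ID" --project="$PROJECT_ID" \
        --location="$region" --keyring="$KEY_RING" \
        --member="serviceAccount:$sa" --role="$ROLE"
  done
}

# Print the effective IAM policy so the bindings can be checked before sharing the names.
show_policy() {
  run gcloud kms keys get-iam-policy "$KEY_ID" --project="$PROJECT_ID" \
      --location="$1" --keyring="$KEY_RING" --format=json
}

main() {
  for region in "$MAIN_REGION" "$BACKUP_REGION"; do
    create_key "$region" || return 1
    show_policy "$region"
    echo "share with Reltio: $(key_resource "$region")"
  done
}

main
```

Because the same KEY_RING and KEY_ID are used for both regions, the two resource names differ only in the locations segment, which is exactly the naming rule above. Run it once with DRY_RUN=1, review the printed commands, then rerun with DRY_RUN=0 under an identity that can create keys and set IAM policy in the project.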