Support 'customer supplied encryption keys' in the GCS backend #16936
https://cloud.google.com/storage/docs/encryption#customer-supplied GCS state created using customer supplied encryption keys can only be read or modified using the same key.
Passes tests for me, and code looks good and straightforward enough. Thanks for this awesome addition!
Thanks @paddycarver!
@negz Does this support customer-managed keys for use with KMS? Does one have to generate the key using e.g. Python? It would be nice to have state encrypted using KMS crypto keys which are generated from a client secret.
@ocervell I made this change almost two years ago and no longer actively use Terraform, so I'm afraid I'm not up to speed with the interplay between customer supplied GCS keys and KMS. I recall thinking that it would be nice to store customer managed keys in KMS, but we decided this first implementation would be simpler. There's some context on that decision process in #16836.
@ocervell Ah - I see customer managed keys are distinct from customer supplied keys, so no that is not supported by this change. I don't think managed keys existed when I wrote it, but it seems like it would be a great addition now.
Currently all files in GCS are transparently encrypted at rest using Google's keys, and IAM/ACL can be used to restrict access to GCS buckets. Allowing state files in GCS to be encrypted with a custom key provides an additional layer of defense around sensitive Terraform state.
Objects created with a customer supplied encryption key can only be read when the key used for creation is passed in with the read request. See #16836 for further details.
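The property the description relies on, that a customer-supplied key (CSEK) object is unreadable without the exact key it was written with, comes from the GCS API contract: every request touching such an object must carry the key and its SHA-256 fingerprint in headers, and the object's metadata exposes only the fingerprint. The helper below is an added example, not code from this PR or from Terraform; its function names are hypothetical. What it does assume from the GCS documentation is the three `x-goog-encryption-*` request headers and the `customerEncryption.keySha256` metadata field. It generates and validates a key in the base64 form the backend consumes, builds the headers GCS expects, and checks a key you hold against the fingerprint of an existing state object, which is the check you want before pointing `terraform init` at state someone else encrypted. Nothing here contacts GCS, so it runs offline.

```python
import base64
import hashlib
import hmac
import os

# Added example with hypothetical helper names. The x-goog-encryption-* headers and
# the customerEncryption.keySha256 metadata field are taken from the GCS CSEK docs;
# this code never talks to GCS and runs entirely offline.

KEY_BYTES = 32  # a CSEK is exactly 256 bits of raw AES key material


def generate_csek() -> str:
    """Fresh random key, base64-encoded as the backend expects it
    (the same shape `openssl rand -base64 32` prints)."""
    return base64.b64encode(os.urandom(KEY_BYTES)).decode("ascii")


def decode_csek(key_b64: str) -> bytes:
    """Decode a base64 CSEK and reject anything that is not exactly 32 raw bytes.

    Truncation, extra padding and trailing newlines from copy/paste are the
    usual failures; catching them locally beats a 400 from the API at init time.
    """
    try:
        raw = base64.b64decode(key_b64.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"encryption key is not valid base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(
            f"encryption key must decode to {KEY_BYTES} bytes, got {len(raw)}"
        )
    return raw


def is_valid_csek(key_b64: str) -> bool:
    """Boolean form of decode_csek for pre-flight checks."""
    try:
        decode_csek(key_b64)
    except ValueError:
        return False
    return True


def csek_headers(key_b64: str) -> dict:
    """Headers every read or write of a CSEK object must carry.

    Omit them, or send a different key, and GCS refuses the request; that is
    the 'only readable with the same key' property the PR description cites.
    """
    raw = decode_csek(key_b64)
    digest = hashlib.sha256(raw).digest()
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(raw).decode("ascii"),
        "x-goog-encryption-key-sha256": base64.b64encode(digest).decode("ascii"),
    }


def key_matches_object(key_b64: str, object_key_sha256_b64: str) -> bool:
    """Compare a key you hold against customerEncryption.keySha256 from an
    object's metadata. The fingerprint is readable without the key, the
    content is not, so this tells you whether a read will succeed before you
    attempt it. Constant-time compare so the check is not an oracle."""
    expected = csek_headers(key_b64)["x-goog-encryption-key-sha256"]
    return hmac.compare_digest(expected, object_key_sha256_b64.strip())


if __name__ == "__main__":
    key = generate_csek()
    print("GOOGLE_ENCRYPTION_KEY =", key)
    headers = csek_headers(key)
    for name, value in headers.items():
        print(f"{name}: {value}")
    # A second key has a different fingerprint, so it cannot read the object.
    other = generate_csek()
    print("same key matches:", key_matches_object(key, headers["x-goog-encryption-key-sha256"]))
    print("other key matches:", key_matches_object(other, headers["x-goog-encryption-key-sha256"]))
```

In practice the base64 string is what you hand to the backend (current Terraform docs name the attribute `encryption_key`, with `GOOGLE_ENCRYPTION_KEY` as its environment-variable form; the PR text itself does not name it). Prefer the environment variable: the key protects the state, so it should not sit in the same versioned config that points at the bucket. And keep a copy of the key somewhere durable, since a lost CSEK means the state object, and the metadata fingerprint, are all that remain.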