Migrating Key Broker for Google Cloud EKM to CipherTrust Data Security Platform as a Service
This document describes migrating key management and encryption keys from a Key Broker for Google Cloud EKM to CipherTrust Data Security Platform as a Service (CDSPaaS) using Google Cloud External Key Manager (EKM). To complete the migration you must create new keys in EKM that use CDSPaaS and re-encrypt the use case that had previously been encrypted by the Key Broker for Google Cloud EKM.
To migrate from a Key Broker for Google Cloud EKM to CipherTrust Data Security Platform as a Service
- Create a Google Cloud EKM endpoint and Key URI in CDSPaaS. For more information about creating and managing EKM resources in CDSPaaS, see Google Cloud External Key Manager Resources.
- Use the Key URI to create an externally managed key on Google Cloud. For more information about creating an externally managed key, see Manually managed external keys in the Google Cloud Documentation.
- Update your use case that had previously been encrypted by the Key Broker for Google Cloud EKM so that it is encrypted by the new externally managed key. For more information about updating your use case to use the new externally managed key, see Services that support CMEK with Cloud EKM in the Google Cloud Documentation.
  The Google Cloud Documentation (Changing the default key for a project and Changing the default key for a dataset) states that changing a default key does not update the key for existing tables. You must manually update the keys for existing tables inside the project or dataset.
  Note: Your use case's service account requires the Cloud KMS CryptoKey Encrypter/Decrypter role to use externally managed keys. For more information, see Permissions and Roles in the Google Cloud Documentation.
- Delete the Key Broker for Google Cloud EKM. See Removing the service for more information.
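The following shell script is an added example of steps 2 and 3 above using the gcloud and bq CLIs; it is not part of the CDSPaaS or Google Cloud documentation. Project, location, key ring, key, table and service-account names are placeholders, and the EKM key URI is assumed to be the one obtained from CDSPaaS in step 1.

```shell
#!/bin/sh
# Added example: create the externally managed key, grant the workload's service
# account the Encrypter/Decrypter role, and re-key existing BigQuery tables.
# Set GCLOUD=echo BQ=echo to dry-run and inspect the commands without running them.
GCLOUD=${GCLOUD:-gcloud}
BQ=${BQ:-bq}

# Create a Cloud KMS key whose material lives in CDSPaaS: the key is created with
# protection level "external" and no initial version, then a version bound to the
# CDSPaaS key URI is added and made primary.
create_external_key() {
  # $1 project  $2 location  $3 key ring  $4 key name  $5 CDSPaaS key URI (from step 1)
  "$GCLOUD" kms keys create "$4" --project "$1" --location "$2" --keyring "$3" \
    --purpose encryption --protection-level external \
    --default-algorithm external-symmetric-encryption --skip-initial-version-creation
  "$GCLOUD" kms keys versions create --project "$1" --location "$2" --keyring "$3" \
    --key "$4" --external-key-uri "$5" --primary
}

# Bind the role on the key itself rather than the project (least privilege).
grant_encrypter_decrypter() {
  # $1 project  $2 location  $3 key ring  $4 key name  $5 service account e-mail
  "$GCLOUD" kms keys add-iam-policy-binding "$4" --project "$1" --location "$2" \
    --keyring "$3" --member "serviceAccount:$5" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Full resource name of the key, as expected by --destination_kms_key.
key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Changing the project or dataset default key leaves existing tables on the old
# key, so every existing table is re-keyed explicitly.
rekey_bigquery_tables() {
  # $1 key resource name  $2... dataset.table identifiers
  key="$1"; shift
  for table in "$@"; do
    "$BQ" update --destination_kms_key "$key" "$table"
  done
}

# Set MIGRATE_RUN=1 to execute against a real project (placeholder values below).
if [ "${MIGRATE_RUN:-0}" = "1" ]; then
  create_external_key my-project us-east1 ekm-ring cdspaas-key "$EKM_KEY_URI"
  grant_encrypter_decrypter my-project us-east1 ekm-ring cdspaas-key \
    bq-workload@my-project.iam.gserviceaccount.com
  rekey_bigquery_tables "$(key_resource_name my-project us-east1 ekm-ring cdspaas-key)" \
    analytics.events analytics.users
fi
```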