Enable customer-managed encryption keys

Customer managed encryption keys (CMEK) allow you to control the encryption keys used to protect your Google Cloud data at rest. This article explains how to set up and manage CMEK in Ads Data Hub.

Ads Data Hub encrypts data at rest using Google managed keys. Unless you have specific requirements necessitating the usage of CMEK, Google’s default encryption is your best choice.

In order to use CMEK, you must:

  • Use Cloud Key Management Service (KMS).
  • Have previously configured an admin project and updated to the new service account.

Learn more about CMEK

Enable CMEK

  1. On the Cloud KMS page, create a symmetric key.
    1. You can create the key in any Google Cloud project.
    2. Ensure that you create your key under a compatible Cloud KMS location. Per Cloud KMS guidelines, using the “global” region is not advised due to potential performance limitations. If you can’t remember your region, contact Ads Data Hub support.
      ADH regionCloud KMS locations
      USUS
      EUeurope
      asia-northeast1asia, asia-northeast1
      australia-southeast1australia-southeast1
  2. On the Cloud Identity and Access Management (IAM) page, grant the Ads Data Hub service account the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypter). Alternatively, permission the Ads Data Hub service account directly to the key on the Cloud KMS page.
  3. In the Ads Data Hub UI:
    1. Navigate to the Account settings subtab under Settings.
    2. Under “Customer-managed encryption”, click Edit.
    3. Toggle “Customer-managed encryption” to “on”.
    4. Paste the key resource ID. Note: this must be the entire resource ID for the key, not a specific version. Learn how to get a Cloud KMS resource ID
    5. Click Save.

Manage keys

Rotate a key

Rotating keys is a common security practice. Find instructions on how to rotate keys on the Cloud KMS page here.

Ads Data Hub doesn't automatically rotate the encryption key when the Cloud KMS key associated with the account rotates. Existing tables continue to use the key version with which they were created. New tables use the current key version.

Change keys

You can change to a new key instead of rotating an existing key. This is useful when you need to destroy a key, or make significant changes to your key management; such as changing to a different protection level.

To switch to a new key, follow the instructions under Enable CMEK. Caution: modifying or destroying the previous key before the update completes may result in permanent loss of data.

Revoke permissions, disable, or destroy a key

Follow instructions in the Google Cloud documentation for the following actions:

  • Revoke the Ads Data Hub service account’s permissions.
    • This action takes effect immediately. You won’t be able to run queries in Ads Data Hub until resolving the issue and your temp tables and models may suffer unrecoverable data loss.
  • Disable a key.
    • This action may take up to 3 hours to appear in Ads Data Hub. Until then, you can continue to run queries using the disabled key in Ads Data Hub.
  • Destroy a key.
    • Important: Disable CMEK before destroying your key. If you don’t, you won’t be able to run queries in Ads Data Hub until resolving the issue and your temp tables and models may suffer unrecoverable data loss.

Disable CMEK

It’s important that you disable CMEK prior to deleting active keys. Otherwise, you will lose access to data that was encrypted using your deleted keys.

To disable CMEK:

  1. Navigate to Settings > Account settings in Ads Data Hub.
  2. Under “Customer-managed encryption”, click Edit.
  3. Toggle “Customer-managed encryption” to “off”.
  4. Click Save.