Remediation

Currently there is no way to update the encryption of an existing disk. Therefore you should create a new disk with Encryption set to Customer supplied.

From Google Cloud Console

  1. Go to Compute Engine Disks by visiting: https://console.cloud.google.com/compute/disks.
  2. Click CREATE DISK.
  3. Set Encryption type to Customer supplied.
  4. Provide the Key in the box.
  5. Select Wrapped key.
  6. Click Create.

From Google Cloud CLI

In the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation. If you are using an RSA-wrapped key, use the gcloud beta component:

        gcloud compute instances create <INSTANCE_NAME> --csek-key-file <example-file.json>

To encrypt a standalone persistent disk:

        gcloud compute disks create <DISK_NAME> --csek-key-file <example-file.json>
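
The file passed to --csek-key-file is a JSON list that maps each disk URI to its key. The function below is an added example, not part of the original page: it generates a raw 256-bit key and writes that file. The function name and the project, zone and disk arguments are placeholders; an RSA-wrapped key would use the key-type rsa-encrypted instead of raw.

```shell
#!/bin/sh
# Added example: build a key file for --csek-key-file.
# Assumptions: raw (not RSA-wrapped) 256-bit key; the project, zone and disk
# names are placeholders supplied by the caller.

# make_csek_key_file PROJECT ZONE DISK OUTFILE
make_csek_key_file() {
    [ "$#" -eq 4 ] || {
        echo "usage: make_csek_key_file PROJECT ZONE DISK OUTFILE" >&2
        return 2
    }
    project=$1 zone=$2 disk=$3 out=$4

    # 32 random bytes = 256-bit key, standard base64 (44 characters).
    key=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    [ "${#key}" -eq 44 ] || { echo "key generation failed" >&2; return 1; }

    # Subshell so the settings do not leak to the caller:
    #   umask 077 -> file is readable by the owner only
    #   set -C    -> never overwrite an existing key file; Google does not
    #                store a customer-supplied key, so a lost key means
    #                the disk data cannot be recovered.
    (
        umask 077
        set -C
        cat > "$out" <<EOF
[
  {
    "uri": "https://www.googleapis.com/compute/v1/projects/$project/zones/$zone/disks/$disk",
    "key": "$key",
    "key-type": "raw"
  }
]
EOF
    ) 2>/dev/null || {
        echo "could not create $out (does it already exist?)" >&2
        return 1
    }
}
```

Call it with the same disk name, zone and project used in the gcloud command, then pass the resulting file as the --csek-key-file argument. Back the file up to a secrets store before creating the disk.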