Ensure boot disks for instances use CSEKs

Error: Boot disks for instances do not use CSEKs

Bridgecrew Policy ID: BC_GCP_GENERAL_2
Checkov Check ID: CKV_GCP_38
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Boot disks for instances do not use CSEKs


Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. Google Compute Engine encrypts all data at rest by default. Compute Engine handles and manages this encryption automatically, with no additional action required. When you provide your own encryption keys Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users that provide the correct key can use resources protected by a customer-supplied encryption key. Google does not store your keys on its servers and cannot access your protected data unless you provide the key. If you forget or lose your key Google is unable to recover the key or to recover any data encrypted with that key. To control and manage this encryption yourself, you must provide your own encryption keys.

We recommend you supply your own encryption keys for Google to use, at a minimum to encrypt boot disks for instances. This helps protect the Google-generated keys used to encrypt and decrypt your data.

Fix - Runtime

GCP Console

Currently there is no way to update the encryption of an existing disk.
Ensure you create new disks with Encryption set to Customer supplied.

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Compute Engine Disks.
  3. Click CREATE DISK.
  4. Set Encryption type to Customer supplied.
  5. In the dialog box, enter the Key.
  6. Select Wrapped key.
  7. Click Create.

CLI Command

In the gcloud compute tool, encrypt a disk, use the following command:
--csek-key-file flag during instance creation

If you are using an RSA-wrapped key, use the gcloud beta component and the following command:
gcloud (beta) compute instances create INSTANCE_NAME --csek-key-file <example-file.json>

To encrypt a standalone persistent disk, use the following command:
gcloud (beta) compute disks create DISK_NAME --csek-key-file <examplefile.json>

Fix - Buildtime


  • Resource: google_compute_disk

  • Field: disk_encryption_key

  • Resource: google_compute_instance

  • Argument: boot_disk:disk_encryption_key_raw

//Option 2
resource "google_compute_disk" "default" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-8-jessie-v20170523"
  physical_block_size_bytes = 4096
+  disk_encryption_key {
+    raw_key = <raw key>
+    kms_key_self_link = <key link>

//Option 2
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  boot_disk {
    disk_encryption_key_raw = <encryption key>