Authors:
- Arvind Ramakrishnan, Sr. Product Manager
- Sudhir Jain, Product Manager
We are excited to announce the availability of Customer-managed encryption keys (CMEK) for the integrated backup feature in Google Cloud NetApp Volumes (GCNV). This enhancement significantly strengthens your data security posture by ensuring your backups are protected with your own keys, further expanding the comprehensive security features of GCNV.
Enhanced security posture with CMEK for backup
The integration of CMEK with the integrated backup feature provides a critical layer of control and compliance, especially for organizations with stringent security and regulatory requirements.
Key benefits
- Customer control: You retain full control over the encryption keys used to protect your backup data.
- Compliance: Meets organizational compliance requirements that mandate the use of customer-managed keys for data at rest.
- Support for CMEK organization policy: This feature seamlessly integrates with your existing Google Cloud organizational policies, allowing you to enforce the use of CMEK across your backup resources, which is a powerful way to govern encryption across your project.
CMEK organization policy
CMEK organization policy is a fundamental security control that you can use to govern the encryption of your NetApp Volumes resources. By utilizing this policy, you can:
- Require CMEKs for all NetApp Volumes resources: Ensure that all new backups are created with CMEK-based encryption.
- Restrict Cloud KMS keys for a NetApp Volumes project: Limit the keys that can be used for backup encryption to a specific set of keys within your project.
How to configure CMEK for backup?
Implementing CMEK for your backups is done by configuring your Backup Vault. The policy you set on the Backup Vault determines the encryption for all backups stored within it.
To configure a CMEK-enabled Backup Vault, you must first create a CMEK policy that specifies the Google Cloud Key Management Service (KMS) key you wish to use.
Create a CMEK policy
Before configuring the Backup Vault, create a CMEK policy:
- Create the CMEK Policy in the same region as the backup vault.
- For cross-region backups, the CMEK Policy needs to be created at the destination region.
- Point the CMEK policy to your Cloud KMS key.
Configure the Backup Vault
Once the CMEK policy is created, you can use it to create your Backup Vault.
When creating a Backup Vault, the following parameters are crucial for CMEK configuration:
| Setting |
| Customer-managed encryption key settings |
| Service level |
This process ensures that all data entering this Backup Vault is automatically encrypted using your specified CMEK, providing immediate enhanced data protection.
CMEK for GCNV backups significantly enhances critical data security by granting customers direct control over encryption of their backups. This control reinforces security posture, meets demanding compliance standards, and offers peace of mind.
Act now: Configure Customer-Managed Encryption Keys (CMEK) on your Backup Vaults today to unlock enhanced data security and uplevel your security posture!
For more details on key management, backup considerations, and best practices, please refer to our product documentation.

