Hold Your Own Key (HYOK) with GCP

1. Enable advanced data encryption under company settings → settings and click on save changes button on bottom right (appears once you check box advanced data encryption)

   

2. Now click on configure encryption button which should take you to the following screen with three options:

   

3. Select option b from step 2 and then click Next to select the location where your root key will be stored:

   

4. Select Google Cloud Key Management and then select on Guide me through creating a new key for wrapping. Click next to view and copy the configuration code that you will have to run on GCP cloud shell.

   

5. Copy the code. You can adjust the LOCATION and KEYRING_ID values to fit your needs.

   

6. Now paste the code on cloud shell and run it to generate an ARN string of the key alias.

   

7. Copy the ARN string, paste it into onboarding page, and then apply the changes. Once you see the success message you should be all set and encryption policy is now is use.