Customer Managed Encryption Keys with GCP Key Management Service

To use Customer Managed Encryption Keys (CMEK) with Google Cloud Platform (GCP) Key Management Service (KMS) in SingleStore Helios, follow these steps:

  1. Create a Customer-Managed Key

    • In your GCP console, navigate to the Key Management page.

    • Create a new key ring if you do not already have one.

    • Within the key ring, create a new key.

    • In the key creation process, specify details such as the key purpose, algorithm, and key protection level.

    • Add labels to the key for easy identification (for example, "SingleStore Helios").

  2. Assign Permissions

    • Define the key's administrative permissions. Assign a user or role that will manage the lifecycle of this key. Typically, this would be an administrative role within your GCP account.

    • Define the key usage permissions by adding the GCP service account used by SingleStore to access the KMS. This allows SingleStore to perform encryption and decryption operations using this key.

  3. Enable the Key in SingleStore

    • Create a support ticket with SingleStore to enable the CMEK feature for your SingleStore Helios cluster. Provide details about the key created, such as its name and associated key ring.

    • SingleStore support will notify you once the CMEK is enabled for your cluster.

  4. Key Policy Configuration

    • Review and edit the key policy in GCP to ensure it includes the necessary permissions for SingleStore's service account. The required actions typically include kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey.

  5. Key Rotation and Management

    • Set up key rotation as per your organization’s policy. To enhance security, you can configure automatic key rotation within the GCP Key Management Service.

    • Regularly review the permissions and access logs for the key to ensure there are no unauthorized accesses or changes.
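As an added check for steps 2, 4 and 5 (example code, not part of the SingleStore documentation), the following Python script audits the JSON that `gcloud kms keys describe --format=json` and `gcloud kms keys get-iam-policy --format=json` print for the key, confirming that the SingleStore service account holds GCP's predefined encrypt/decrypt role, holds no administrative role, that no public principal is bound, and that automatic rotation is configured. The project, location, key ring, key and service account names are constructed placeholders; the real service account is the one SingleStore provides.

```python
"""Audit a GCP KMS key and its IAM policy for SingleStore CMEK use (added example).
Inputs: the JSON from `gcloud kms keys describe --format=json` and
`gcloud kms keys get-iam-policy --format=json`; the samples below are constructed."""
import json

# Assumed placeholder: the real service account is the one SingleStore gives you in step 2.
SINGLESTORE_SA = "serviceAccount:singlestore-helios@example-project.iam.gserviceaccount.com"
USE_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"  # GCP's predefined encrypt/decrypt role
ADMIN_ROLES = {"roles/cloudkms.admin", "roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of `gcloud kms keys describe ... --format=json` output.
KEY_JSON = """{
  "name": "projects/example-project/locations/us-east1/keyRings/helios-ring/cryptoKeys/helios-cmek",
  "purpose": "ENCRYPT_DECRYPT",
  "labels": {"app": "singlestore-helios"},
  "rotationPeriod": "7776000s",
  "nextRotationTime": "2025-07-14T00:00:00Z",
  "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"}
}"""

# Constructed sample of `gcloud kms keys get-iam-policy ... --format=json` output (deliberately flawed).
POLICY_JSON = """{
  "bindings": [
    {"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:singlestore-helios@example-project.iam.gserviceaccount.com",
                 "allAuthenticatedUsers"]}
  ],
  "etag": "BwXyz", "version": 1
}"""

def audit(key_json: str, policy_json: str, sa: str = SINGLESTORE_SA) -> list[str]:
    """Return findings; an empty list means the key matches steps 2, 4 and 5 above."""
    key, policy, findings = json.loads(key_json), json.loads(policy_json), []
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        findings.append(f"purpose is {key.get('purpose')}, expected ENCRYPT_DECRYPT")
    if "rotationPeriod" not in key:
        findings.append("automatic rotation is not configured (step 5)")
    roles_by_member: dict[str, set[str]] = {}  # principal -> roles bound directly on the key
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            roles_by_member.setdefault(m, set()).add(b["role"])
    if USE_ROLE not in roles_by_member.get(sa, set()):
        findings.append(f"{sa} lacks {USE_ROLE} (step 4)")
    if roles_by_member.get(sa, set()) & ADMIN_ROLES:
        findings.append(f"{sa} also holds an admin role; keep usage and lifecycle separate (step 2)")
    for m in sorted(PUBLIC_MEMBERS & set(roles_by_member)):
        findings.append(f"{m} is bound to {sorted(roles_by_member[m])}; remove it")
    return findings
```

Run it against the sample and the only finding is the public `allAuthenticatedUsers` binding; replace that member and the audit returns no findings.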

For further information about CMEK, refer to Customer Managed Encryption Keys.

Last modified: April 14, 2025
