Cloud SQL cross-region Replica with CMEK encryption
The Cloud SQL encryption docs (https://cloud.google.com/sql/docs/sqlserver/cmek#when_does_interact_with_cmek_keys) state:
Read replicas from a CMEK-enabled instance inherit CMEK encryption with the same Cloud KMS key as the primary instance.
At the same time:
Note: The Cloud KMS key ring location must match the region where you want to create a Cloud SQL instance. A multi-region or global region key will not work. A request for creating a Cloud SQL instance fails if the regions don't match.
From these two statements one would conclude that a cross-region replica is not possible with CMEK encryption.
However, we tested this as follows:
- Created a KMS key ring + key in europe-west3 and created the Cloud SQL primary instance in europe-west3 using that key
- Created a KMS key ring + key in europe-west2 and created the Cloud SQL replica (of the primary above) in europe-west2 using the key from europe-west2
Can we rely on what we saw in our hands-on lab? Is the documentation inaccurate?
The answer can be found on a different doc page:
When you create a read replica of a Cloud SQL instance in the same region, it inherits the same customer-managed encryption key as the parent instance. If you create a read replica in a different region, you are given a new list of customer-managed encryption keys to select from. Each region uses its own set of keys.
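Added example, not code from the question or the answer: a gcloud script for the layout tested above (one regional key ring + key per region, primary in europe-west3, replica in europe-west2 using europe-west2's key) with a pre-flight check for the key-ring-location rule quoted from the docs. The project id, service-agent project number, ring, key and instance names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. PROJECT and PROJECT_NUMBER are
# placeholders; ring/key/instance names are made up. Needs RUN_GCLOUD=1 to touch GCP.
set -eu
PROJECT="${PROJECT:-my-project-id}"
SQL_SA="serviceAccount:service-${PROJECT_NUMBER:-000000000000}@gcp-sa-cloud-sql.iam.gserviceaccount.com"

# Location segment of a full Cloud KMS key resource name; fails on anything else.
key_location() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*)
      k="${1#projects/*/locations/}"; printf '%s\n' "${k%%/*}" ;;
    *) return 1 ;;
  esac
}

# Pre-flight check for the rule in the docs: the key ring location must equal the
# instance's region, so a multi-region key ("europe") or the primary's europe-west3
# key is rejected before any gcloud call is made for a europe-west2 replica.
key_matches_region() {
  loc="$(key_location "$1")" || return 1
  [ "$loc" = "$2" ]
}

# One regional ring+key per region, with the Cloud SQL service agent allowed to use it.
create_regional_key() {  # args: region ring key
  gcloud kms keyrings create "$2" --location="$1" --project="$PROJECT"
  gcloud kms keys create "$3" --keyring="$2" --location="$1" --purpose=encryption --project="$PROJECT"
  gcloud kms keys add-iam-policy-binding "$3" --keyring="$2" --location="$1" --project="$PROJECT" \
    --member="$SQL_SA" --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
}

if [ "${RUN_GCLOUD:-0}" = 1 ]; then
  PKEY="projects/$PROJECT/locations/europe-west3/keyRings/sql-ring/cryptoKeys/sql-key"
  RKEY="projects/$PROJECT/locations/europe-west2/keyRings/sql-ring/cryptoKeys/sql-key"
  key_matches_region "$PKEY" europe-west3
  key_matches_region "$RKEY" europe-west2
  create_regional_key europe-west3 sql-ring sql-key
  create_regional_key europe-west2 sql-ring sql-key
  # Primary in europe-west3 with the europe-west3 key (engine left at gcloud's default).
  gcloud sql instances create sql-primary --project="$PROJECT" --region=europe-west3 \
    --tier=db-custom-1-3840 --disk-encryption-key="$PKEY"
  # Cross-region replica in europe-west2 with the europe-west2 key, not the primary's.
  gcloud sql instances create sql-replica --project="$PROJECT" --region=europe-west2 \
    --master-instance-name=sql-primary --disk-encryption-key="$RKEY"
  # Confirm which key the replica actually ended up with.
  gcloud sql instances describe sql-replica --project="$PROJECT" \
    --format='value(region,diskEncryptionConfiguration.kmsKeyName)'
fi
```

The describe call at the end is the check worth keeping in any automation: it shows the replica's region and the kmsKeyName it is encrypted with, which for the setup above should be the europe-west2 key.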