Forcing a custom disk encryption on Google's Cloud KVM

Display-Server

Google cloud services (computing instance) offer encryption by default for disk storage, the customer can provide its own key with the feature customer supplied encryption (detailed here also).

How can we apply a disk encryption with cryptsetup without giving the encryption key to google?

On Linux, when using an encrypted disk (luks), it is unlocked at boot time with a password the idea here is to encrypt the disk with cryptsetup on top of the google system (default encryption) and get an earlier access to the instance to be able to unlock the drive at the boot time. This can be implemented with the help of the remote serial console feature (note that an opensuse VM was used for this howto, the different steps should not differ for other distros).

Con:

Pro:

Implementation summary:


Current google implementation

<div style="position: relative; margin: 1.5em 0; padding-bottom: 56.25%;">
    <iframe style="position: absolute;" src="https://www.youtube.com/embed/Svz2KHE1mdM" width="100%" height="100%" frameborder="0" allowfullscreen></iframe>
</div>

How to encrypt the disk of a VM (gcloud, cryptsetup):

Other related posts

How does Linux's display work?
How to scale the desktop's resolution?