
A GCP persistent disk is encrypted with a key specified in plain text

  • GG_ID: GG_IAC_0018
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: DATA, SECRET
  • Providers: Google Cloud Provider
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: True


The encryption key for the persistent disk is defined in plaintext in the configuration. It will be stored as plain text in the raw state as well as in the code repository.


The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.

Remediation guidelines

The encryption key should be stored and accessed with a secret manager. The exposed encryption key should be rotated, and the content of the persistent disk should be re-encrypted with the newly generated encryption key.
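The flagged pattern and the two remediations, as an added Terraform example that is not part of this policy page or of Google's documentation; the project id, secret name, KMS key path and key material are placeholders:

```hcl
# BEFORE (what GG_IAC_0018 flags): a customer-supplied key pasted as a
# literal. It lands in the repository and in the raw Terraform state.
resource "google_compute_disk" "data_plaintext_key" {
  name = "data-disk-bad"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # constructed placeholder, not a real 256-bit base64 key
    raw_key = "PLACEHOLDER-BASE64-ENCODED-256-BIT-KEY"
  }
}

# AFTER, option 1: read the key from Secret Manager at plan time, so the
# literal no longer lives in the repo. Rotate the exposed key, store the
# new one as a fresh secret version and re-encrypt the disk contents.
data "google_secret_manager_secret_version" "disk_key" {
  secret  = "disk-encryption-key" # placeholder secret name
  version = "latest"
}

resource "google_compute_disk" "data_secret_manager" {
  name = "data-disk-secret"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # secret_data is marked sensitive (redacted in CLI output) but is still
    # written to state: keep the state in an encrypted, access-restricted
    # backend and treat state access like access to the key itself.
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}

# AFTER, option 2: a Cloud KMS key (CMEK). No key material passes through
# the configuration or the state; only the key's resource path does.
# The Compute Engine service agent needs
# roles/cloudkms.cryptoKeyEncrypterDecrypter on this key.
resource "google_compute_disk" "data_kms" {
  name = "data-disk-kms"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    kms_key_self_link = "projects/PROJECT_ID/locations/us-central1/keyRings/RING/cryptoKeys/disk-key" # placeholder
  }
}
```

Only one of the three disk resources would be kept in a real configuration; they are shown side by side for comparison.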

External documentation