Data encryption - Multi region


I am using Spring Boot with GCP KMS to encrypt some sensitive data. I am using symmetric encryption to encrypt the data before storing it in a GCP Cloud Storage bucket in the us-east-1 region. To emphasize, I am using application-level encryption inside the Spring Boot app, on top of what GCP provides at the bucket level.

I am following the Java code sample shown here - https://cloud.google.com/kms/docs/encrypt-decrypt#kms-encrypt-symmetric-java

We are now working on setting up a DR environment in us-central and want all the data in the GCP bucket to be available in the DR environment. Based on the documentation, GCP buckets can be multi-regional, so that's not a problem, and GCP will copy my encrypted data to the us-central region.

My challenge is the KMS key. I read that KMS keys are not multi-regional, so my understanding is that the key I am using in us-east is not available in us-central. So, in the case of an actual disaster in us-east, my Spring Boot app won't be able to decrypt my data in the us-central region, because the key that was used to encrypt the data was from us-east, and this same key is no longer available in the us-central region of GCP KMS.

How do I handle this type of scenario with Google Cloud? Do I need to use my own AES key in this case and import it into GCP KMS for encryption/decryption?

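As an added example (it is neither the original poster's code nor Google's sample verbatim), the following Java class reworks the encrypt/decrypt calls from the linked Cloud KMS sample so that the key's location is an explicit parameter and the full key resource name is stored next to the ciphertext. A Cloud KMS key is addressed as `projects/P/locations/L/keyRings/R/cryptoKeys/K`, and the `locations/L` segment decides where the key material is served from; key rings can be created in multi-region locations such as `us`, not only in single regions. The project id `my-project`, key ring `app-keys`, key `data-key`, the `us` location and the sample plaintext are assumptions made for illustration. It uses the `google-cloud-kms` client library, needs Java 17 (for `record`) and Application Default Credentials with permission on the key, so it runs against GCP rather than offline.

```java
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.DecryptResponse;
import com.google.cloud.kms.v1.EncryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.protobuf.ByteString;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example, not from the original post. Application-level encryption with a
 * Cloud KMS symmetric key whose location is chosen explicitly. The key resource name
 * is recorded with the ciphertext so the DR copy of the app decrypts with exactly the
 * key that produced it, without any hard-coded region in the decrypt path.
 *
 * Hypothetical identifiers: project "my-project", key ring "app-keys", key "data-key".
 */
public final class KmsSealedRecord {

    /** What is persisted next to the object in the bucket: ciphertext plus the key that made it. */
    public record Sealed(String keyName, String ciphertextB64) {}

    private final KeyManagementServiceClient client;

    public KmsSealedRecord(KeyManagementServiceClient client) {
        this.client = client;
    }

    /** Encrypt with the key identified by (project, location, keyRing, key). */
    public Sealed seal(String projectId, String locationId, String keyRingId, String keyId,
                       byte[] plaintext) {
        CryptoKeyName keyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);
        EncryptResponse resp = client.encrypt(keyName, ByteString.copyFrom(plaintext));
        String ctB64 = Base64.getEncoder().encodeToString(resp.getCiphertext().toByteArray());
        return new Sealed(keyName.toString(), ctB64);
    }

    /**
     * Decrypt using the key name recorded with the ciphertext. KMS picks the key version
     * from the ciphertext itself, so only the key name (not a version) has to be stored.
     */
    public byte[] open(Sealed sealed) {
        CryptoKeyName keyName = CryptoKeyName.parse(sealed.keyName());
        ByteString ct = ByteString.copyFrom(Base64.getDecoder().decode(sealed.ciphertextB64()));
        DecryptResponse resp = client.decrypt(keyName, ct);
        return resp.getPlaintext().toByteArray();
    }

    public static void main(String[] args) throws IOException {
        try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
            KmsSealedRecord kms = new KmsSealedRecord(client);

            // Primary app (running in us-east1) encrypts with a key ring that lives in the
            // "us" multi-region location, so the key is not tied to a single region.
            byte[] secret = "account-number=1234".getBytes(StandardCharsets.UTF_8); // constructed sample
            Sealed sealed = kms.seal("my-project", "us", "app-keys", "data-key", secret);
            System.out.println("key recorded with ciphertext: " + sealed.keyName());

            // DR app (running in us-central1) only needs the stored record; the recorded
            // key name resolves to the same key from either region.
            byte[] recovered = kms.open(sealed);
            System.out.println(new String(recovered, StandardCharsets.UTF_8));
        }
    }
}
```

The point of passing `locationId` through is that the failover behaviour is decided at key-creation time, not in the code: if the key ring is created under `locations/us-east1` and that region becomes unavailable, `open` fails exactly as the question describes, whereas a key ring under a multi-region location such as `locations/us` keeps serving the same key name from the DR region. Storing `sealed.keyName()` as object metadata next to the ciphertext also lets you migrate data to a new key later without guessing which key encrypted which object.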

There are 0 answers