Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

For more information about CMEK, see the CMEK guide in the Cloud Key Management Service documentation.

Protected data

Only Conversation data at rest in a supported location can be protected with CMEK.

Supported Locations

CMEK is available in all Agent Assist locations except global.

Limitations

Only the following features are available for an Agent Assist supported location with CMEK enabled:

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

  • Be sure to select the location that you use for your Agent Assist data; otherwise, requests will fail.

Enable CMEK in Agent Assist

Before you create any Agent Assist data in a specific location, you can specify whether the data in this location will be protected by a customer-managed key. Configure your key at this time.

Prerequisites

  1. Create the CCAI CMEK Service account for your project with Google Cloud CLI. For more information, see gcloud services identity documentation.

    gcloud beta services identity create --service=dialogflow.googleapis.com --project=PROJECT_ID
    

    The service account will be created. It won't be returned in the create response, but will have the following format:

    service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com
    
  2. Grant the CCAI CMEK Service account the Cloud KMS CryptoKey Encrypter/Decrypter role to ensure that the service has permissions to encrypt and decrypt with your key.

    gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
        --project=PROJECT_ID \
        --location=LOCATION_ID \
        --keyring=KMS_KEY_RING \
        --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com \
        --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
    

Configure a key for an Agent Assist location

  1. Use the InitializeEncryptionSpec API to configure the key.

    You will need to provide the following variables:

    • PROJECT_ID: Your Google Cloud project ID.
    • LOCATION_ID: The location you chose to enable CMEK in Agent Assist.
    • KMS_KEY_RING: The key ring your KMS key was created in. (The location in the key ring, like projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING, must match the location where you're enabling CMEK.)
    • KMS_KEY_ID: The name of your KMS key that will be used to encrypt and decrypt Agent Assist data in the selected location.

    For example:

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d "{ encryption_spec: { kms_key: 'projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING/cryptoKeys/KMS_KEY_ID' } }" \
        "https://LOCATION_ID-dialogflow.googleapis.com/v2beta1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"
    

    You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
    }
    
  2. Use the GetOperation API to check the result of the long-running operation.

    For example:

    curl -X GET \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://LOCATION_ID-dialogflow.googleapis.com/v2beta1/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
    

Check CMEK Settings

Use the GetEncryptionSpec API to check the encryption key configured for a location.

For example:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://LOCATION_ID-dialogflow.googleapis.com/v2beta1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"
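
The configuration steps above, carried through end to end as an added example (not code from the Agent Assist documentation): it builds the CryptoKey resource name, rejects a key whose key ring location differs from the Agent Assist location, calls encryptionSpec:initialize, polls the operation, and reads the encryption spec back. The placeholder project, location, key ring and key names, and the kmsKey field name in the GetEncryptionSpec response, are assumptions.

```python
import json
import re
import subprocess
import time
import urllib.request

# Placeholder identifiers (assumed, not real resources) and the endpoint pattern from the page.
PROJECT_ID, LOCATION_ID, KMS_KEY_RING, KMS_KEY_ID = "my-project", "us-central1", "aa-ring", "aa-key"
API = "https://{loc}-dialogflow.googleapis.com/v2beta1/"
KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")

def kms_key_name(project, location, key_ring, key_id):
    # Full CryptoKey resource name expected by encryptionSpec:initialize.
    return f"projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{key_id}"

def check_key_location(kms_key, location):
    # Fail early: a key ring in another location makes the initialize request fail.
    m = KEY_RE.match(kms_key)
    if not m or m.group(1) != location:
        raise ValueError(f"{kms_key!r} is not a CryptoKey in Agent Assist location {location!r}")
    return True

def initialize_request(project, location, kms_key):
    # URL and JSON body for the InitializeEncryptionSpec call.
    url = API.format(loc=location) + f"projects/{project}/locations/{location}/encryptionSpec:initialize"
    return url, json.dumps({"encryption_spec": {"kms_key": kms_key}})

def operation_status(op):
    # 'error', 'done' or 'pending' for a long-running operation JSON response.
    return "error" if "error" in op else ("done" if op.get("done") else "pending")

def api_call(url, method="GET", body=None):
    # Authenticated REST call with the gcloud access token, like the page's curl examples.
    token = subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json; charset=utf-8"}
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    key = kms_key_name(PROJECT_ID, LOCATION_ID, KMS_KEY_RING, KMS_KEY_ID)
    check_key_location(key, LOCATION_ID)
    url, body = initialize_request(PROJECT_ID, LOCATION_ID, key)
    op = api_call(url, "POST", body)
    while operation_status(op) == "pending":  # poll GetOperation until it finishes
        time.sleep(5)
        op = api_call(API.format(loc=LOCATION_ID) + op["name"])
    spec = api_call(API.format(loc=LOCATION_ID) + f"projects/{PROJECT_ID}/locations/{LOCATION_ID}/encryptionSpec")
    print("operation:", operation_status(op), "| key matches:", spec.get("kmsKey") == key)  # assumes kmsKey field
```

Running the script requires an authenticated gcloud session with the prerequisites above completed; the location check and response parsing work offline.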
  

Revoke keys

To revoke Agent Assist access to the key, you can disable the KMS key version or remove the service account's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.

After key revocation, the encrypted data becomes inaccessible to Agent Assist, and the service will not return to an operational state until the key permissions are reinstated.