Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

For more information about CMEK, see the CMEK guide in the Cloud Key Management Service documentation.

Protected data

Only Conversation data at-rest in a supported location can be protected with CMEKs.

Supported Locations

CMEK is available in all Agent Assist locations except global.


Only the following features are available for an Agent Assist supported location with CMEK enabled:

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

  • Be sure to select the location that you use for your Agent Assist data, otherwise, requests will fail.

Enable CMEK in Agent Assist

Before you create any Agent Assist data in a specific location, you can specify whether the data in this location will be protected by a customer-managed key. Configure your key at this time.


  1. Create an Agent Assist service account for your project with Google Cloud CLI. For more information, see gcloud services identity documentation.

    gcloud beta services identity create --project=PROJECT_ID
  2. To ensure that the service account will have permissions to encrypt and decrypt with your key, follow these steps to grant it permission to use the key: Cloud KMS CryptoKey Encrypter/Decrypter.

Configure a key for an Agent Assist location

  1. Use InitializeEncryptionSpec API to configure the key.

    You will need to provide the following variables:

    • PROJECT_ID: Your Google Cloud project ID.
    • LOCATION_ID: The location you chose to enable CMEK in Agent Assist.
    • KMS_KEY_RING: The key ring your KMS key was created in. (The location in the key ring, like projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING, must match the location where you're enabling CMEK.)
    • KMS_KEY_ID: The name of your KMS key that will be used to encrypt and decrypt Agent Assist data in the selected location.

    For example:

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d "{ encryption_spec: { kms_key: 'projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING/cryptoKeys/KMS_KEY_ID' } }" \

    You should receive a JSON response similar to the following:

      "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
  2. Use GetOperation API to check the long-running operation result.

    For example:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \

Check CMEK Settings

Use GetEncryptionSpec API to check the encryption key configured for a location.

For example:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \

Revoke keys

To revoke Agent Assist access to the key, you could disable the KMS key version or remove the service account's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.

After key revocation the encrypted data will become inaccessible to Agent Assist and the service will no longer be in an operational state until the key permissions are reinstated.