By default, Conversational Insights encrypts customer content at rest. Insights handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Insights. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Insights resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Protected data
All Insights at-rest data in a supported location can be protected with CMEKs.
Supported Locations
CMEK is available in all Insights locations except global.
Limitations
The following features are disabled in an Insights location with CMEK enabled:
- Dialogflow Runtime Integration
For features that send data to customer-owned resources in another Google Cloud product, Insights does not apply your key to the copy that leaves Insights; configure CMEK in the corresponding product instead:
- Upload audio with transcription: enable CMEK in Cloud Speech-to-Text
- Export conversations to BigQuery: enable CMEK on the destination BigQuery table
Create keys
To create keys, you use the Cloud KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:
- Select the location that you use for your Insights data; otherwise, requests to initialize the encryption spec fail.
Enable CMEK in Insights
Before you create any Insights data in a specific location, you can specify whether the data in this location will be protected by a customer-managed key (i.e. enable CMEK). Configure your key at this time.
Prerequisites
Create the Insights service identity for your project. For more information, see the Google Cloud services identity documentation.
gcloud beta services identity create --service=contactcenterinsights.googleapis.com --project=PROJECT_ID
Grant the CCAI CMEK service agent the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on your encryption key so that the service agent can encrypt and decrypt with your key. The email address for the service agent is:
service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com
Configure a key for an Insights location
Use the InitializeEncryptionSpec API to configure the key.
You need to provide the following variables:
- PROJECT_ID: your Google Cloud project ID
- LOCATION_ID: the location in which you chose to enable CMEK in Insights
- KMS_KEY_NAME: the full resource name of the KMS key used to encrypt and decrypt Insights data in the selected location, in the form projects/<project_id>/locations/<location_id>/keyRings/<key_ring>/cryptoKeys/<key_name>. The location in the key name must match the location in which you enable CMEK, and the service agent must have been granted access to this key in the second prerequisite step.
For example:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d '{"encryption_spec": {"kms_key": "KMS_KEY_NAME"}}' \
  "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"
You should receive a JSON response similar to the following:
{
  "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
}
Use the GetOperation API to check the result of the long-running operation. The operation has finished when the response contains "done": true; if it failed, the response carries an "error" field instead of a result.
For example:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
Check CMEK Settings
Use the GetEncryptionSpec API to check which encryption key is configured for a location.
For example:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"
Revoke keys
To revoke Insights access to the key, you could disable the KMS key version or remove the service account's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.