By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).
For more information about CMEK, see the CMEK guide in the Cloud Key Management Service (KMS) documentation.
Protected data
All Insights at-rest data in a supported location can be protected with CMEKs.
Supported Locations
CMEK is available in all Insights locations except global.
Limitations
Currently, the following features are disabled for an Insights supported location with CMEK enabled:
- Dialogflow Runtime Integration
For features that egress data to customer-owned instances of another Google Cloud product, configure CMEK in the corresponding Google Cloud product:
- Upload audio with transcription: enable CMEK in Cloud Speech-to-Text
- Export conversation to BigQuery: enable CMEK on the destination BigQuery table
Create keys
To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:
- Select the same location that you use for your Insights data; otherwise, requests will fail.
Enable CMEK in Insights
Before you create any Insights data in a specific location, you can specify whether the data in that location will be protected by a customer-managed key (that is, enable CMEK). Configure your key at that time.
Prerequisites
1. Create an Insights service account for your project with gcloud. For more information, see the gcloud services identity documentation.
gcloud beta services identity create --service=contactcenterinsights.googleapis.com --project=PROJECT_ID
2. Grant the CCAI CMEK service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on your encryption key, so that the service agent has permission to encrypt and decrypt with your key. The email address of the service agent is:
service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com
Configure a key for an Insights location
Use the InitializeEncryptionSpec API to configure the key.
You will need to provide the following variables:
PROJECT_ID: your Google Cloud project ID
LOCATION_ID: the location in which you chose to enable CMEK for Insights.
KMS_KEY_NAME: the resource name of the KMS key that will be used to encrypt/decrypt Insights data in the selected location.
- The location in the KMS key name (e.g. projects/<project_id>/locations/<location_id>/keyRings/<key_ring>/cryptoKeys/<key_name>) has to match the location for which you want to enable CMEK.
- You need to have granted the service agent access to this key in prerequisites step 2.
For example:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d '{"encryption_spec": {"kms_key": "KMS_KEY_NAME"}}' \
"https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID" }
Use the GetOperation API to check the result of the long-running operation.
For example:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
Check CMEK Settings
Use the GetEncryptionSpec API to check which encryption key is configured for a location.
For example:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"
Revoke keys
To revoke Insights access to the key, you can disable the KMS key version or remove the service agent's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.
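The following script is an added example, not Google's own code or documentation. It wraps the steps on this page (the service-agent role grant from the prerequisites, InitializeEncryptionSpec, polling GetOperation, GetEncryptionSpec, and the role removal used for revocation) as shell functions, and it enforces the caveat above before calling the API: the location inside the KMS key name must equal the Insights location, or the request fails. It assumes gcloud, curl and jq are installed, that the caller is already authenticated, and that the JSON response of GetEncryptionSpec carries the key under the camelCase field kmsKey.

```shell
# Added example (not Google's code). Assumes gcloud, curl and jq are present
# and that `gcloud auth print-access-token` returns a token for a principal
# permitted to manage the key and the Insights location.
set -eu

API="https://contactcenterinsights.googleapis.com/v1"
ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Print the location component of a KMS key resource name
# (projects/P/locations/L/keyRings/R/cryptoKeys/K); print nothing otherwise.
kms_key_location() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*)
      rest="${1#projects/*/locations/}"
      printf '%s\n' "${rest%%/*}"
      ;;
    *) printf '\n' ;;
  esac
}

# Precondition from the page: the key's location must match the Insights location.
check_key_location() {   # KMS_KEY_NAME LOCATION_ID
  loc="$(kms_key_location "$1")"
  [ -n "$loc" ] && [ "$loc" = "$2" ]
}

# Service agent address from the page, built from the numeric project number.
cmek_service_agent() {   # PROJECT_NUMBER
  printf 'service-%s@gcp-sa-ccai-cmek.iam.gserviceaccount.com\n' "$1"
}

# Prerequisite step 2: grant the Encrypter/Decrypter role on the key to the
# service agent. The full key resource name is accepted by gcloud directly.
grant_key_access() {   # PROJECT_NUMBER KMS_KEY_NAME
  gcloud kms keys add-iam-policy-binding "$2" \
    --member="serviceAccount:$(cmek_service_agent "$1")" --role="$ROLE"
}

# Revocation as described on the page: remove the same role binding.
revoke_key_access() {   # PROJECT_NUMBER KMS_KEY_NAME
  gcloud kms keys remove-iam-policy-binding "$2" \
    --member="serviceAccount:$(cmek_service_agent "$1")" --role="$ROLE"
}

auth_header() { printf 'Authorization: Bearer %s\n' "$(gcloud auth print-access-token)"; }

# InitializeEncryptionSpec; prints the long-running operation name.
initialize_encryption_spec() {   # PROJECT_ID LOCATION_ID KMS_KEY_NAME
  check_key_location "$3" "$2" || { echo "key location does not match $2" >&2; return 1; }
  curl -sS -X POST -H "$(auth_header)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "{\"encryption_spec\": {\"kms_key\": \"$3\"}}" \
    "$API/projects/$1/locations/$2/encryptionSpec:initialize" | jq -r '.name'
}

# Poll GetOperation until the operation reports done; print the final body.
wait_for_operation() {   # OPERATION_NAME (projects/.../operations/ID)
  while :; do
    body="$(curl -sS -H "$(auth_header)" "$API/$1")"
    if [ "$(printf '%s' "$body" | jq -r '.done // false')" = "true" ]; then
      printf '%s\n' "$body"; return 0
    fi
    sleep 5
  done
}

# GetEncryptionSpec; prints the configured key (field name assumed: kmsKey).
get_encryption_spec() {   # PROJECT_ID LOCATION_ID
  curl -sS -H "$(auth_header)" "$API/projects/$1/locations/$2/encryptionSpec" | jq -r '.kmsKey'
}

# Run end to end only when explicitly requested, e.g.
#   RUN_CMEK_SETUP=1 PROJECT_ID=... PROJECT_NUMBER=... LOCATION_ID=... KMS_KEY_NAME=... sh cmek.sh
if [ "${RUN_CMEK_SETUP:-0}" = 1 ]; then
  grant_key_access "$PROJECT_NUMBER" "$KMS_KEY_NAME"
  op="$(initialize_encryption_spec "$PROJECT_ID" "$LOCATION_ID" "$KMS_KEY_NAME")"
  wait_for_operation "$op" | jq '.error // .response'
  [ "$(get_encryption_spec "$PROJECT_ID" "$LOCATION_ID")" = "$KMS_KEY_NAME" ] \
    && echo "CMEK enabled for $LOCATION_ID with $KMS_KEY_NAME"
fi
```

The location check runs locally before any API call, so a mismatched key is caught without consuming the one-time initialization for the location; the final comparison against GetEncryptionSpec confirms that the key Insights reports is the one you intended.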