Customer-managed encryption keys (CMEK)

By default, Conversational Insights encrypts customer content at rest. Insights handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Insights. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Insights resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

For more information about CMEK, see the CMEK guide in the Cloud Key Management Service (KMS) documentation.

Protected data

All Insights at-rest data in a supported location can be protected with CMEKs.

Supported Locations

CMEK is available in all Insights locations except global.

Limitations

The following features are disabled for an Insights supported location with CMEK enabled:

  • Dialogflow Runtime Integration

For features involving data egress to customer-owned instances of another Google Cloud product, configure CMEK in the corresponding Google Cloud products.

  • Upload audio with transcription: enable CMEK in Cloud Speech-to-Text
  • Export conversation to BigQuery: enable CMEK on the BigQuery table

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

  • Select the location that you use for your Insights data; otherwise, requests will fail.

Enable CMEK in Insights

Before you create any Insights data in a specific location, you can specify whether the data in this location will be protected by a customer-managed key (i.e. enable CMEK). Configure your key at this time.

Prerequisites

  1. Create an Insights service account for your project with Google Cloud. For more information, see Google Cloud services identity documentation.

    gcloud beta services identity create --service=contactcenterinsights.googleapis.com --project=PROJECT_ID
    
  2. Grant the CCAI CMEK service agent the Cloud KMS CryptoKey Encrypter/Decrypter role for your encryption key to ensure that the service agent will have permissions to encrypt and decrypt with your key. The email address for the service agent is:

    service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com

Configure a key for an Insights location

  1. Use the InitializeEncryptionSpec API to configure the key.

    Provide the following values:

    • PROJECT_ID: your Google Cloud project ID.
    • LOCATION_ID: the Insights location in which you chose to enable CMEK.
    • KMS_KEY_NAME: the resource name of the KMS key that will be used to encrypt and decrypt Insights data in the selected location.
      • The location in the KMS key name (e.g. projects/<project_id>/locations/<location_id>/keyRings/<key_ring>/cryptoKeys/<key_name>) must match the Insights location in which you want to enable CMEK.
      • The service agent must already have been granted access to this key, as described in prerequisites step 2.

    For example:

    curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d '{"encryption_spec": {"kms_key": "KMS_KEY_NAME"}}' \
        "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"
    

    You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
    }
    
  2. Use the GetOperation API to check the result of the long-running operation.

    For example:

    curl -X GET \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
    
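As an added example (not part of the Insights documentation or the Insights client libraries), the following Python helper performs the checks a practitioner would want before and after the two calls above: it verifies that KMS_KEY_NAME is a CryptoKey resource name whose location matches LOCATION_ID (and is not global), builds the InitializeEncryptionSpec URL and a correctly quoted JSON body, and interprets the Operation document returned by the initialize call or by GetOperation. All project, location and key values are constructed placeholders.

```python
import json
import re

# Resource-name pattern for a Cloud KMS CryptoKey, in the form shown on this page.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
OPERATION_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/operations/(?P<op>[^/]+)$")
API = "https://contactcenterinsights.googleapis.com/v1"


def kms_key_problem(kms_key_name: str, location_id: str):
    """Return None if the key can be used to enable CMEK for the Insights location,
    otherwise a string explaining why the initialize request would fail."""
    m = KMS_KEY_RE.match(kms_key_name)
    if not m:
        # A CryptoKeyVersion name or any other string does not match this pattern.
        return "not a CryptoKey resource name (projects/P/locations/L/keyRings/R/cryptoKeys/K)"
    if location_id == "global":
        return "CMEK is not available in the global Insights location"
    if m.group("location") != location_id:
        return f"key is in {m.group('location')!r} but the Insights location is {location_id!r}"
    return None


def initialize_request(project_id: str, location_id: str, kms_key_name: str):
    """Return (url, json_body) for InitializeEncryptionSpec, raising on a bad key."""
    problem = kms_key_problem(kms_key_name, location_id)
    if problem:
        raise ValueError(problem)
    url = f"{API}/projects/{project_id}/locations/{location_id}/encryptionSpec:initialize"
    body = json.dumps({"encryption_spec": {"kms_key": kms_key_name}})
    return url, body


def operation_status(project_id: str, location_id: str, op: dict):
    """Interpret an Operation JSON document and return (state, detail):
    'pending' with the GetOperation URL to poll, 'error' with the error message,
    or 'done' with the operation's response object."""
    m = OPERATION_RE.match(op.get("name", ""))
    if not m:
        raise ValueError("unexpected operation name: " + repr(op.get("name")))
    if not op.get("done"):
        return "pending", f"{API}/projects/{project_id}/locations/{location_id}/operations/{m.group('op')}"
    if "error" in op:
        return "error", op["error"].get("message", "")
    return "done", op.get("response", {})
```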

Check CMEK Settings

Use the GetEncryptionSpec API to check the encryption key configured for a location.

For example:

  curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"

Revoke keys

To revoke Insights access to the key, you can disable the KMS key version or remove the service agent's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.