Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

For more information about CMEK, see the CMEK guide in the Cloud Key Management Service (KMS) documentation.

Protected data

All Dialogflow CX agent data-at-rest and data-in-use can be protected with CMEKs.


Currently, the following features are disabled for an agent with CMEK enabled:

  • Versions
  • Conversation history
  • Speech adaptation data

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

  • Be sure to select the location that you use for your agent, otherwise, requests will fail.
  • Dialogflow does not support key rotation. When you create the key, the rotation period has to be set to Never.

Configure an agent to use your keys

When you create an agent, you can specify the agent location and whether the agent will use a Google-managed or customer-managed key. Select your key at this time. You cannot change encryption key settings for a location once it has been specified. In order to change a location, you must create a new project with the desired location and import existing agents to the new project.