Try Gemini 1.5 Pro, our most advanced multimodal model in Vertex AI, and see what you can build with a 1M token context window. Try Gemini 1.5 Pro, our most advanced multimodal model in Vertex AI, and see what you can build with a 1M token context window.

Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

For more information about CMEK, see the CMEK guide in the Cloud Key Management Service (KMS) documentation.

Protected data

All Dialogflow CX agent data-at-rest can be protected with CMEKs.

Limitations

Currently, Analytics is disabled for agents with CMEK enabled.
Currently, key rotation is not supported for data store agents. Dialogflow CX agents without data stores do support key rotation. Re-encryption of previously encrypted data with a new key version is not supported in either scenario.
The global location is not supported.
One key should be used per project location.
In order to restore an agent with CMEK enabled, you must choose the Cloud Storage option.
Existing resources in non-CMEK integrated projects cannot be CMEK integrated retroactively. Instead, it is recommended that resources be exported and restored in a new project for CMEK.

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

Be sure to select the location that you use for your agent, otherwise, requests will fail.
Dialogflow does not support key rotation. When you create the key, the rotation period has to be set to Never.

Configure an agent to use your keys

When you create an agent, you can specify the agent location and whether the agent will use a Google-managed or customer-managed key. Select your key at this time.

Configure your service account or user account

Create the CCAI CMEK Service account for your project with Google Cloud CLI. For more information, see gcloud services identity documentation.
```
gcloud beta services identity create --service=dialogflow.googleapis.com --project=PROJECT_ID
```
The service account will be created. It won't be returned in the create response, but will have the following format:
```
service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com
```

Grant the CCAI CMEK Service account the Cloud KMS CryptoKey Encrypter/Decrypter role to ensure that the service has permissions to encrypt and decrypt with your key.

gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
--project=PROJECT_ID \
--location=LOCATION_ID \
--keyring=KMS_KEY_RING \
--member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Access control

Security settings