By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google.
If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for Document AI. Instead of Google managing the encryption keys that protect your data, your Document AI processor is protected using a key that you control and manage in Cloud Key Management Service (KMS).
This guide describes CMEK for Document AI. For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.
Encryption settings are available when you create a processor. To use CMEK, check the CMEK box and select a key as shown below.
The CMEK key is used for all data associated with the processor, and its child resources. All customer-related data that is sent to the processor is automatically encrypted with the provided key before writing to disk.
Once a processor has been created, you cannot change its encryption settings. To use a different key, you must create a new processor.
CMEK supported resources
When storing any resource to disk, if any customer data is stored as part of the resource, Document AI first encrypts the contents using the CMEK key.
| Resource | Notes |
|---|---|
| Processor | N/A - no user data |
CMEK supported APIs
| API | Notes |
|---|---|
| ProcessDocument | N/A - no data saved to disk. |
| BatchProcessDocuments | Data is temporarily stored on disk and encrypted using an ephemeral key (see CMEK compliance). |
| ReviewDocument | Documents pending review are stored in a Cloud Storage bucket encrypted using the provided KMS/CMEK key. |
CMEK and Cloud Storage
Any data written to Cloud Storage by Document AI is encrypted using the bucket's default encryption key, which can be different from your processor's CMEK key.
For more information, see the CMEK documentation for Cloud Storage.
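The two practical consequences above (the key is chosen once at processor creation and cannot be changed, and the Cloud Storage bucket's default key is independent of the processor key) can be turned into checks. The following is an added example, not code from the Document AI documentation or from Google: it builds a `processors.create` request that sets `kmsKeyName`, and audits an existing processor and a bucket against the key your policy expects. The pure helpers run offline; `create_processor` and `bucket_default_kms_key` use the `google-cloud-documentai` and `google-cloud-storage` client libraries, import them lazily, and need credentials. The project, key ring, key and bucket names are constructed sample values, and the same-location rule enforced in `build_processor_request` is a general CMEK requirement assumed here, not something this page states.

```python
"""Added example, not part of the Document AI documentation: build a
processors.create request that attaches a CMEK key, and audit an existing
processor and its review bucket against the key you expect. The helpers are
pure and run offline; the two functions that call Google Cloud import their
clients lazily and need application-default credentials."""
import re

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
_KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def parse_kms_key_name(key_name):
    """Split a KMS key resource name into its parts; ValueError if malformed."""
    m = _KMS_KEY_RE.match(key_name or "")
    if not m:
        raise ValueError(f"not a Cloud KMS key resource name: {key_name!r}")
    return m.groupdict()


def build_processor_request(project, location, display_name, processor_type, kms_key_name):
    """Return the REST body for processors.create with CMEK enabled.

    Assumption (a general CMEK rule, not stated on the page): the key must be
    in the same location as the processor, so a mismatch is rejected here.
    """
    key = parse_kms_key_name(kms_key_name)
    if key["location"] != location:
        raise ValueError(
            f"key is in {key['location']!r} but processor is in {location!r}")
    return {
        "parent": f"projects/{project}/locations/{location}",
        "processor": {
            "displayName": display_name,
            "type": processor_type,          # e.g. OCR_PROCESSOR
            "kmsKeyName": kms_key_name,      # the CMEK setting; immutable after create
        },
    }


def audit_processor_key(processor, expected_key):
    """Compare a processor resource (dict from processors.get) with the key
    policy requires. Because encryption settings cannot be changed after
    creation, any finding means 'create a new processor', not 'update'."""
    actual = processor.get("kmsKeyName")
    if not actual:
        return "processor uses Google-managed encryption; recreate with CMEK"
    if actual != expected_key:
        return f"processor uses {actual}, expected {expected_key}; recreate"
    return None


def audit_bucket_key(bucket_default_key, processor_key):
    """Data Document AI writes to Cloud Storage is encrypted with the bucket's
    default key, which can differ from the processor key; flag that case."""
    if not bucket_default_key:
        return "bucket has no default CMEK key; written data uses Google-managed keys"
    if bucket_default_key != processor_key:
        return f"bucket default key {bucket_default_key} differs from processor key"
    return None


def create_processor(project, location, display_name, processor_type, kms_key_name):
    """Create the processor with the google-cloud-documentai client.
    Requires credentials; not exercised offline."""
    from google.api_core.client_options import ClientOptions
    from google.cloud import documentai

    req = build_processor_request(project, location, display_name, processor_type, kms_key_name)
    client = documentai.DocumentProcessorServiceClient(
        client_options=ClientOptions(api_endpoint=f"{location}-documentai.googleapis.com"))
    processor = documentai.Processor(
        display_name=display_name, type_=processor_type, kms_key_name=kms_key_name)
    return client.create_processor(parent=req["parent"], processor=processor)


def bucket_default_kms_key(bucket_name):
    """Read a bucket's default KMS key with google-cloud-storage (needs credentials)."""
    from google.cloud import storage

    return storage.Client().get_bucket(bucket_name).default_kms_key_name


if __name__ == "__main__":
    # Constructed sample values; no real project, key or bucket.
    key = "projects/example-proj/locations/us/keyRings/docai-ring/cryptoKeys/docai-key"
    print(build_processor_request("example-proj", "us", "invoices", "OCR_PROCESSOR", key))
    print(audit_processor_key({"name": "projects/example-proj/locations/us/processors/abc123"}, key))
    print(audit_bucket_key("projects/example-proj/locations/us/keyRings/other/cryptoKeys/k2", key))
```

Run the audits on a schedule against `processors.get` output and the review bucket's metadata: because a processor's key cannot be changed in place, the useful outcome of a finding is a ticket to create a replacement processor, and for the bucket, to set its default key (for example with `gsutil kms encryption -k KEY gs://BUCKET`) before any review documents land there.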