Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google.

If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for Document AI. Instead of Google managing the encryption keys that protect your data, your Document AI processor is protected using a key that you control and manage in Cloud Key Management Service (KMS).

This guide describes CMEK for Document AI. For more information about CMEK in general, including when and why to enable it, see the Cloud Key Management Service documentation.

Using CMEK

Encryption settings are available when you create a processor. To use CMEK, check the CMEK box and select a key as shown below.

The CMEK key is used for all data associated with the processor, and its child resources. All customer-related data that is sent to the processor is automatically encrypted with the provided key before writing to disk.

Once a processor has been created, you cannot change its encryption settings. To use a different key, you must create a new processor.

CMEK supported resources

When storing any resource to disk, if any customer data is stored as part of the resource, Document AI first encrypts the contents using the CMEK key.

Resource            Material encrypted
Processor           N/A - no user data
ProcessorVersion    schema
HumanReviewConfig   validation_criteria, labeling_schema, review_instructions

CMEK supported APIs

Method                 Encryption
ProcessDocument        N/A - no data saved to disk.
BatchProcessDocuments  Data is temporarily stored on disk and encrypted using an ephemeral key (see CMEK compliance).
ReviewDocument         Documents pending review are stored in a Cloud Storage bucket encrypted using the provided KMS/CMEK key.

CMEK and Cloud Storage

APIs, such as batchProcess and reviewDocument, can read from and write to Cloud Storage buckets.

Any data written to Cloud Storage by Document AI is encrypted using the bucket's default encryption key, which can be different from your processor's CMEK key.

For more information, see the CMEK documentation for Cloud Storage.
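Because output written by Document AI takes the bucket's default key rather than the processor's key, it is worth checking that the two agree before relying on CMEK coverage end to end. The following POSIX shell script is an added example, not part of the Document AI documentation: it compares a processor's CMEK key name (supplied by the operator) with a bucket's default key as reported by gcloud, tolerating a trailing cryptoKeyVersions suffix; the gcloud invocation is an assumption about the operator's environment and is kept in its own function.

```shell
#!/bin/sh
# Added example: verify that a Cloud Storage bucket used by a Document AI
# processor defaults to the same CMEK key as the processor itself.
# Key names look like:
#   projects/P/locations/L/keyRings/R/cryptoKeys/K[/cryptoKeyVersions/N]

# Drop an optional /cryptoKeyVersions/N suffix so a key reported with a
# version compares equal to the key resource the processor was created with.
normalize_key() {
  printf '%s\n' "$1" | sed 's#/cryptoKeyVersions/[0-9][0-9]*$##'
}

# compare_keys EXPECTED_KEY ACTUAL_KEY
# Prints one of: match | mismatch | google-managed (bucket has no default key,
# so objects fall back to Google-managed encryption).
compare_keys() {
  expected=$(normalize_key "$1")
  actual=$(normalize_key "$2")
  if [ -z "$actual" ]; then
    echo "google-managed"
  elif [ "$expected" = "$actual" ]; then
    echo "match"
  else
    echo "mismatch"
  fi
}

# Read a bucket's default KMS key with gcloud (assumed to be installed and
# authenticated; not exercised offline). Empty output means no default key.
bucket_default_key() {
  gcloud storage buckets describe "gs://$1" --format='value(default_kms_key)'
}

# check_bucket PROCESSOR_KEY BUCKET_NAME -> exit 0 only when the keys match,
# so the script can gate a pipeline on CMEK coverage of batch output.
check_bucket() {
  actual=$(bucket_default_key "$2") || return 2
  result=$(compare_keys "$1" "$actual")
  echo "gs://$2: $result"
  [ "$result" = "match" ]
}
```

A mismatch is fixed with `gcloud storage buckets update gs://BUCKET --default-encryption-key=KEY` after the Cloud Storage service agent has been granted access to the key.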