This page provides a list of Google Cloud services that offer integrations with Cloud KMS. These services generally fall under one of the following categories:
A Customer-managed encryption key (CMEK) integration allows you to encrypt the data at rest in that service using a Cloud KMS key that you own and manage. Data protected with a CMEK key cannot be decrypted without access to that key.
A CMEK-compliant service either does not store data, or only stores data for a short period of time, such as during batch processing. Such data is encrypted using an ephemeral key that only exists in memory and is never written to disk. When the data is no longer needed, the ephemeral key is flushed from memory, and the data can't ever be accessed again. The output of a CMEK-compliant service might be stored in a service that is integrated with CMEK, such as Cloud Storage.
Your applications can use Cloud KMS in other ways. For example, you can directly encrypt application data before transmitting or storing it.
To learn more about how data in Google Cloud is protected at rest and how customer-managed encryption keys (CMEK) work, see Customer-managed encryption keys (CMEK).
CMEK integrations
The following table lists services that integrate with Cloud KMS. All services in this list support software and hardware (HSM) keys. Products that integrate with Cloud KMS when using external Cloud EKM keys are indicated under EKM supported.
| Service | Protected with CMEK | EKM supported | Topic |
|---|---|---|---|
| AI Platform Training | Data on VM disks | No | Using customer-managed encryption keys |
| AlloyDB for PostgreSQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Anti Money Laundering AI | Data in AML AI instance resources | No | Encrypt data using customer-managed encryption keys (CMEK) |
| Application Integration | Data written to databases for application integration | No | Using customer-managed encryption keys |
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| Backup for GKE | Data in Backup for GKE | Yes | About Backup for GKE CMEK encryption |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Bigtable | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Cloud Composer | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Data Fusion | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Functions | Data in Cloud Functions | Yes | Using customer-managed encryption keys |
| Cloud Logging | Data in the Log Router | Yes | Manage the keys that protect Log Router data |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud Run | Container image | Yes | Using customer-managed encryption keys with Cloud Run |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Cloud Tasks | Task body and header at rest | Yes | Use customer-managed encryption keys |
| Cloud Workstations | Data on VM disks | Yes | Encrypt workstation resources |
| Compute Engine | Persistent disks | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Contact Center AI Insights | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | MySQL migrations - data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL migrations - Data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL to AlloyDB migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Heterogeneous Migrations | Oracle to PostgreSQL data at rest | Yes | Use customer-managed encryption keys (CMEK) for continuous migrations |
| Dataflow | Pipeline state data | Yes | Using customer-managed encryption keys |
| Dataform (Preview) | Data in repositories | No | Use customer-managed encryption keys |
| Dataproc | Dataproc clusters data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc serverless data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc Metastore | Data at rest | Yes | Using customer-managed encryption keys |
| Datastream | Data in transit | No | Using customer-managed encryption keys (CMEK) |
| Dialogflow CX | Data at rest | No | Customer-managed encryption keys (CMEK) |
| Document AI | Data at rest and data in use | Yes | Customer-managed encryption keys (CMEK) |
| Eventarc | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Filestore | Data at rest | Yes | Encrypt data with customer-managed encryption keys |
| Firestore (Preview) | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Google Distributed Cloud Edge | Data on Edge nodes | Yes | Local storage security |
| Google Kubernetes Engine | Data on VM disks | Yes | Using customer-managed encryption keys (CMEK) |
| Google Kubernetes Engine | Application-layer secrets | Yes | Application-layer Secrets encryption |
| Looker (Google Cloud core) | Data at rest | Yes | Enable CMEK for Looker (Google Cloud core) |
| Memorystore for Redis | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Migrate to Virtual Machines (Preview) | Data migrated from VMware sources | Yes | Register the Migrate Connector as a Google Cloud source |
| Migrate to Virtual Machines (Preview) | Data migrated from AWS sources | Yes | Create an AWS source |
| Migrate to Virtual Machines (Preview) | Data migrated from Azure sources | Yes | Create an Azure source |
| Migrate to Virtual Machines (Preview) | Migrated disks | Yes | Configure the target for a migrated VM disk |
| Migrate to Virtual Machines (Preview) | Migrated VMs | Yes | Configure the target for a migrated VM |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
| Secret Manager | Secret payloads | Yes | Enable Customer-Managed Encryption Keys for Secret Manager |
| Secure Source Manager | Instances | Yes | Encrypt data with customer-managed encryption keys |
| Spanner | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Speaker ID (Restricted GA) | Data at rest | Yes | Using customer-managed encryption keys |
| Speech-to-Text | Data at rest | Yes | Using customer-managed encryption keys |
| Vertex AI | Data associated with resources | Yes | Using customer-managed encryption keys |
| Vertex AI Workbench managed notebooks | User data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench user-managed notebooks | Data on VM disks | No | Customer-managed encryption keys |
| Vertex AI Workbench instances | Data on VM disks | Yes | Customer-managed encryption keys |
| Workflows | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
CMEK-compliant services
The following table lists services that do not use customer-managed encryption keys (CMEKs) because they do not store data long term. For more information on why these services are considered CMEK compliant, see CMEK compliance.
| Service | Topic |
|---|---|
| Cloud Build | CMEK compliance in Cloud Build |
| Container Registry | Using a storage bucket protected with CMEK |
| Cloud Vision | CMEK compliance in Vision API |
| Storage Transfer Service | Customer-managed encryption keys |
Other integrations with Cloud KMS
These pages discuss other ways to use Cloud KMS with other Google Cloud services.
| Product | Topic |
|---|---|
| Any service | Encrypt application data before transmitting or storing it |
| Cloud Build | Encrypt resources before adding them to a build |