Compatible services

This page provides a list of Google Cloud services that offer integrations with Cloud KMS. These services generally fall under one of the following categories:

  • A Customer-managed encryption key (CMEK) integration allows you to encrypt the data at rest in that service using a Cloud KMS key that you own and manage. Data protected with a CMEK key cannot be decrypted without access to that key.

  • A CMEK-compliant service either does not store data, or only stores data for a short period of time, such as during batch processing. Such data is encrypted using an ephemeral key that only exists in memory and is never written to disk. When the data is no longer needed, the ephemeral key is flushed from memory, and the data can't ever be accessed again. The output of a CMEK-compliant service might be stored in a service that is integrated with CMEK, such as Cloud Storage.

  • Your applications can use Cloud KMS in other ways. For example, you can directly encrypt application data before transmitting or storing it.

To learn more about how data in Google Cloud is protected at rest and how customer-managed encryption keys (CMEK) work, see Customer-managed encryption keys (CMEK).

CMEK integrations

The following table lists services that integrate with Cloud KMS. All services in this list support software and hardware (HSM) keys. Products that integrate with Cloud KMS when using external Cloud EKM keys are indicated under EKM supported.

| Service | Protected with CMEK | EKM supported | Topic |
|---|---|---|---|
| Agent Assist | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| AI Platform Training | Data on VM disks | No | Using customer-managed encryption keys |
| AlloyDB for PostgreSQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Anti Money Laundering AI | Data in AML AI instance resources | No | Encrypt data using customer-managed encryption keys (CMEK) |
| Apigee | Data at rest | No | Introduction to CMEK |
| Apigee API hub | Data at rest | Yes | Encryption |
| Application Integration | Data written to databases for application integration | No | Using customer-managed encryption keys |
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| Backup for GKE | Data in Backup for GKE | Yes | About Backup for GKE CMEK encryption |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Bigtable | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Cloud Composer | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Data Fusion | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Healthcare API | Cloud Healthcare API datasets | Yes | Use customer-managed encryption keys (CMEK) |
| Cloud Logging | Data in the Log Router | Yes | Manage the keys that protect Log Router data |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud Run | Container image | Yes | Using customer-managed encryption keys with Cloud Run |
| Cloud Run functions | Data in Cloud Run functions | Yes | Using customer-managed encryption keys |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Cloud Tasks | Task body and header at rest | Yes | Use customer-managed encryption keys |
| Cloud Workstations | Data on VM disks | Yes | Encrypt workstation resources |
| Colab Enterprise | Runtimes and notebook files | No | Use customer-managed encryption keys |
| Compute Engine | Persistent disks | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Conversational Insights | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Database Migration Service | Homogeneous Migrations MySQL migrations - data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service | Homogeneous Migrations PostgreSQL migrations - Data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service | Homogeneous Migrations PostgreSQL to AlloyDB migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service | Heterogeneous Migrations Oracle to PostgreSQL data at rest | Yes | Use customer-managed encryption keys (CMEK) for continuous migrations |
| Dataflow | Pipeline state data | Yes | Using customer-managed encryption keys |
| Dataform | Data in repositories | Yes | Use customer-managed encryption keys |
| Dataproc | Dataproc clusters data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc serverless data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc Metastore | Data at rest | Yes | Using customer-managed encryption keys |
| Datastream | Data in transit | No | Using customer-managed encryption keys (CMEK) |
| Dialogflow CX | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Document AI | Data at rest and data in use | Yes | Customer-managed encryption keys (CMEK) |
| Eventarc Advanced (Preview) | Data at rest | No | Use customer-managed encryption keys (CMEK) |
| Eventarc Standard | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Filestore | Data at rest | Yes | Encrypt data with customer-managed encryption keys |
| Firestore | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Google Cloud Managed Service for Apache Kafka | Data associated with topics | Yes | Configure message encryption |
| Google Cloud NetApp Volumes | Data at rest | No | Create a CMEK policy |
| Google Distributed Cloud | Data on Edge nodes | Yes | Local storage security |
| Google Kubernetes Engine | Data on VM disks | Yes | Using customer-managed encryption keys (CMEK) |
| Google Kubernetes Engine | Application-layer secrets | Yes | Application-layer Secrets encryption |
| Looker (Google Cloud core) | Data at rest | Yes | Enable CMEK for Looker (Google Cloud core) |
| Memorystore for Redis | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Migrate to Virtual Machines | Data migrated from VMware, AWS, and Azure sources | Yes | Use Customer-managed encryption keys (CMEK) with Migrate to Virtual Machines |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
| Secret Manager | Secret payloads | Yes | Enable Customer-Managed Encryption Keys for Secret Manager |
| Secure Source Manager | Instances | Yes | Encrypt data with customer-managed encryption keys |
| Spanner | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Speaker ID (Restricted GA) | Data at rest | Yes | Using customer-managed encryption keys |
| Speech-to-Text | Data at rest | Yes | Using customer-managed encryption keys |
| Vertex AI | Data associated with resources | Yes | Using customer-managed encryption keys |
| Vertex AI Agent Builder | Data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench managed notebooks | User data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench user-managed notebooks | Data on VM disks | No | Customer-managed encryption keys |
| Vertex AI Workbench instances | Data on VM disks | Yes | Customer-managed encryption keys |
| Workflows | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |

CMEK-compliant services

The following table lists services that do not use customer-managed encryption keys (CMEKs) because they do not store data long term. For more information on why these services are considered CMEK compliant, see CMEK compliance.

Other integrations with Cloud KMS

These pages discuss other ways to use Cloud KMS with other Google Cloud services.

| Product | Topic |
|---|---|
| Any service | Encrypt application data before transmitting or storing it |
| Cloud Build | Encrypt resources before adding them to a build |
| Sensitive Data Protection | Create a wrapped key |