This page explains how to use Cloud KMS customer-managed encryption keys in other Google Cloud services to secure your resources. For more information, see Customer-managed encryption keys (CMEK).
When a service supports CMEK, it's said to have a CMEK integration. Some services, such as GKE, have multiple CMEK integrations for protecting different types of data related to the service. For a list of services with CMEK integrations, see Enable CMEK for supported services on this page.
Before you begin
Before you can use Cloud KMS keys in other Google Cloud services, you must have a project resource to contain your Cloud KMS keys. We recommend using a separate project for your Cloud KMS resources that does not contain any other Google Cloud resources.
CMEK integrations
Prepare to enable CMEK integration
For the exact steps to enable CMEK, see the documentation for the relevant Google Cloud service. You can find a link to the CMEK documentation for each service in Enable CMEK for supported services on this page. For each service, you can expect to follow steps similar to the following:
Create a key ring or select an existing key ring. The key ring should be located as geographically near as possible to the resources you want to secure.
In the selected key ring, create a key or select an existing key. Ensure that the protection level, purpose, and algorithm for the key are appropriate for the resources you want to protect. This key is the CMEK key.
Get the resource ID for the CMEK key. You need this resource ID later.
Grant the CryptoKey Encrypter/Decrypter IAM role (
roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK key to the service account for the service.
After you have created the key and assigned the required permissions, you can create or configure a service to use your CMEK key.
Use Cloud KMS keys with CMEK-integrated services
The following steps use Secret Manager as an example. For the exact steps to use a Cloud KMS CMEK key in a given service, locate that service in the list of CMEK-integrated services.
In Secret Manager, you can use a CMEK to protect data at rest.
In the Google Cloud console, go to the Secret Manager page.
To create a secret, click Create Secret.
In the Encryption section, select Use a customer-managed encryption key (CMEK).
In the Encryption key box do the following:
Optional: To use a key in another project, do the following:
- Click Switch project.
- Enter all or part of the project name in the search bar, then select the project.
- To view available keys for the selected project, click Select.
Optional: To filter available keys by location, key ring, name, or protection level, enter search terms in the filter bar.
Select a key from the list of available keys in the selected project. You can use the displayed location, key ring, and protection level details to be sure you choose the correct key.
If the key you want to use is not shown in the list, then click Enter key manually and enter the resource ID of the key
Finish configuring your secret, and then click Create secret. Secret Manager creates the secret and encrypts it using the specified CMEK key.
Enable CMEK for supported services
To enable CMEK, first locate the desired service in the following table. You can enter search terms in the field to filter the table. All services in this list support software and hardware (HSM) keys. Products that integrate with Cloud KMS when using external Cloud EKM keys are indicated in the EKM supported column.
Follow the instructions for each service you want to enable CMEK keys for.
| Service | Protected with CMEK | EKM supported | Topic |
|---|---|---|---|
| Agent Assist | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| AI Platform Training | Data on VM disks | No | Using customer-managed encryption keys |
| AlloyDB for PostgreSQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Anti Money Laundering AI | Data in AML AI instance resources | No | Encrypt data using customer-managed encryption keys (CMEK) |
| Apigee | Data at rest | No | Introduction to CMEK |
| Apigee API hub | Data at rest | Yes | Encryption |
| Application Integration | Data written to databases for application integration | No | Using customer-managed encryption keys |
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| Backup for GKE | Data in Backup for GKE | Yes | About Backup for GKE CMEK encryption |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Bigtable | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Cloud Composer | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Data Fusion | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Healthcare API | Cloud Healthcare API datasets | Yes | Use customer-managed encryption keys (CMEK) |
| Cloud Logging | Data in the Log Router | Yes | Manage the keys that protect Log Router data |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud Run | Container image | Yes | Using customer-managed encryption keys with Cloud Run |
| Cloud Run functions | Data in Cloud Run functions | Yes | Using customer-managed encryption keys |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Cloud Tasks | Task body and header at rest | Yes | Use customer-managed encryption keys |
| Cloud Workstations | Data on VM disks | Yes | Encrypt workstation resources |
| Colab Enterprise | Runtimes and notebook files | No | Use customer-managed encryption keys |
| Compute Engine | Persistent disks | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Conversational Insights | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | MySQL migrations - data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL migrations - Data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL to AlloyDB migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Heterogeneous Migrations | Oracle to PostgreSQL data at rest | Yes | Use customer-managed encryption keys (CMEK) for continuous migrations |
| Dataflow | Pipeline state data | Yes | Using customer-managed encryption keys |
| Dataform | Data in repositories | Yes | Use customer-managed encryption keys |
| Dataproc | Dataproc clusters data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc serverless data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc Metastore | Data at rest | Yes | Using customer-managed encryption keys |
| Datastream | Data in transit | No | Using customer-managed encryption keys (CMEK) |
| Dialogflow CX | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Document AI | Data at rest and data in use | Yes | Customer-managed encryption keys (CMEK) |
| Eventarc Advanced (Preview) | Data at rest | No | Use customer-managed encryption keys (CMEK) |
| Eventarc Standard | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Filestore | Data at rest | Yes | Encrypt data with customer-managed encryption keys |
| Firestore | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Google Cloud Managed Service for Apache Kafka (Preview) | Data associated with topics | No | Configure message encryption |
| Google Cloud NetApp Volumes | Data at rest | No | Create a CMEK policy |
| Google Distributed Cloud | Data on Edge nodes | Yes | Local storage security |
| Google Kubernetes Engine | Data on VM disks | Yes | Using customer-managed encryption keys (CMEK) |
| Google Kubernetes Engine | Application-layer secrets | Yes | Application-layer Secrets encryption |
| Looker (Google Cloud core) | Data at rest | Yes | Enable CMEK for Looker (Google Cloud core) |
| Memorystore for Redis | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Migrate to Virtual Machines | Data migrated from VMware, AWS, and Azure sources | Yes | Use Customer-managed encryption keys (CMEK) with Migrate to Virtual Machines |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
| Secret Manager | Secret payloads | Yes | Enable Customer-Managed Encryption Keys for Secret Manager |
| Secure Source Manager | Instances | Yes | Encrypt data with customer-managed encryption keys |
| Spanner | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Speaker ID (Restricted GA) | Data at rest | Yes | Using customer-managed encryption keys |
| Speech-to-Text | Data at rest | Yes | Using customer-managed encryption keys |
| Vertex AI | Data associated with resources | Yes | Using customer-managed encryption keys |
| Vertex AI Agent Builder | Data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench managed notebooks | User data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench user-managed notebooks | Data on VM disks | No | Customer-managed encryption keys |
| Vertex AI Workbench instances | Data on VM disks | Yes | Customer-managed encryption keys |
| Workflows | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |