Using Cloud KMS with other products

This topic provides a list of Google Cloud services that offer integrations with Cloud KMS. These services generally fall under one of the following categories:

  • A customer-managed encryption key (CMEK) integration allows you to encrypt that service's data at rest using a Cloud KMS key that you own and manage. Data protected with a CMEK key cannot be decrypted without access to that key.

  • A CMEK-compliant service either does not store data, or only stores data for a short period of time, such as during batch processing. Such data is encrypted using an ephemeral key that only exists in memory and is never written to disk. When the data is no longer needed, the ephemeral key is flushed from memory, and the data can't ever be accessed again. The output of a CMEK-compliant service might be stored in a service that is integrated with CMEK, such as Cloud Storage.

  • Your applications can use Cloud KMS in other ways. For example, you can directly encrypt application data before transmitting or storing it.

To learn more about how data in Google Cloud is protected at rest and how customer-managed encryption keys (CMEK) work, refer to Customer-managed encryption keys (CMEK).

CMEK integrations

Service                  | Protected with CMEK                         | Topic
AI Platform Training     | Data on VM disks                            | Using customer-managed encryption keys
Notebooks                | Data on VM disks                            | Using customer-managed encryption keys
Vertex AI                | Data associated with resources              | Using customer-managed encryption keys
Artifact Registry        | Data in repositories                        | Enabling customer-managed encryption keys
BigQuery                 | Data in BigQuery                            | Protecting data with Cloud KMS keys
Cloud Bigtable           | Data at rest                                | Customer-managed encryption keys (CMEK)
Cloud Composer           | Environment data                            | Using customer-managed encryption keys
Cloud Run                | Container image                             | Using customer-managed encryption keys with Cloud Run
Compute Engine           | Data on VM disks                            | Protecting resources with Cloud KMS keys
Google Kubernetes Engine | Data on VM disks, application-layer Secrets | Using customer-managed encryption keys (CMEK); Application-layer Secrets encryption
Dataflow                 | Pipeline state data                         | Using customer-managed encryption keys
Dataproc                 | Data on VM disks                            | Customer-managed encryption keys
Dialogflow CX            | All data-at-rest and data-in-use            | Customer-managed encryption keys (CMEK)
Cloud Logging            | Logging data                                | Enabling customer-managed encryption keys for Logs Router
Pub/Sub                  | Data associated with topics                 | Configuring message encryption
Cloud Spanner            | Data at rest                                | Customer-managed encryption keys (CMEK)
Cloud SQL                | Data written to databases                   | Using customer-managed encryption keys
Cloud Storage            | Data in storage buckets                     | Using customer-managed encryption keys
Secret Manager           | Secret payloads                             | Enabling Customer-Managed Encryption Keys (CMEK)

CMEK-compliant services

Service            | Topic
Cloud Build        | CMEK compliance in Cloud Build
Container Registry | Using a storage bucket protected with CMEK
Cloud Vision       | CMEK compliance in Vision API

Other integrations with Cloud KMS

The following topics describe other ways to use Cloud KMS with Google Cloud services.

Product     | Topic
Any service | Encrypt application data before transmitting or storing it
Cloud Build | Encrypt resources before adding them to a build