By default, Google Cloud automatically encrypts data when it is at rest by using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for your resources.
For information about the specific benefits of using CMEK with Speech-to-Text resources, see Understand CMEK for Speech-to-Text resources. For more information about CMEK in general, including when and why to enable it, see Customer-managed encryption keys.
Understand CMEK for Speech-to-Text resources
The following conditions are true when a new key is set by using the Speech-to-Text API:
- Resources previously encrypted with the original key remain encrypted with
that earlier key. If a resource is updated (using an
Update*
method), it is reencrypted with the new key. - Previously non-CMEK encrypted resources remain unencrypted. If a resource is
updated (using an
Update*
method), it is then reencrypted with the new key. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation is reencrypted with the new key. - Newly created resources are encrypted with the newly set key.
When you remove a key by using the Speech-to-Text API, new resources
are created without CMEK encryption. Existing resources remain encrypted
with the keys with which they were previously encrypted. If a resource is
updated (using an Update*
method), it is reencrypted using the default
encryption managed by Google. For long-running operations (like
batch recognition), if processing is ongoing and not
finished, the stored operation will be re-encrypted using the default encryption
managed by Google.
The location of the Cloud KMS key used for encrypting Speech-to-Text resources must match the Speech-to-Text endpoint used. For more information about Speech-to-Text locations, see Speech-to-Text locations. For more information about Cloud KMS locations, see Cloud KMS locations.
CMEK-supported resources
The following are current Speech-to-Text resources covered by CMEK:
Resource | Material encrypted | Documentation links |
---|---|---|
Recognizer |
|
|
PhraseSet |
|
|
CustomClass |
|
|
Operation |
|
|
Batch recognition artifacts |
|