Encryption

By default, Google Cloud automatically encrypts data when it is at rest by using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for your resources.

For information about the specific benefits of using CMEK with Speech-to-Text resources, see Understand CMEK for Speech-to-Text resources. For more information about CMEK in general, including when and why to enable it, see Customer-managed encryption keys.

Understand CMEK for Speech-to-Text resources

The following conditions are true when a new key is set by using the Speech-to-Text API:

  • Resources previously encrypted with the original key remain encrypted with that earlier key. If a resource is updated (using an Update* method), it is reencrypted with the new key.
  • Previously non-CMEK encrypted resources remain unencrypted. If a resource is updated (using an Update* method), it is then reencrypted with the new key. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation is reencrypted with the new key.
  • Newly created resources are encrypted with the newly set key.

When you remove a key by using the Speech-to-Text API, new resources are created without CMEK encryption. Existing resources remain encrypted with the keys with which they were previously encrypted. If a resource is updated (using an Update* method), it is reencrypted using the default encryption managed by Google. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation will be re-encrypted using the default encryption managed by Google.

The location of the Cloud KMS key used for encrypting Speech-to-Text resources must match the Speech-to-Text endpoint used. For more information about Speech-to-Text locations, see Speech-to-Text locations. For more information about Cloud KMS locations, see Cloud KMS locations.

CMEK-supported resources

The following are current Speech-to-Text resources covered by CMEK:

Resource Material encrypted Documentation links
Recognizer
  • The language code in the recognition configuration.
  • Inline and reference adaptation resources.
PhraseSet
  • Phrases in the phrase set.
CustomClass
  • Class items in the custom class.
Operation
  • The original request that spawned the operation.
  • The response from the method that spawned the operation.
Batch recognition artifacts
  • Adaptation resources used during transcription.
  • The accumulated transcript results.
  • Audio artifacts required for transcription.

What's next