Encryption

By default, Google Cloud automatically encrypts data when it is at rest by using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for your resources.

For information about the specific benefits of using CMEK with Speech-to-Text resources, see Understand CMEK for Speech-to-Text resources. For more information about CMEK in general, including when and why to enable it, see Customer-managed encryption keys.

Understand CMEK for Speech-to-Text resources

The following conditions are true when a new key is set by using the Speech-to-Text API:

Resources previously encrypted with the original key remain encrypted with that earlier key. If a resource is updated (using an Update* method), it is reencrypted with the new key.
Previously non-CMEK encrypted resources remain unencrypted. If a resource is updated (using an Update* method), it is then reencrypted with the new key. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation is reencrypted with the new key.
Newly created resources are encrypted with the newly set key.

When you remove a key by using the Speech-to-Text API, new resources are created without CMEK encryption. Existing resources remain encrypted with the keys with which they were previously encrypted. If a resource is updated (using an Update* method), it is reencrypted using the default encryption managed by Google. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation will be re-encrypted using the default encryption managed by Google.

The location of the Cloud KMS key used for encrypting Speech-to-Text resources must match the Speech-to-Text endpoint used. For more information about Speech-to-Text locations, see Speech-to-Text locations. For more information about Cloud KMS locations, see Cloud KMS locations.

CMEK-supported resources

The following are current Speech-to-Text resources covered by CMEK:

Resource	Material encrypted	Documentation links
Recognizer	The language code in the recognition configuration. Inline and reference adaptation resources.	Recognizers Adaptation
PhraseSet	Phrases in the phrase set.	Adaptation
CustomClass	Class items in the custom class.	Adaptation
Operation	The original request that spawned the operation. The response from the method that spawned the operation.	Recognizers Adaptation Operations
Batch recognition artifacts	Adaptation resources used during transcription. The accumulated transcript results. Audio artifacts required for transcription.	Batch recognition

What's next

Learn how to use encryption with Speech-to-Text.