[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-09-04 UTC。"],[],[],null,["# Use CMEK with Vertex AI RAG Engine\n\n| The [VPC-SC security controls](/vertex-ai/generative-ai/docs/security-controls) and\n| CMEK are supported by Vertex AI RAG Engine. Data residency and AXT security controls aren't\n| supported.\n\nThis page shows you how to enable CMEK to work with\nVertex AI RAG Engine.\n\nOverview\n--------\n\nVertex AI RAG Engine provides robust options for managing how\nyour data at rest is encrypted. By default, all user data within `RagManagedDb`\nis encrypted using a Google-owned and Google-managed encryption key, which is the default\nsetting. This default setting helps you to verify that your data is secure\nwithout requiring any specific configuration.\n\nIf you require more control over your keys used for encryption,\nVertex AI RAG Engine supports [Customer-managed encryption keys\n(CMEK)](/kms/docs/cmek). With CMEK, you can use your\ncryptographic keys, managed within Cloud Key Management Service (KMS), to protect your RAG\ncorpus data.\n\nSet up the encryption key with your RAG corpus\n----------------------------------------------\n\nTo set up an encryption key, follow the steps at [Set up your KMS key and grant permissions](/vertex-ai/generative-ai/docs/rag-engine/use-ragmanageddb-with-rag#set_up_your_kms_key_and_grant_permissions).\n\nCMEK limitations for Vertex AI RAG Engine\n-----------------------------------------\n\nVertex AI RAG Engine supports CMEK with the following limitations:\n\n- Before creating a RAG corpus, you must manually enable the RAG Service account. For detailed instructions, see [Grant Permissions to the Vertex AI RAG Engine service agent](/vertex-ai/generative-ai/docs/rag-engine/use-ragmanageddb-with-rag#grant_permissions_to_the_vertex_ai_rag_engine_service_agent).\n\n- CMEK is only supported on `RagVectorDbConfig` of type `RagManagedDb`.\n\n- The `encryption_spec` field defines the KMS key, and the field is immutable,\n which means that CMEK can't be enabled or disabled after the RAG corpus is\n created.\n\n- No more than 50 unique KMS keys can be used to create RAG corpora per project\n per region.\n\nWhat's next\n-----------\n\n- For information about managing your encryption, see [Manage your\n encryption](/vertex-ai/generative-ai/docs/rag-engine/use-ragmanageddb-with-rag#manage_your_encryption).\n- For more information on Vertex AI RAG Engine, see [Vertex AI RAG Engine\n overview](/vertex-ai/generative-ai/docs/rag-engine/rag-overview).\n- To learn more about data at rest, see [Data\n residency](/vertex-ai/generative-ai/docs/learn/data-residency).\n- To learn more about the RAG API, see [RAG Engine\n API](/vertex-ai/generative-ai/docs/model-reference/rag-api)."]]