이 페이지에서는 Vertex AI RAG Engine과 함께 작동하도록 CMEK를 사용 설정하는 방법을 보여줍니다.
개요
Vertex AI RAG Engine은 저장 데이터가 암호화되는 방식을 관리하는 강력한 옵션을 제공합니다. 기본적으로 RagManagedDb 내의 모든 사용자 데이터는 기본 설정인 Google-owned and Google-managed encryption key를 사용하여 암호화됩니다. 이 기본 설정을 사용하면 특정 구성을 요구하지 않고도 데이터가 안전한지 확인할 수 있습니다.
암호화에 사용되는 키를 더 세부적으로 제어해야 하는 경우 Vertex AI RAG Engine은 고객 관리 암호화 키(CMEK)를 지원합니다. CMEK를 사용하면 Cloud Key Management Service (KMS) 내에서 관리되는 암호화 키를 사용하여 RAG 코퍼스 데이터를 보호할 수 있습니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[],[],null,["# Use CMEK with Vertex AI RAG Engine\n\n| The [VPC-SC security controls](/vertex-ai/generative-ai/docs/security-controls) and\n| CMEK are supported by Vertex AI RAG Engine. Data residency and AXT security controls aren't\n| supported.\n\nThis page shows you how to enable CMEK to work with\nVertex AI RAG Engine.\n\nOverview\n--------\n\nVertex AI RAG Engine provides robust options for managing how\nyour data at rest is encrypted. By default, all user data within `RagManagedDb`\nis encrypted using a Google-owned and Google-managed encryption key, which is the default\nsetting. This default setting helps you to verify that your data is secure\nwithout requiring any specific configuration.\n\nIf you require more control over your keys used for encryption,\nVertex AI RAG Engine supports [Customer-managed encryption keys\n(CMEK)](/kms/docs/cmek). With CMEK, you can use your\ncryptographic keys, managed within Cloud Key Management Service (KMS), to protect your RAG\ncorpus data.\n\nSet up the encryption key with your RAG corpus\n----------------------------------------------\n\nTo set up an encryption key, follow the steps at [Set up your KMS key and grant permissions](/vertex-ai/generative-ai/docs/rag-engine/use-ragmanageddb-with-rag#set_up_your_kms_key_and_grant_permissions).\n\nCMEK limitations for Vertex AI RAG Engine\n-----------------------------------------\n\nVertex AI RAG Engine supports CMEK with the following limitations:\n\n- Before creating a RAG corpus, you must manually enable the RAG Service account. For detailed instructions, see [Grant Permissions to the Vertex AI RAG Engine service agent](/vertex-ai/generative-ai/docs/rag-engine/use-ragmanageddb-with-rag#grant_permissions_to_the_vertex_ai_rag_engine_service_agent).\n\n- CMEK is only supported on `RagVectorDbConfig` of type `RagManagedDb`.\n\n- The `encryption_spec` field defines the KMS key, and the field is immutable,\n which means that CMEK can't be enabled or disabled after the RAG corpus is\n created.\n\n- No more than 50 unique KMS keys can be used to create RAG corpora per project\n per region.\n\nWhat's next\n-----------\n\n- For information about managing your encryption, see [Manage your\n encryption](/vertex-ai/generative-ai/docs/rag-engine/use-ragmanageddb-with-rag#manage_your_encryption).\n- For more information on Vertex AI RAG Engine, see [Vertex AI RAG Engine\n overview](/vertex-ai/generative-ai/docs/rag-engine/rag-overview).\n- To learn more about data at rest, see [Data\n residency](/vertex-ai/generative-ai/docs/learn/data-residency).\n- To learn more about the RAG API, see [RAG Engine\n API](/vertex-ai/generative-ai/docs/model-reference/rag-api)."]]