By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google.
Vision API has two batch asynchronous annotation requests: AsyncBatchAnnotateImages and AsyncBatchAnnotateFiles. These methods store your data on disk internally during processing (see the Data Usage FAQ for more information). The rest of this topic describes CMEK compliance in Vision API, and how this temporary data is protected at rest. For more information about CMEK in general, see the Cloud Key Management Service documentation about CMEK.
How CMEK compliance works in Vision API
In Vision API, batch annotation request methods are either synchronous or asynchronous.
Synchronous Vision API methods don't persist data to disk and thus are automatically CMEK-compliant, with no configuration required:
Asynchronous Vision API methods do persist data to disk temporarily (see Data Usage FAQ). These methods are automatically CMEK-compliant, with no configuration required:
Before Vision API writes data to disk, the data is automatically encrypted using an ephemeral key called a data-encryption key (DEK). A new DEK is automatically generated for each asynchronous annotation request.
The DEK itself is encrypted by another key called the key encryption key (KEK). The KEK is not accessible to Google engineers or support staff.
When the ephemeral key (DEK) that was used to encrypt its temporary data is destroyed, the temporary data can no longer be accessed, even if the data hasn't been deleted yet.
Vision API writes the results of a batch annotation request to your Cloud Storage bucket, which also has support for CMEK. It is recommended to set up a default encryption key on your input and output buckets.
For more information about data usage in Vision API, see the Data Usage FAQ.