Customer-managed encryption keys

By default, NotebookLM Enterprise encrypts customer content at rest. NotebookLM Enterprise handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including NotebookLM Enterprise. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your NotebookLM Enterprise resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Limitations of Cloud KMS in NotebookLM Enterprise

The following limitations apply to CMEK (Cloud KMS) keys in NotebookLM Enterprise:

  • Keys can't be changed or rotated.

  • Organization policy constraints can't be applied to NotebookLM Enterprise.

  • CMEK-protection with NotebookLM Enterprise is not integrated with Cloud Asset Inventory search.

  • You can't change the encryption settings of notebooks. An unprotected notebook can't later be protected.

  • After a key has been registered, it can't be deregistered or removed from a data store.
  • You must use US or EU multi-region data stores and apps (not global ones). For more information about multi-regions and data residency, including limits associated with using non-global locations, see locations.

  • If you need to register more than one key for a project, contact your Google account team to request a quota increase for CMEK configurations, providing a justification for why you need more than one key.

  • Using external key manager (EKM) with CMEK is in GA with allowlist. To use EKM with CMEK, contact your Google account team.

    The following limitations apply to EKM or HSM with CMEK:

    • Your EKM and HSM quota for encrypt and decrypt calls should have at least 1,000 QPM of headroom. For how to check your quotas, see Check your Cloud KMS quotas.

    • If using EKM, the key must be reachable for more than 90% of any time window of longer than 30 seconds. If the key isn't reachable for this amount of time, it can negatively impact indexing and search freshness.

    • If there are billing issues, persistent out-of-quota issues, or persistent unreachability issues for more than 12 hours, the service automatically turns down the CmekConfig associated with the EKM or HSM key.

  • You can't use Terraform to configure CMEK for NotebookLM Enterprise.

Before you begin

Make sure you satisfy the following prerequisites:

  • Create a multi-region symmetric Cloud KMS key. See Create a key ring and Create a key in the Cloud KMS documentation.

    • Set the rotation period to Never (Manual rotation).

    • For Location, select Multi-region, and select europe or us from the drop-down.

  • The CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the key has been granted to the Discovery Engine service agent. The service agent account has an email address that uses the following format: service-PROJECT_NUMBER@gcp-sa-discoveryengine.iam.gserviceaccount.com. For general instructions on how to add a role to a service agent, see Grant or revoke a single role.

  • The CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the key has been granted to the Cloud Storage service agent. If this role is not granted, data import for CMEK-protected data stores will fail because Discovery Engine is not able to make the CMEK-protected, temporary bucket and directory that is required for importing.

  • Don't create any data stores or apps that you want managed by your key until after you have completed the key registration instructions on this page.

Register your Cloud KMS key

To encrypt data using CMEK, you must register your multi-region key. Optionally, if your data needs single-region keys, for example, when using third-party connectors, you need to register your single-region keys.

REST

To register your own key for NotebookLM Enterprise, follow these steps:

  1. Call the UpdateCmekConfig method with the key that you want to register.

    curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{"kmsKey":"projects/KMS_PROJECT_ID/locations/KMS_LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME"}' \
"https://LOCATION-discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/cmekConfigs/CMEK_CONFIG_ID?set_default=SET_DEFAULT"

    Replace the following:

    • KMS_PROJECT_ID: the ID of your project that contains the key. The project number won't work.
    • KMS_LOCATION: the multi-region of your key: us or europe.
    • KEY_RING: the name of the key ring that holds the key.
    • KEY_NAME: the name of the key.
    • PROJECT_ID: the ID of your project that contains the data store.
    • LOCATION: the multi-region of your data store: us or eu.
    • CMEK_CONFIG_ID: set a unique ID for the CmekConfig resource, for example, default_cmek_config.
    • SET_DEFAULT: set to true to use the key as the default key for subsequent data stores created in the multi-region.

  2. Optional: Record the name value returned by the method and follow the instructions in Get details about a long-running operation to see when the operation is complete.

    It typically takes a few minutes to register a key.

Console

Before you begin

Make sure that the region isn't already protected by a key. The following procedure fails if a key is already registered for the region through the REST command.

To determine if there is an active key in NotebookLM Enterprise for a location, see View Cloud KMS keys.

Procedure

To register your own key for NotebookLM Enterprise, follow these steps:

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. Click Settings, and select the CMEK tab.

  3. Click Add key for the us or eu location.

    Click add key for a location.
    Click add key.

    1. Click the Select a Cloud KMS key drop-down, and select the key.

      • If the key is in a different project, click Switch project, click your project name, type the name of the key you created, and select the key.

      • If you know the resource name of the key, click Enter manually, paste the key resource name, and click Save.

    2. Click OK > Save.

This registers your key, creating a CmekResource called default_cmek_config.

It can take several hours for the ingested data to show up in search results.

Unregister your Cloud KMS key

To unregister your key from NotebookLM Enterprise, follow these steps:

  1. Call the DeleteCmekConfig method with the CmekConfig resource name that you want to unregister.

    curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://LOCATION-discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/cmekConfigs/CMEK_CONFIG_ID"

    Replace the following:

    • LOCATION: the multi-region of your data store: us or eu.
    • PROJECT_ID: the ID of your project that contains the data store.
    • CMEK_CONFIG_ID: the ID of the CmekConfig resource. If you registered your key using the console, the ID is default_cmek_config.

    An example curl call and response looks like this: 

    $ curl -X DELETE
-H "Authorization: Bearer $(gcloud auth print-access-token)"
"https://us-discoveryengine.googleapis.com/v1/projects/my-ai-app-project-123/locations/us/cmekConfigs/default_cmek_config"
 
{
 "name": "projects/my-ai-app-project-123/locations/us/operations/delete-cmek-config-56789",
 "metadata": {
  "@type": "type.googleapis.com/google.cloud.discoveryengine.v1.DeleteCmekConfigMetadata"
 }
}

  2. Optional: Record the name value returned by the method and follow the instructions in Get details about a long-running operation to see when the operation is complete.

    It typically takes a few minutes to delete a key.

Verify that NotebookLM Enterprise is protected by a key

If you want to confirm that NotebookLM is protected by your key, follow these steps:

  1. Call the ListCmekConfigs method:

      curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://LOCATION-discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/cmekConfigs"

    Replace the following:

    • LOCATION: the multi-region of your data store: us or eu.
    • PROJECT_ID: the ID of your Google Cloud project that contains the data.

  2. Review the output from the command. The CmekConfig is ready for use if all of the following are in the output:

    • "state": "ACTIVE"
    • "isDefault": true
    • "notebooklmState": NOTEBOOK_LM_READY

If a Cloud KMS key is disabled or revoked

If a key is disabled or permissions for the key are revoked, the data store stops ingesting data and stops serving data within 15 minutes. However, re-enabling a key or restoring permissions takes a long time. It can take up to 24 hours before the data store can resume serving data.

Therefore, don't disable a key unless necessary. Disabling and enabling a key on a data store is a time-consuming operation. For example, repeatedly switching a key between disabled and enabled means it will take a long time for the data store to reach a protected state. Disabling a key and re-enabling it immediately afterward could result in days of downtime because the key is first disabled from the data store and subsequently re-enabled.