See the supported connectors for Application Integration.

Customer-managed encryption keys

By default, Application Integration automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, or if you want to control and manage encryption yourself, you can use customer-managed encryption keys (CMEK). CMEK keys can be stored as software keys, in a HSM cluster, or externally in Cloud External Key Manager (Cloud EKM).

For more information about CMEK, see the Cloud Key Management Service documentation.

Before you begin

Ensure that the following tasks are completed before using CMEK for Application Integration:

  1. Enable the Cloud KMS API for the project that will store your encryption keys.

    Enable Cloud KMS API

  2. Assign the Cloud KMS Admin IAM role or grant the following IAM permissions for the project that will store your encryption keys:
    • cloudkms.cryptoKeys.setIamPolicy
    • cloudkms.keyRings.create
    • cloudkms.cryptoKeys.create

    For information about granting additional roles or permissions, see Granting, changing, and revoking access.

  3. Create a key ring and a key.

Add service account to CMEK key

In order to use a CMEK key in Application Integration, you must ensure that your default service account is added and assigned with the CryptoKey Encrypter/Decrypter IAM role for that CMEK key.

  1. In the Google Cloud console, go to the Key Inventory page.

    Go to Key Inventory page

  2. Select the checkbox for the desired CMEK key.

    The Permissions tab in the right window pane becomes available.

  3. Click Add principal, and enter the email address of the default service account.
  4. Click Select a role and select the Cloud KMS CryptoKey Encrypter/Decrypter role from the available dropdown list.
  5. Click Save.

Enable CMEK encryption for an Application Integration region

CMEK can be used to encrypt and decrypt data stored on PDs within the scope of the provisioned region.

To enable CMEK encryption for an Application Integration region in your Google Cloud project, perform the following steps:
  1. In the Google Cloud console, go to the Application Integration page.

    Go to Application Integration

  2. In the navigation menu, click Regions.

    The Regions page appears, listing the provisioned regions for Application Integration.

  3. For the existing integration that you want to use CMEK, click Actions and select Edit encryption.
  4. In the Edit encryption pane, expand the Advanced settings section.
  5. Select Use a Customer-managed encryption key (CMEK), and do the following:
    1. Select a CMEK key from the available drop-down list. The CMEK keys listed in the drop-down are based on the provisioned region. To create a new key, see Create new CMEK key.
    2. Click Verify to check if your default service account has cryptokey access to the selected CMEK key.
    3. If the verification for the selected CMEK key fails, click Grant to assign the CryptoKey Encrypter/Decrypter IAM role to the default service account.
  6. Click Done.

Create new CMEK key

You can create a new CMEK key if you don't want to use your existing key, or if you don't have a key in the specified region.

To create a new symmetric encryption key, perform the following steps in the Create a new key dialog:
  1. Select Key ring:
    1. Click Key ring and choose an existing key ring in the specified region.
    2. If you want to create a new key ring for your key, click the Create key ring toggle and do the following steps:
      1. Click Key ring name and enter a name of your key ring.
      2. Click Key ring location and choose the regional location of your key ring.
    3. Click Continue.
  2. Create Key:
    1. Click Key name and enter a name for your new key.
    2. Click Protection level and select either Software or HSM.

      For information about protection levels, see Cloud KMS protection levels.

  3. Review your key and key ring details, and click Continue.
  4. Click Create.

Cloud KMS quotas and Application Integration

When you use CMEK in Application Integration, your projects can consume Cloud KMS cryptographic requests quotas. For example, CMEK keys can consume these quotas for each encryption and decryption call.

Encryption and decryption operations using CMEK keys affect Cloud KMS quotas in these ways:

  • For software CMEK keys generated in Cloud KMS, no Cloud KMS quota is consumed.
  • For hardware CMEK keys—sometimes called Cloud HSM keys—encryption and decryption operations count against Cloud HSM quotas in the project that contains the key.
  • For external CMEK keys—sometimes called Cloud EKM keys—encryption and decryption operations count against Cloud EKM quotas in the project that contains the key.

For more information, see Cloud KMS quotas.