See the supported connectors for Application Integration.

Customer-managed encryption keys

By default, Application Integration encrypts customer content at rest. Application Integration handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Application Integration. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Application Integration resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Before you begin

Ensure that the following tasks are completed before using CMEK for Application Integration:

1. Enable the Cloud KMS API for the project that will store your encryption keys.

   Enable Cloud KMS API

2. Assign the Cloud KMS Admin IAM role or grant the following IAM permissions for the project that will store your encryption keys:
   • cloudkms.cryptoKeys.setIamPolicy
   • cloudkms.keyRings.create
   • cloudkms.cryptoKeys.create

   For information about granting additional roles or permissions, see Granting, changing, and revoking access.

3. Create a key ring and a key.

Add service account to CMEK key

In order to use a CMEK key in Application Integration, you must ensure that your default service account is added and assigned with the CryptoKey Encrypter/Decrypter IAM role for that CMEK key.

1. In the Google Cloud console, go to the Key Inventory page.

   Go to Key Inventory page

2. Select the checkbox for the desired CMEK key.

   The Permissions tab in the right window pane becomes available.

3. Click Add principal, and enter the email address of the default service account.
4. Click Select a role and select the Cloud KMS CryptoKey Encrypter/Decrypter role from the available dropdown list.
5. Click Save.

Enable CMEK encryption for an Application Integration region

CMEK can be used to encrypt and decrypt data stored on PDs within the scope of the provisioned region.

To enable CMEK encryption for an Application Integration region in your Google Cloud project, perform the following steps:

1. In the Google Cloud console, go to the Application Integration page.

   Go to Application Integration

2. In the navigation menu, click Regions.

   The Regions page appears, listing the provisioned regions for Application Integration.

3. For the existing integration that you want to use CMEK, click more_vert Actions and select Edit encryption.
4. In the Edit encryption pane, expand the Advanced settings section.
5. Select Use a Customer-managed encryption key (CMEK), and do the following:
   1. Select a CMEK key from the available drop-down list. The CMEK keys listed in the drop-down are based on the provisioned region. To create a new key, see Create new CMEK key.
   2. Click Verify to check if your default service account has cryptokey access to the selected CMEK key.
   3. If the verification for the selected CMEK key fails, click Grant to assign the CryptoKey Encrypter/Decrypter IAM role to the default service account.
6. Click Done.

Create new CMEK

You can create a new CMEK key if you don't want to use your existing key, or if you don't have a key in the specified region.

To create a new symmetric encryption key, perform the following steps in the Create a new key dialog:

1. Select Key ring:
   1. Click Key ring and choose an existing key ring in the specified region.
   2. If you want to create a new key ring for your key, click the Create key ring toggle and do the following steps:
      1. Click Key ring name and enter a name of your key ring.
      2. Click Key ring location and choose the regional location of your key ring.
   3. Click Continue.
2. Create Key:
   1. Click Key name and enter a name for your new key.
   2. Click Protection level and select either Software or HSM.

      For information about protection levels, see Cloud KMS protection levels.

3. Review your key and key ring details, and click Continue.
4. Click Create.

Encrypted data

The following table lists the data encrypted in Application Integration:

Resource	Encrypted data
Integration details	Task configuration parameters Task configuration descriptions
Integration execution information	Request parameters Response parameters Task execution details
Authentication profile credentials	Username and passwords API keys OAuth 2.0 authorization code OAuth 2.0 client credentials OAuth 2.0 resource owner password credentials Auth tokens JWT tokens Service accounts SSL/TLS client certificates Google OIDC ID tokens
Approval/Suspension task details	Approval or suspension configurations

Cloud KMS quotas and Application Integration

When you use CMEK in Application Integration, your projects can consume Cloud KMS cryptographic requests quotas. For example, CMEK keys can consume these quotas for each encryption and decryption call.

Encryption and decryption operations using CMEK keys affect Cloud KMS quotas in these ways:

• For software CMEK keys generated in Cloud KMS, no Cloud KMS quota is consumed.
• For hardware CMEK keys—sometimes called Cloud HSM keys—encryption and decryption operations count against Cloud HSM quotas in the project that contains the key.
• For external CMEK keys—sometimes called Cloud EKM keys—encryption and decryption operations count against Cloud EKM quotas in the project that contains the key.

For more information, see Cloud KMS quotas.