By default, Conversational Insights encrypts customer content at
rest. Insights handles encryption for you without any
additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys
(CMEKs) in Cloud KMS with CMEK-integrated services including
Insights. Using Cloud KMS keys gives you control over their protection
level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets
you view audit logs and control key lifecycles.
Instead of Google owning and managing the symmetric
key encryption keys (KEKs) that protect your data, you control and
manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your
Insights resources is similar to using Google default encryption.
For more information about your encryption
options, see Customer-managed encryption keys (CMEK).
Protected data
All Insights at-rest data in a supported location can be protected with CMEKs.
Supported Locations
CMEK is available in all Insights locations except global.
Limitations
For features that involve data egress to customer-owned instances of another Google Cloud product, configure CMEK in the corresponding Google Cloud product:
- Upload audio with transcription: enable CMEK in Cloud Speech-to-Text.
- Export conversation to BigQuery: enable CMEK on the BigQuery table.
Create keys
To create keys, use the Cloud KMS service.
For instructions, see Creating symmetric keys.
When creating or choosing a key, you must configure the following:
- Select the same location that you use for your Insights data. Otherwise, requests will fail.
Enable CMEK in Insights
Before you create any Insights data in a specific location, you can specify whether the data in that location will be protected by a customer-managed key (that is, enable CMEK). Configure your key at this time.
Warning: You cannot change encryption key settings for a location after that location has been enabled for CMEK. If you already have Conversational Insights data for a Google Cloud project, then you cannot configure a customer-managed key for that project.
Prerequisites
1. Create an Insights service account for your project with Google Cloud. For more information, see the Google Cloud services identity documentation (https://cloud.google.com/sdk/gcloud/reference/beta/services/identity/create).

    gcloud beta services identity create --service=contactcenterinsights.googleapis.com --project=PROJECT_ID

2. Grant the CCAI CMEK service agent the Cloud KMS CryptoKey Encrypter/Decrypter role for your encryption key so that the service agent has permission to encrypt and decrypt with your key. The email address for the service agent is:

    service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com

Configure a key for an Insights location
1. Use the InitializeEncryptionSpec API to configure the key.
   You need to provide the following variables:
   - PROJECT_ID: your Google Cloud project ID.
   - LOCATION_ID: the location in which you chose to enable CMEK in Insights.
   - KMS_KEY_NAME: the name of the KMS key that will be used to encrypt or decrypt Insights data in the selected location.
     - The location in the KMS key name (for example, projects/<project_id>/locations/<location_id>/keyRings/<key_ring>/cryptoKeys/<key_name>) must match the location in which you want to enable CMEK.
     - You must have granted access to this key in step 2 of the prerequisites.
   For example:

    curl -X POST \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      -d '{ "encryption_spec": { "kms_key": "KMS_KEY_NAME" } }' \
      "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"

   You should receive a JSON response similar to the following:

    {
      "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
    }

2. Use the GetOperation API to check the result of the long-running operation.
   For example:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"

Check CMEK Settings
Use the GetEncryptionSpec API to check the encryption key configured for a location.
For example:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://contactcenterinsights.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"

Revoke keys
To revoke Insights access to the key, you can disable the KMS key version or remove the service account's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.
Warning: If you have revoked the key for more than 30 days, the Insights data encrypted by that key will be lost.

Last updated 2025-08-25 UTC.
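Because encryption key settings for a location cannot be changed once CMEK is enabled, it helps to validate LOCATION_ID and KMS_KEY_NAME before calling InitializeEncryptionSpec. The shell functions below are an added example, not part of the original page: they apply the page's rules (no global location, key location must match the Insights location) and print the `gcloud kms keys add-iam-policy-binding` command for the service agent grant. The function names and sample values are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before the one-time InitializeEncryptionSpec call.

# Split projects/P/locations/L/keyRings/R/cryptoKeys/K and print "P L R K".
# The body runs in a subshell, so IFS and positional changes do not leak.
parse_kms_key() (
  case $1 in */ | *[[:space:]]*) return 1 ;; esac
  IFS=/
  set -f
  set -- $1
  [ $# -eq 8 ] && [ "$1" = projects ] && [ "$3" = locations ] &&
    [ "$5" = keyRings ] && [ "$7" = cryptoKeys ] &&
    [ -n "$2" ] && [ -n "$4" ] && [ -n "$6" ] && [ -n "$8" ] || return 1
  printf '%s %s %s %s\n' "$2" "$4" "$6" "$8"
)

# Return 0 only if KMS_KEY_NAME ($2) is usable for LOCATION_ID ($1).
# Exit codes 2, 3 and 4 identify which check failed.
check_cmek_inputs() (
  location_id=$1
  if [ "$location_id" = global ]; then
    echo "CMEK is not available in the global location" >&2; return 2
  fi
  parts=$(parse_kms_key "$2") || {
    echo "not a crypto key resource name: $2" >&2; return 3; }
  set -f
  set -- $parts
  if [ "$2" != "$location_id" ]; then
    echo "key location '$2' does not match Insights location '$location_id'" >&2
    return 4
  fi
)

# Print, for review, the IAM grant for the CCAI CMEK service agent.
# $1 is the Insights project number; nothing is executed here.
grant_command() (
  project_number=$1
  parts=$(parse_kms_key "$2") || return 1
  set -f
  set -- $parts
  printf 'gcloud kms keys add-iam-policy-binding %s --project=%s' "$4" "$1"
  printf ' --location=%s --keyring=%s' "$2" "$3"
  printf ' --member=serviceAccount:service-%s@gcp-sa-ccai-cmek.iam.gserviceaccount.com' "$project_number"
  printf ' --role=roles/cloudkms.cryptoKeyEncrypterDecrypter\n'
)

# Constructed sample values, not taken from the page.
KEY=projects/demo-proj/locations/us-central1/keyRings/insights-ring/cryptoKeys/insights-key
check_cmek_inputs us-central1 "$KEY" && grant_command 123456789012 "$KEY"
```

Run the printed grant command and confirm the binding before sending the initialize request.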