Customer-managed encryption keys (CMEK)

By default, Google Cloud automatically encrypts data using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK).

For more information about CMEK, see the CMEK guide in the Cloud Key Management Service (KMS) documentation.

Protected data

All Dialogflow CX agent data-at-rest can be protected with CMEKs.


  • Analytics is disabled for agents with CMEK enabled.
  • Data store agents don't support key rotation. Dialogflow CX agents without data stores do support key rotation whereby new data is encrypted with the new key version. Re-encrypting previously-encrypted data with a new key version is not supported.
  • The global location is not supported.
  • One key should be used per project location.
  • In order to restore an agent with CMEK enabled, you must choose the Cloud Storage option.
  • Existing resources in non-CMEK integrated projects cannot be CMEK integrated retroactively. Instead, it is recommended that resources be exported and restored in a new project for CMEK.

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

  • Be sure to select the location that you use for your agent, otherwise, requests will fail.
  • Dialogflow does not support key rotation for data store agents. If you are using an agent of this type, the rotation period must be set to Never when you create the key.

Configure an agent to use your keys

When you create an agent, you can specify the agent location and whether the agent will use a Google-managed or the already configured customer-managed key for that location. Make your selections at this time.

Configure your service account or user account

  1. Create the CCAI CMEK Service account for your project with Google Cloud CLI. For more information, see gcloud services identity documentation.

    gcloud beta services identity create --project=PROJECT_ID

    The service account will be created. It won't be returned in the create response, but will have the following format:
  2. Grant the CCAI CMEK Service account the Cloud KMS CryptoKey Encrypter/Decrypter role to ensure that the service has permissions to encrypt and decrypt with your key.

    gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
    --project=PROJECT_ID \
    --location=LOCATION_ID \
    --keyring=KMS_KEY_RING \ \