Some products and features are in the process of being renamed. Generative playbook and flow features are also being migrated to a single consolidated console. See the details.

Customer-managed encryption keys (CMEK)

By default, Dialogflow encrypts customer content at rest. Dialogflow handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Dialogflow. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Dialogflow resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Protected data

All Conversational Agents (Dialogflow CX) agent data-at-rest can be protected with CMEKs.

Limitations

Key rotation is supported but data re-encryption is not. That is, re-encrypting previously encrypted data with a new key version is not supported.
The following regions are not supported:
- global
- eu
One key should be used per project location.
In order to restore an agent with CMEK enabled, you must choose the Cloud Storage option.
Existing resources in non-CMEK integrated projects cannot be CMEK integrated retroactively. Instead, it is recommended that resources be exported and restored in a new project for CMEK.
Vertex AI Agent Builder has some Cloud KMS Limitations

Create keys

To create keys, you use the KMS service. For instructions, see Creating symmetric keys. When creating or choosing a key, you must configure the following:

Be sure to select the location that you use for your agent, otherwise, requests will fail.

Configure an agent to use your keys

When you create an agent, you can specify the agent location and whether the agent will use a Google-managed or the already configured customer-managed key for that location. Make your selections at this time.

Prerequisites

Create the CCAI CMEK Service account for your project with Google Cloud CLI. For more information, see gcloud services identity documentation.
```
gcloud beta services identity create --service=dialogflow.googleapis.com --project=PROJECT_ID
```
The service account will be created. It won't be returned in the create response, but will have the following format:
```
service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com
```

Grant the CCAI CMEK Service account the Cloud KMS CryptoKey Encrypter/Decrypter role to ensure that the service has permissions to encrypt and decrypt with your key.

gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
--project=PROJECT_ID \
--location=LOCATION_ID \
--keyring=KMS_KEY_RING \
--member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Configure a key for Conversational Agents (Dialogflow CX) location

Use the InitializeEncryptionSpec API to configure the key.

You will need to provide the following variables:
- PROJECT_ID: Your Google Cloud project ID.
- LOCATION_ID: The location you chose to enable CMEK in Conversational Agents (Dialogflow CX).
- KMS_KEY_RING: The key ring your KMS key was created in. (The location in the key ring, like projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING, must match the location where you're enabling CMEK.)
- KMS_KEY_ID: The name of your KMS key that will be used to encrypt and decrypt Conversational Agents (Dialogflow CX) data in the selected location.
For example:
```
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "{ encryption_spec: { kms_key: 'projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING/cryptoKeys/KMS_KEY_ID' } }" \
    "https://LOCATION_ID-dialogflow.googleapis.com/v2/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"
```
You should receive a JSON response similar to the following:
```
{
  "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
}
```

Use the GetOperation API to check the long-running operation result.

For example:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://LOCATION_ID-dialogflow.googleapis.com/v2/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"

Check CMEK settings

Use the GetEncryptionSpec API to check the encryption key configured for a location.

For example:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://LOCATION_ID-dialogflow.googleapis.com/v2/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"

Revoke keys

To revoke Conversational Agents (Dialogflow CX) access to the key, you could disable the KMS key version or remove the service account's Cloud KMS CryptoKey Encrypter/Decrypter role from the KMS key.

After key revocation the encrypted data will become inaccessible to Conversational Agents (Dialogflow CX) and the service will no longer be in an operational state until the key permissions are reinstated.

Agent collaboration

Security settings