# Customer-managed encryption keys (CMEK)

By default, Dialogflow encrypts customer content at rest. Dialogflow handles encryption for you without any additional actions on your part. This option is called *Google default encryption*. Google default encryption uses the same hardened key management systems that we use for our own encrypted data. These systems include strict key access controls and auditing.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in [Cloud KMS](/kms/docs) with CMEK-integrated services including Dialogflow. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles.

Instead of Google owning and managing the symmetric [key encryption keys (KEKs)](/kms/docs/envelope-encryption#key_encryption_keys) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Dialogflow resources is similar to using Google default encryption. For more information about your encryption options, see [Customer-managed encryption keys (CMEK)](/kms/docs/cmek).

Protected data
--------------

All Conversational Agents (Dialogflow CX) agent [data-at-rest](https://en.wikipedia.org/wiki/Data_at_rest) can be protected with CMEKs.

Limitations
-----------

- Key rotation is supported but data re-encryption is not. That is, re-encrypting previously encrypted data with a new key version is not supported.
- The following [regions](/dialogflow/cx/docs/concept/region#avail) are not supported:
  - `global`
- One key should be used per project location.
- In order to [restore an agent](/dialogflow/cx/docs/concept/agent#export) with CMEK enabled, you must choose the Cloud Storage option.
- Existing resources in non-CMEK integrated projects cannot be CMEK integrated retroactively. Instead, it is recommended that resources be exported and restored in a new project for CMEK.
- [AI Applications](/generative-ai-app-builder/docs/introduction) has some [Cloud KMS limitations](/generative-ai-app-builder/docs/cmek#limitations).

Create keys
-----------

To create keys, you use the KMS service. For instructions, see [Creating symmetric keys](/kms/docs/creating-keys). When creating or choosing a key, you must configure the following:

- Be sure to select the [location](/dialogflow/cx/docs/how/region) that you use for your agent; otherwise, requests will fail.

Configure an agent to use your keys
-----------------------------------

When you create an agent, you can specify the agent [location](/dialogflow/cx/docs/how/region) and whether the agent will use a Google-managed key or the already configured customer-managed key for that location. Make your selections at this time.

| **Warning:** You cannot change encryption key settings for a location once they have been specified. In order to change a location, you must create a new project with the selected location and [import](/dialogflow/cx/docs/concept/agent#export) existing agents to the new project.

### Prerequisites

| **Note:** The CCAI CMEK Service account is not visible in your project IAM.

1. Create the CCAI CMEK Service account for your project with the Google Cloud CLI. For more information, see the [gcloud services identity documentation](https://cloud.google.com/sdk/gcloud/reference/beta/services/identity/create).

   ```bash
   gcloud beta services identity create --service=dialogflow.googleapis.com --project=PROJECT_ID
   ```

   The service account will be created. It won't be returned in the create response, but it will have the following format:

   ```bash
   service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com
   ```

2. Grant the CCAI CMEK Service account the [Cloud KMS CryptoKey Encrypter/Decrypter](/kms/docs/reference/permissions-and-roles#cloudkms.cryptoKeyEncrypterDecrypter) role to ensure that the service has permissions to encrypt and decrypt with your key.

   ```bash
   gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
     --project=PROJECT_ID \
     --location=LOCATION_ID \
     --keyring=KMS_KEY_RING \
     --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-ccai-cmek.iam.gserviceaccount.com \
     --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
   ```

### Configure a key for a Conversational Agents (Dialogflow CX) location

1. Use the `InitializeEncryptionSpec` API to configure the key.

   You will need to provide the following variables:

   - `PROJECT_ID`: Your Google Cloud project ID.
   - `LOCATION_ID`: The location you chose to enable CMEK in Conversational Agents (Dialogflow CX).
   - `KMS_KEY_RING`: The key ring your KMS key was created in. (The location in the key ring name, as in `projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING`, must match the location where you're enabling CMEK.)
   - `KMS_KEY_ID`: The name of the KMS key that will be used to encrypt and decrypt Conversational Agents (Dialogflow CX) data in the selected location.

   For example:

   ```bash
   curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "{ encryption_spec: { kms_key: 'projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING/cryptoKeys/KMS_KEY_ID' } }" \
     "https://LOCATION_ID-dialogflow.googleapis.com/v2/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec:initialize"
   ```

   You should receive a JSON response similar to the following:

   ```json
   {
     "name": "projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
   }
   ```

2. Use the `GetOperation` API to check the long-running operation result.

   For example:

   ```bash
   curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://LOCATION_ID-dialogflow.googleapis.com/v2/projects/PROJECT_ID/locations/LOCATION_ID/operations/OPERATION_ID"
   ```

Check CMEK settings
-------------------

Use the `GetEncryptionSpec` API to check the encryption key configured for a location.

For example:

```bash
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://LOCATION_ID-dialogflow.googleapis.com/v2/projects/PROJECT_ID/locations/LOCATION_ID/encryptionSpec"
```

Revoke keys
-----------

To revoke Conversational Agents (Dialogflow CX) access to the key, you can [disable the KMS key version](/kms/docs/iam#revoking_access_to_a_resource) or [remove](/kms/docs/iam#revoking_access_to_a_resource) the service account's [Cloud KMS CryptoKey Encrypter/Decrypter](/kms/docs/reference/permissions-and-roles#cloudkms.cryptoKeyEncrypterDecrypter) role from the KMS key.

After key revocation, the encrypted data becomes inaccessible to Conversational Agents (Dialogflow CX), and the service will no longer be in an operational state until the key permissions are reinstated.

| **Warning:** If you have revoked the key for more than 30 days, the Conversational Agents (Dialogflow CX) data encrypted by that key will be lost.
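The key-configuration procedure above has two failure modes that only surface after the request is sent: a key whose key ring lives in a different location than the one CMEK is being enabled in, and the unsupported `global` location. The script below is an added example, not part of the Dialogflow documentation, that checks both before calling `encryptionSpec:initialize`, builds the same endpoint and request body the page's `curl` example uses, and polls the returned long-running operation until it reports `done`. The function names are this example's own; the sample JSON in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the Dialogflow docs): pre-flight checks, request
# assembly and operation polling for InitializeEncryptionSpec.

# Fully qualified Cloud KMS key name from the four values the procedure asks for:
# cmek_key_name PROJECT_ID LOCATION_ID KMS_KEY_RING KMS_KEY_ID
cmek_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Location component of a key name; prints nothing when the name is malformed.
cmek_key_location() {
  printf '%s\n' "$1" |
    sed -n 's#^projects/[^/]*/locations/\([^/]*\)/keyRings/[^/]*/cryptoKeys/[^/]*$#\1#p'
}

# Returns 0 when the key is usable for the agent location. Encodes two rules from
# the page: `global` is not supported, and the key ring location must match the
# location where CMEK is being enabled. Non-zero codes distinguish the reasons.
cmek_check() {
  key_name=$1; agent_location=$2
  key_location=$(cmek_key_location "$key_name")
  if [ -z "$key_location" ]; then
    echo "error: malformed key name: $key_name" >&2; return 2
  fi
  if [ "$agent_location" = "global" ]; then
    echo "error: CMEK is not supported in the global location" >&2; return 3
  fi
  if [ "$key_location" != "$agent_location" ]; then
    echo "error: key is in $key_location but CMEK is being enabled in $agent_location" >&2; return 4
  fi
  return 0
}

# Endpoint and body in the same shape as the page's curl example.
# cmek_initialize_url PROJECT_ID LOCATION_ID
cmek_initialize_url() {
  printf 'https://%s-dialogflow.googleapis.com/v2/projects/%s/locations/%s/encryptionSpec:initialize\n' "$2" "$1" "$2"
}
cmek_initialize_body() {
  printf "{ encryption_spec: { kms_key: '%s' } }\n" "$1"
}

# True when a GetOperation response reports completion, e.g. the constructed
# sample {"name":"projects/p/locations/l/operations/o","done": true}.
cmek_operation_done() {
  printf '%s' "$1" | grep -Eq '"done"[[:space:]]*:[[:space:]]*true'
}

# Runs the checks and, only if they pass, sends the request and polls the
# operation. Needs gcloud credentials and network access, so it is not run offline.
# cmek_initialize PROJECT_ID LOCATION_ID KMS_KEY_RING KMS_KEY_ID
cmek_initialize() {
  project=$1; location=$2; ring=$3; key=$4
  key_name=$(cmek_key_name "$project" "$location" "$ring" "$key")
  cmek_check "$key_name" "$location" || return $?
  token=$(gcloud auth print-access-token)
  op=$(curl -sS -X POST \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "$(cmek_initialize_body "$key_name")" \
    "$(cmek_initialize_url "$project" "$location")")
  # The response's "name" is the operation to poll with GetOperation.
  op_name=$(printf '%s' "$op" | sed -n 's/.*"name":[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$op_name" ] || { echo "error: no operation name in response: $op" >&2; return 5; }
  while :; do
    status=$(curl -sS -H "Authorization: Bearer $token" \
      "https://$location-dialogflow.googleapis.com/v2/$op_name")
    cmek_operation_done "$status" && break
    sleep 5
  done
  printf '%s\n' "$status"
}
```

Running `cmek_initialize my-project us-central1 my-ring my-key` refuses to send anything if the key name does not parse or its location disagrees with the agent location, which is the cheapest point to catch the "requests will fail" condition the Create keys section warns about. The poll loop reuses one access token; for an operation that outlives the token, fetch a fresh one inside the loop.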