Customer-managed encryption keys (CMEK)
By default, Dialogflow encrypts customer content at rest. Dialogflow handles encryption for you without any additional actions on your part. This option is called Google default encryption.
Google default encryption uses the same hardened key management systems that we use for our own encrypted data. These systems include strict key access controls and auditing.
If you want to control your encryption keys, you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services, including Dialogflow. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets you view audit logs and control key lifecycles.
Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Dialogflow resources is similar to using Google default encryption.
For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Key rotation is supported, but data re-encryption is not. That is, re-encrypting previously encrypted data with a new key version is not supported.
To restore an agent with CMEK enabled, you must choose the Cloud Storage option.
Existing resources in non-CMEK integrated projects cannot be CMEK integrated retroactively. Instead, it is recommended that resources be exported and restored in a new project for CMEK.
To create keys, you use the KMS service. For instructions, see Creating symmetric keys.
When creating or choosing a key, you must configure the following:
Be sure to select the location that you use for your agent; otherwise, requests will fail.
Configure an agent to use your keys
When you create an agent, you can specify the agent location and whether the agent will use a Google-managed key or the already configured customer-managed key for that location.
Make your selections at this time.
Prerequisites
Create the CCAI CMEK Service account for your project with the Google Cloud CLI. For more information, see the gcloud services identity documentation.
Grant the CCAI CMEK Service account the Cloud KMS CryptoKey Encrypter/Decrypter role to ensure that the service has permissions to encrypt and decrypt with your key.
Configure a key for a Conversational Agents (Dialogflow CX) location
Use the InitializeEncryptionSpec API to configure the key.
You will need to provide the following variables:
PROJECT_ID: Your Google Cloud project ID.
LOCATION_ID: The location you chose to enable CMEK in Conversational Agents (Dialogflow CX).
KMS_KEY_RING: The key ring your KMS key was created in. (The location in the key ring, like projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KMS_KEY_RING, must match the location where you're enabling CMEK.)
KMS_KEY_ID: The name of your KMS key that will be used to encrypt and decrypt Conversational Agents (Dialogflow CX) data in the selected location.
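The prerequisite grant and the InitializeEncryptionSpec call, wrapped in a pre-flight check that the key ring location matches the agent location. This is an added example, not code from the original page; the function names are assumptions, and the network functions need an authenticated gcloud CLI.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check plus the CMEK setup calls for one location.
# Function names are assumptions chosen for this sketch.

# Full Cloud KMS key resource name. Args: project location key_ring key_id
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Succeed only if the key ring location equals the agent location.
# Args: key_name agent_location. Returns 2 for a malformed name, 1 for a mismatch.
check_key_location() {
  local key_loc
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) ;;
    *) echo "malformed key name: $1" >&2; return 2 ;;
  esac
  key_loc="${1#projects/*/locations/}"   # strip everything before the location
  key_loc="${key_loc%%/*}"               # keep only the location segment
  [ "$key_loc" = "$2" ] && return 0
  echo "key is in '$key_loc' but agent location is '$2'" >&2
  return 1
}

# CCAI CMEK service account for a project number.
cmek_service_agent() {
  printf 'service-%s@gcp-sa-ccai-cmek.iam.gserviceaccount.com' "$1"
}

# Grant encrypt/decrypt on this one key only, not project-wide.
# Args: project location key_ring key_id project_number
grant_key_access() {
  gcloud kms keys add-iam-policy-binding "$4" \
    --project="$1" --location="$2" --keyring="$3" \
    --member="serviceAccount:$(cmek_service_agent "$5")" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Call InitializeEncryptionSpec, refusing a mismatched key before any request.
# Args: project location key_name
initialize_encryption_spec() {
  check_key_location "$3" "$2" || return 1
  curl -sS -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "{\"encryption_spec\": {\"kms_key\": \"$3\"}}" \
    "https://$2-dialogflow.googleapis.com/v2/projects/$1/locations/$2/encryptionSpec:initialize"
}
```

Source the file, run `grant_key_access`, then pass the output of `kms_key_name` to `initialize_encryption_spec`; the response names a long-running operation to poll.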
After key revocation, the encrypted data will become inaccessible to Conversational Agents (Dialogflow CX) and the service will no longer be in an operational state until the key permissions are reinstated.
Last updated 2025-08-18 UTC.