Stay organized with collections
Save and categorize content based on your preferences.
Customer-managed encryption keys
By default, Integration Connectors encrypts customer content at
rest. Integration Connectors handles encryption for you without any
additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys
(CMEKs) in Cloud KMS with CMEK-integrated services including
Integration Connectors. Using Cloud KMS keys gives you control over their protection
level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets
you view audit logs and control key lifecycles.
Instead of Google owning and managing the symmetric
key encryption keys (KEKs) that protect your data, you control and
manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your
Integration Connectors resources is similar to using Google default encryption.
For more information about your encryption
options, see Customer-managed encryption keys (CMEK).
Before you begin
Ensure that the following tasks are completed before using CMEK for Integration Connectors:
Enable the Cloud KMS API for the project that will store your encryption keys.
In order to use a CMEK key in Integration Connectors, you must ensure that your default service account (having the format service-PROJECT_NUMBER@gcp-sa-connectors.iam.gserviceaccount.com) is added and assigned with the CryptoKey Encrypter/Decrypter IAM role for that CMEK key.
In the Google Cloud console, go to the Key Inventory page.
The Permissions tab in the right window pane becomes available.
Click Add principal, and enter the email address of the default service account.
Click Select a role and select the Cloud KMS CryptoKey Encrypter/Decrypter role from the available dropdown list.
Click Save.
Enable CMEK encryption for an existing Integration Connectors region
You can use CMEK to encrypt and
decrypt the supported data
stored in a region (also referred as location). To enable CMEK encryption
for an existing Integration Connectors region, do the following steps:
In the Google Cloud console, go to the Integration Connectors > Connections page.
Go to the Integration Connectors > Regions page.
This lists all the regions where Integration Connectors is available.
For the region in which you want to enable CMEK, click Edit encryption in the Actions menu.
This shows the Edit encryption pane.
Select Customer-managed encryption key (CMEK), and then select the required key from the
Customer-managed key drop-down list.
This may prompt you to grant to cloudkms.cryptoKeyEncrypterDecrypter role to the
service account. Click Grant.
Click Done.
Enable CMEK encryption for a new Integration Connectors region
You can use CMEK to encrypt and
decrypt the supported data
stored in a region (also referred as location). To enable CMEK encryption
for a new Integration Connectors region, do the following steps:
In the Google Cloud console, go to the Integration Connectors > Regions page.
Click Provision new region.
This displays the create region page.
Select the required region from the Region drop-down list.
In the Advanced settings section, select
Customer-managed encryption key (CMEK), and then select the required key from the
Customer-managed key drop-down list
This may prompt you to grant to cloudkms.cryptoKeyEncrypterDecrypter role to the
service account. Click Grant.
Click Done.
Cloud KMS quotas and Integration Connectors
When you use CMEK in Integration Connectors,
your projects can consume Cloud KMS cryptographic requests
quotas. For example, CMEK keys can consume these quotas for each encryption and decryption call.
Encryption and decryption operations
using CMEK keys affect Cloud KMS quotas in these ways:
For software CMEK keys generated in Cloud KMS, no
Cloud KMS quota is consumed.
For hardware CMEK keys—sometimes called Cloud HSM
keys—encryption and decryption operations count against
Cloud HSM quotas in the project that
contains the key.
For external CMEK keys—sometimes called Cloud EKM
keys—encryption and decryption operations count against
Cloud EKM quotas in the project that
contains the key.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eIntegration Connectors offers both Google default encryption and customer-managed encryption keys (CMEK) for encrypting customer content at rest, allowing users to control key protection, location, rotation, usage, access, and lifecycle management through Cloud KMS.\u003c/p\u003e\n"],["\u003cp\u003eBefore using CMEK, users must enable the Cloud KMS API, assign the necessary IAM roles or permissions, and create a key ring and key within the same region as their Integration Connectors setup.\u003c/p\u003e\n"],["\u003cp\u003eThe default service account for Integration Connectors must be granted the "Cloud KMS CryptoKey Encrypter/Decrypter" IAM role for the chosen CMEK key to ensure proper functionality.\u003c/p\u003e\n"],["\u003cp\u003eEnabling CMEK for an existing Integration Connectors region requires suspending all connections within that region, and once enabled, CMEK encryption cannot be undone or changed to a different encryption method.\u003c/p\u003e\n"],["\u003cp\u003eUsing CMEK in Integration Connectors can consume Cloud KMS cryptographic request quotas, depending on the type of CMEK key used (software, hardware, or external).\u003c/p\u003e\n"]]],[],null,["# Customer-managed encryption keys\n================================\n\nBy default, Integration Connectors encrypts customer content at\nrest. Integration Connectors handles encryption for you without any\nadditional actions on your part. This option is called *Google default encryption*.\n\nIf you want to control your encryption keys, then you can use customer-managed encryption keys\n(CMEKs) in [Cloud KMS](/kms/docs) with CMEK-integrated services including\nIntegration Connectors. Using Cloud KMS keys gives you control over their protection\nlevel, location, rotation schedule, usage and access permissions, and cryptographic boundaries.\nUsing Cloud KMS also lets\nyou view audit logs and control key lifecycles.\n\nInstead of Google owning and managing the symmetric\n[key encryption keys (KEKs)](/kms/docs/envelope-encryption#key_encryption_keys) that protect your data, you control and\nmanage these keys in Cloud KMS.\n\nAfter you set up your resources with CMEKs, the experience of accessing your\nIntegration Connectors resources is similar to using Google default encryption.\nFor more information about your encryption\noptions, see [Customer-managed encryption keys (CMEK)](/kms/docs/cmek).\n\nBefore you begin\n----------------\n\nEnsure that the following tasks are completed before using CMEK for Integration Connectors:\n\n1. Enable the Cloud KMS API for the project that will store your encryption keys.\n [Enable Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com)\n\n | **Tip:** You can run Integration Connectors and Cloud KMS in the same Google Cloud project, or in different projects.\n2. Assign the **Cloud KMS Admin** IAM role or grant the following IAM permissions for the project that will store your encryption keys:\n - `cloudkms.cryptoKeys.setIamPolicy`\n - `cloudkms.keyRings.create`\n - `cloudkms.cryptoKeys.create`\n\n For information about granting additional roles or permissions, see [Granting, changing, and revoking access](/iam/docs/granting-changing-revoking-access).\n | **Caution:**The Cloud KMS Admin role contains permissions for key maintenance and key version destruction. To protect your Cloud KMS resources, this role should only be assigned to individuals responsible for key administration.\n3. Create a [key ring](/kms/docs/creating-keys#create_a_key_ring) and a [key](/kms/docs/creating-keys#create_a_key). **Note:**The key ring must be created in the same region where you have set up Integration Connectors.\n\nAdd service account to CMEK key\n-------------------------------\n\n\nIn order to use a CMEK key in Integration Connectors, you must ensure that your default service account (having the format `service-`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@gcp-sa-connectors.iam.gserviceaccount.com`) is added and assigned with the [CryptoKey Encrypter/Decrypter](/iam/docs/understanding-roles#cloud-kms-roles) IAM role for that CMEK key.\n| **Note:** The default service account may not exist if you are provisioning the first region. To generate the service account, run the `gcloud beta services identity create --service=connectors.googleapis.com --project=`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e command.\n\n1. In the Google Cloud console, go to the **Key Inventory** page.\n\n\n [Go to Key Inventory page](https://console.cloud.google.com/security/kms/keys)\n2. Select the checkbox for the desired CMEK key. The **Permissions** tab in the right window pane becomes available.\n\n3. Click **Add principal**, and enter the email address of the default service account.\n4. Click **Select a role** and select the **Cloud KMS CryptoKey Encrypter/Decrypter** role from the available dropdown list.\n5. Click **Save**.\n\nEnable CMEK encryption for an existing Integration Connectors region\n--------------------------------------------------------------------\n\n| **Caution:**\n|\n| - Enabling CMEK encryption for an Integration Connectors region cannot be undone. This also means that you can't change the encryption method for a region if CMEK is already enabled.\n| - You can enable CMEK for an Integration Connectors region only when all the connections in that region are `SUSPENDED`. Therefore, before you enable CMEK for an existing region that has connections, you must [suspend all the connections](/integration-connectors/docs/suspend-resume-connection#suspend-a-connection) in the region.\n\nYou can use CMEK to encrypt and\ndecrypt the [supported data](/integration-connectors/docs/encryption#data)\nstored in a region (also referred as location). To enable CMEK encryption\nfor an existing Integration Connectors region, do the following steps:\n\n1. In the Google Cloud console, go to the **Integration Connectors \\\u003e Connections** page.\n\n\n [Go to all connections](https://console.cloud.google.com/connectors/connections) page.\n2. Filter the connections for the required **Location** .\n\n You will get a list of all the connections for the specified location (region).\n3. [Suspend all the connections](/integration-connectors/docs/suspend-resume-connection#suspend-a-connection) in the region.\n4. Go to the **Integration Connectors \\\u003e Regions** page. This lists all the regions where Integration Connectors is available.\n5. For the region in which you want to enable CMEK, click **Edit encryption** in the **Actions** menu. This shows the **Edit encryption** pane.\n6. Select **Customer-managed encryption key (CMEK)** , and then select the required key from the **Customer-managed key** drop-down list.\n\n This may prompt you to grant to `cloudkms.cryptoKeyEncrypterDecrypter` role to the\n service account. Click **Grant**.\n7. Click **Done**.\n\nEnable CMEK encryption for a new Integration Connectors region\n--------------------------------------------------------------\n\n| **Caution:**Enabling CMEK encryption for an Integration Connectors region cannot be undone.\n\nYou can use CMEK to encrypt and\ndecrypt the [supported data](/integration-connectors/docs/encryption#data)\nstored in a region (also referred as location). To enable CMEK encryption\nfor a new Integration Connectors region, do the following steps:\n\n1. In the Google Cloud console, go to the **Integration Connectors \\\u003e Regions** page.\n\n\n [Go to Regions](https://console.cloud.google.com/connectors/regions) page.\n2. Click **Provision new region**. This displays the create region page.\n3. Select the required region from the **Region** drop-down list.\n4. In the **Advanced settings** section, select **Customer-managed encryption key (CMEK)** , and then select the required key from the **Customer-managed key** drop-down list\n\n This may prompt you to grant to `cloudkms.cryptoKeyEncrypterDecrypter` role to the\n service account. Click **Grant**.\n5. Click **Done**.\n\nCloud KMS quotas and Integration Connectors\n-------------------------------------------\n\nWhen you use CMEK in Integration Connectors,\nyour projects can consume Cloud KMS cryptographic requests\nquotas. For example, CMEK keys can consume these quotas for each encryption and decryption call.\n\nEncryption and decryption operations\nusing CMEK keys affect Cloud KMS quotas in these ways:\n\n- For software CMEK keys generated in Cloud KMS, no Cloud KMS quota is consumed.\n- For hardware CMEK keys---sometimes called Cloud HSM keys---encryption and decryption operations count against [Cloud HSM quotas](/kms/quotas#hsm) in the project that contains the key.\n- For external CMEK keys---sometimes called Cloud EKM keys---encryption and decryption operations count against [Cloud EKM quotas](/kms/quotas#ekm) in the project that contains the key.\n\nFor more information, see\n[Cloud KMS quotas](/kms/quotas)."]]
