Stay organized with collections
Save and categorize content based on your preferences.
This page provides instructions for creating a Memorystore for Redis instance
that uses customer-managed encryption keys. It also provides instructions for
managing instances that use CMEK. For more information about customer-managed
encryption keys for Memorystore, see Customer-managed encryption keys.
Before you begin
Make sure you have the Redis Admin role
on your user account.
Copy or write down the key ID (KMS_KEY_ID), the location of the key, and the
ID (KMS_KEYRING_ID) for the keyring. You need this information when granting
the service account access to the key.
Your Memorystore for Redis instance is now enabled with CMEK.
Creating a key and keyring
Follow instructions to create a keyring
and create a key. Both must be in the
same region as your Redis instance. The key can be from a different project, as
long as the key is in the same region. Also, the key must use the symmetric encryption algorithn.
Granting the service account access to the key
In order to create a Redis instance that uses CMEK first you must grant a
specific Memorystore service account access to the key. Grant
access to the Memorystore service account that uses the following
format:
Creating a Memorystore for Redis instance that uses CMEK
To create an instance with customer-managed encryption keys:
Console
Begin by having a keyring and key
in the same region where you want to create your Memorystore instance.
Follow the instructions at Creating a Redis instance on a VPC network
until you reach the step for enabling a customer-managed encryption key,
then return to these instructions.
Select Use a customer-managed encryption key (CMEK).
Use the dropdown menu to select your key.
If the Memorystore service account has not been granted the
permissions it needs, a text box appears saying:
The service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com service
account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role.
Verify the service account has permission to encrypt/decrypt with the
selected key.
Click the Grant button to grant the role permission to the
Memorystore service account.
Finish selecting your desired configurations for your instance, and click
the Create button to create your CMEK enabled Memorystore for Redis
instance.
gcloud
To create an instance that uses customer-managed encryption keys enter the
following command, replacing VARIABLES with appropriate values:
View the Instance details page for your instance by clicking your
Instance ID.
Click the Security tab.
The Encryption with a customer managed key section contains a link to the
active key, and shows the key reference path. If this section does not appear,
CMEK is not enabled for your instance.
gcloud
To verify if CMEK is enabled, and to see the key reference, view the
customerManagedKey field by running the following command:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Use customer-managed encryption keys (CMEK)\n\nThis page provides instructions for creating a Memorystore for Redis instance\nthat uses customer-managed encryption keys. It also provides instructions for\nmanaging instances that use CMEK. For more information about customer-managed\nencryption keys for Memorystore, see [Customer-managed encryption keys](/memorystore/docs/redis/cmek).\n| **Note:** You cannot enable CMEK on existing Memorystore for Redis instances.\n\nBefore you begin\n----------------\n\n1. Make sure you have the Redis Admin [role](/memorystore/docs/redis/access-control)\n on your user account.\n\n [Go to the IAM page](https://console.cloud.google.com/iam-admin/iam)\n\nWorkflow to create an instance that uses CMEK\n---------------------------------------------\n\n1. [Create a keyring](/kms/docs/creating-keys#create_a_key_ring) and\n [create a key](/kms/docs/creating-keys#create_a_key)\n in the location where you want the Memorystore instance to be.\n\n2. Copy or write down the key ID (KMS_KEY_ID), the location of the key, and the\n ID (KMS_KEYRING_ID) for the keyring. You need this information when granting\n the service account access to the key.\n\n3. [Grant the Memorystore service account access to the key](/memorystore/docs/redis/configure-cmek#granting_the_service_account_access_to_the_key).\n\n4. Go to a project and [create a Memorystore for Redis instance with CMEK enabled](#creating_a_memorystore_for_redis_instance_that_uses_cmek)\n in the same region as the keyring and key.\n\nYour Memorystore for Redis instance is now enabled with CMEK.\n\nCreating a key and keyring\n--------------------------\n\nFollow instructions to [create a keyring](/kms/docs/creating-keys#create_a_key_ring)\nand [create a key](/kms/docs/creating-keys#create_a_key). Both must be in the\nsame region as your Redis instance. The key can be from a different project, as\nlong as the key is in the same region. Also, the key must use the [symmetric encryption algorithn](/kms/docs/algorithms#symmetric_encryption_algorithms).\n\nGranting the service account access to the key\n----------------------------------------------\n\nIn order to create a Redis instance that uses CMEK first you must grant a\nspecific Memorystore service account access to the key. Grant\naccess to the Memorystore service account that uses the following\nformat:\n\n`service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com` \n\n### Console\n\nWhen using the console, you grant the service account access to the key as\npart of the steps for [creating a redis instance that uses CMEK](/memorystore/docs/redis/configure-cmek#creating_a_memorystore_for_redis_instance_that_uses_cmek).\n\n### gcloud\n\nTo grant the service account access to the key, run the following command\nreplacing \u003cvar translate=\"no\"\u003eVARIABLES\u003c/var\u003e with appropriate values: \n\n```\ngcloud kms keys add-iam-policy-binding [KMS_KEY_ID] \\\n--location=[REGION_ID] \\\n--keyring=[KMS_KEYRING_ID] \\\n--member=serviceAccount:service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com \\\n--role=roles/cloudkms.cryptoKeyEncrypterDecrypter\n```\n\nCreating a Memorystore for Redis instance that uses CMEK\n--------------------------------------------------------\n\n| **Note:** You can't enable customer-managed encryption keys on existing instances.\n\nTo create an instance with customer-managed encryption keys: \n\n### Console\n\n1. Begin by [having a keyring and key](/memorystore/docs/redis/configure-cmek#creating_a_key_and_keyring)\n in the same region where you want to create your Memorystore instance.\n\n2. Follow the instructions at [Creating a Redis instance on a VPC network](/memorystore/docs/redis/create-manage-instances#creating_a_redis_instance_on_a_vpc_network)\n until you reach the step for enabling a customer-managed encryption key,\n then return to these instructions.\n\n3. Select **Use a customer-managed encryption key (CMEK)**.\n\n4. Use the dropdown menu to select your key.\n\n5. If the Memorystore service account has not been granted the\n permissions it needs, a text box appears saying:\n\n `The service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com service\n account does not have the \"cloudkms.cryptoKeyEncrypterDecrypter\" role.\n Verify the service account has permission to encrypt/decrypt with the\n selected key.`\n - Click the **Grant** button to grant the role permission to the Memorystore service account.\n6. Finish selecting your desired configurations for your instance, and click\n the **Create** button to create your CMEK enabled Memorystore for Redis\n instance.\n\n### gcloud\n\nTo create an instance that uses customer-managed encryption keys enter the\nfollowing command, replacing \u003cvar translate=\"no\"\u003eVARIABLES\u003c/var\u003e with appropriate values: \n\n```\ngcloud redis instances create [INSTANCE_ID] \\\n--size=[SIZE] \\\n--region=[REGION_ID] \\\n--customer-managed-key=projects/[PROJECT_NAME]/locations/[REGION_ID]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]\n```\n\nViewing key information for a CMEK-enabled instance\n---------------------------------------------------\n\nFollow these instructions to see if CMEK is enabled for your instance, and to\nview the active key. \n\n### Console\n\n1. In the Google Cloud Console, go to the Memorystore for Redis Instances page.\n\n [Memorystore for Redis](https://console.cloud.google.com/memorystore/redis/instances?)\n2. View the *Instance details* page for your instance by clicking your\n *Instance ID*.\n\n3. Click the **Security** tab.\n\n4. The **Encryption with a customer managed key** section contains a link to the\n active key, and shows the key reference path. If this section does not appear,\n CMEK is not enabled for your instance.\n\n### gcloud\n\nTo verify if CMEK is enabled, and to see the key reference, view the\n`customerManagedKey` field by running the following command: \n\n```\ngcloud redis instances describe INSTANCE_ID \\\n--project=PROJECT \\\n--region=REGION\n```\n\nDisabling and re-enabling key versions\n--------------------------------------\n\nFor information about what happens when you disable, enable, destroy, or\nre-enable a key version, see [Behavior of destroying/disabling a CMEK key version](/memorystore/docs/redis/cmek#behavior_of_destroyingdisabling_a_cmek_key_version).\n\nFor instructions on how to disable and re-enable key versions, see [Enabling and disabling key versions](/kms/docs/enable-disable).\n\nFor instructions on how to disable and re-enable key versions, see [Destroying and restoring key versions](/kms/docs/destroy-restore).\n\nWhat's next\n-----------\n\n- Learn more about [Redis AUTH](/memorystore/docs/redis/auth-overview).\n- Learn more about [In-transit encryption](/memorystore/docs/redis/in-transit-encryption)."]]
