By default, Speech-to-Text encrypts customer content at
rest. Speech-to-Text handles encryption for you without any
additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys
(CMEKs) in Cloud KMS with CMEK-integrated services including
Speech-to-Text. Using Cloud KMS keys gives you control over their protection
level, location, rotation schedule, usage and access permissions, and cryptographic boundaries.
Using Cloud KMS also lets
you view audit logs and control key lifecycles.
Instead of Google owning and managing the symmetric
key encryption keys (KEKs) that protect your data, you control and
manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your
Speech-to-Text resources is similar to using Google default encryption.
For more information about your encryption
options, see Customer-managed encryption keys (CMEK).
Understand CMEK for Speech-to-Text resources
The following conditions are true when a new key is set by using the
Speech-to-Text API:
- Resources previously encrypted with the original key remain encrypted with
  that earlier key. If a resource is updated (using an Update* method), it
  is reencrypted with the new key.
- Previously non-CMEK encrypted resources remain unencrypted. If a resource is
  updated (using an Update* method), it is then reencrypted with the new
  key. For long-running operations (like batch recognition),
  if processing is ongoing and not finished, the stored operation is
  reencrypted with the new key.
- Newly created resources are encrypted with the newly set key.
When you remove a key by using the Speech-to-Text API, new resources
are created without CMEK encryption. Existing resources remain encrypted
with the keys with which they were previously encrypted. If a resource is
updated (using an Update* method), it is reencrypted using the default
encryption managed by Google. For long-running operations (like
batch recognition), if processing is ongoing and not
finished, the stored operation will be re-encrypted using the default encryption
managed by Google.
The location of the Cloud KMS key used for encrypting
Speech-to-Text resources must match the Speech-to-Text
endpoint used. For more information about Speech-to-Text locations, see
Speech-to-Text locations. For more information about
Cloud KMS locations, see
Cloud KMS locations.
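The set, remove, and update rules above, together with the location-match requirement, modeled as an added example (not Google's code and not the Speech-to-Text API). The class, method names, and key names are hypothetical, and the model covers resources only, not stored long-running operations. It shows why changing the key does not by itself move existing resources off the old key.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Cloud KMS key resource name; group 1 is the key's location.
KEY_RE = re.compile(
    r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")

def key_location(key_name: str) -> str:
    m = KEY_RE.match(key_name)
    if m is None:
        raise ValueError(f"not a Cloud KMS key name: {key_name!r}")
    return m.group(1)

@dataclass
class SttLocationModel:
    """Hypothetical model of one project's resources in one Speech-to-Text location."""
    location: str
    config_key: Optional[str] = None  # None = Google default encryption
    resources: Dict[str, Optional[str]] = field(default_factory=dict)

    def set_key(self, key_name: Optional[str]) -> None:
        """Set (or, with None, remove) the key; existing resources are untouched."""
        if key_name is not None and key_location(key_name) != self.location:
            raise ValueError("KMS key location must match the Speech-to-Text location")
        self.config_key = key_name

    def create(self, name: str) -> None:
        self.resources[name] = self.config_key  # new resources use the current setting

    def update(self, name: str) -> None:
        if name not in self.resources:
            raise KeyError(name)
        self.resources[name] = self.config_key  # Update* reencrypts with the current setting

    def still_on(self, key_name: Optional[str]) -> List[str]:
        """Resources whose data is still protected by key_name."""
        return sorted(n for n, k in self.resources.items() if k == key_name)

# Constructed sample key names (placeholders, not real keys).
OLD_KEY = "projects/example-project/locations/us-central1/keyRings/stt/cryptoKeys/old"
NEW_KEY = "projects/example-project/locations/us-central1/keyRings/stt/cryptoKeys/new"

if __name__ == "__main__":
    m = SttLocationModel("us-central1")
    m.set_key(OLD_KEY); m.create("recognizer-a")
    m.set_key(NEW_KEY); m.create("recognizer-b")
    print(m.still_on(OLD_KEY))  # recognizer-a stays on the old key until updated
    m.update("recognizer-a")
    print(m.still_on(OLD_KEY))
```

Anything `still_on` lists for a key still depends on that key, so the key has to stay enabled until those resources have been updated.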
CMEK-supported resources
The following are current Speech-to-Text resources covered by CMEK:
Last updated 2025-08-28 UTC.