使用 Speech-to-Text API 移除密钥时,将创建不采用 CMEK 加密的新资源。现有资源仍使用之前加密的密钥进行加密。如果资源更新(使用 Update* 方法),则使用 Google 管理的默认加密重新加密。对于长时间运行的操作(如批量识别),如果处理过程尚未完成,则系统会使用 Google 管理的默认加密方法重新加密存储的操作。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-01。"],[],[],null,["# Encryption\n\nBy default, Speech-to-Text encrypts customer content at\nrest. Speech-to-Text handles encryption for you without any\nadditional actions on your part. This option is called *Google default encryption*.\n\nIf you want to control your encryption keys, then you can use customer-managed encryption keys\n(CMEKs) in [Cloud KMS](/kms/docs) with CMEK-integrated services including\nSpeech-to-Text. Using Cloud KMS keys gives you control over their protection\nlevel, location, rotation schedule, usage and access permissions, and cryptographic boundaries.\nUsing Cloud KMS also lets\nyou view audit logs and control key lifecycles.\n\nInstead of Google owning and managing the symmetric\n[key encryption keys (KEKs)](/kms/docs/envelope-encryption#key_encryption_keys) that protect your data, you control and\nmanage these keys in Cloud KMS.\n\nAfter you set up your resources with CMEKs, the experience of accessing your\nSpeech-to-Text resources is similar to using Google default encryption.\nFor more information about your encryption\noptions, see [Customer-managed encryption keys (CMEK)](/kms/docs/cmek).\n\n\nFor information about the specific benefits of using CMEK with Speech-to-Text\nresources, see [Understand CMEK for\nSpeech-to-Text resources](#understand-cmek-for-speech-resources).\n\nUnderstand CMEK for Speech-to-Text resources\n--------------------------------------------\n\nThe following conditions are true when a new key is set by using the\nSpeech-to-Text API:\n\n- Resources previously encrypted with the original key remain encrypted with that earlier key. If a resource is updated (using an `Update*` method), it is reencrypted with the new key.\n- Previously non-CMEK encrypted resources remain unencrypted. If a resource is updated (using an `Update*` method), it is then reencrypted with the new key. For long-running operations (like [batch recognition](/speech-to-text/v2/docs/batch-recognize)), if processing is ongoing and not finished, the stored operation is reencrypted with the new key.\n- Newly created resources are encrypted with the newly set key.\n\nWhen you remove a key by using the Speech-to-Text API, new resources\nare created without CMEK encryption. Existing resources remain encrypted\nwith the keys with which they were previously encrypted. If a resource is\nupdated (using an `Update*` method), it is reencrypted using the default\nencryption managed by Google. For long-running operations (like\n[batch recognition](/speech-to-text/v2/docs/batch-recognize)), if processing is ongoing and not\nfinished, the stored operation will be re-encrypted using the default encryption\nmanaged by Google.\n\nThe location of the Cloud KMS key used for encrypting\nSpeech-to-Text resources must match the Speech-to-Text\nendpoint used. For more information about Speech-to-Text locations, see\n[Speech-to-Text locations](/speech-to-text/v2/docs/locations). For more information about\nCloud KMS locations, see\n[Cloud KMS locations](/kms/docs/locations).\n\nCMEK-supported resources\n------------------------\n\nThe following are current Speech-to-Text resources covered by CMEK: \n\nWhat's next\n-----------\n\n- Learn [how to use encryption with\n Speech-to-Text](/speech-to-text/v2/docs/how-to-encryption)."]]