CMEK compliance in Vision API

By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google.

Vision API has two batch asynchronous annotation requests: AsyncBatchAnnotateImages and AsyncBatchAnnotateFiles. These methods store your data on disk internally during processing (see the Data Usage FAQ for more information). The rest of this topic describes CMEK compliance in Vision API, and how this temporary data is protected at rest. For more information about CMEK in general, see the Cloud Key Management Service documentation about CMEK.

How CMEK compliance works in Vision API

In Vision API, batch annotation request methods are either synchronous or asynchronous. Only the two asynchronous methods named above write your data to disk during processing, so the protection described in this section applies to them.

Before Vision API writes data to disk, the data is automatically encrypted using an ephemeral key called a data encryption key (DEK). A new DEK is generated for each asynchronous annotation request, so no two requests share a key.

The DEK itself is encrypted by another key, the key encryption key (KEK), a standard envelope-encryption layout in which only the wrapped DEK is stored alongside the data. The KEK is not accessible to Google engineers or support staff.

Once the DEK used for a request's temporary data is destroyed, that data is cryptographically unrecoverable, even if the encrypted bytes have not yet been deleted from disk.

Vision API writes the results of a batch annotation request to the Cloud Storage bucket you name in the request's outputConfig, and Cloud Storage itself supports CMEK. Set a default Cloud KMS key on both the input and output buckets so that the files you supply and the results Vision API writes back are protected by a key you control; without a default key, objects in those buckets fall back to Google-managed encryption.
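The following is an added example, not Vision API or Google Cloud code: a pre-flight check that refuses to build an AsyncBatchAnnotateFiles request body unless both the input and output buckets carry a usable default CMEK key. The bucket resources are constructed inline in the shape the Cloud Storage JSON API returns (name, location, encryption.defaultKmsKeyName); in practice you would fetch them with gcloud storage buckets describe or the storage client. The project, key ring and key names are placeholders, and the location check implements the regional-bucket rule (key location must equal the bucket location); dual-region buckets follow their own rule and are not handled here.

```python
"""Pre-flight CMEK check for a Vision AsyncBatchAnnotateFiles request (added example)."""
import re
from typing import Any, Dict, List, Tuple

# Cloud KMS CryptoKey resource-name format; the regex itself is ours.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


class CmekCheckError(ValueError):
    """The bucket would store data under Google-managed keys instead of your CMEK."""


def parse_kms_key(name: str) -> Dict[str, str]:
    """Split a CryptoKey resource name into its components, or raise."""
    match = KMS_KEY_RE.match(name or "")
    if not match:
        raise CmekCheckError(f"not a Cloud KMS CryptoKey resource name: {name!r}")
    return match.groupdict()


def check_bucket_cmek(bucket: Dict[str, Any]) -> Dict[str, str]:
    """Return the parsed default key of a bucket resource, raising if it is unusable.

    Two failure modes matter: no default key at all (new objects silently fall back
    to Google-managed encryption) and a key in the wrong location, which Cloud
    Storage rejects when Vision API tries to write the results.
    """
    name = bucket.get("name", "<unnamed>")
    key_name = (bucket.get("encryption") or {}).get("defaultKmsKeyName")
    if not key_name:
        raise CmekCheckError(f"bucket {name}: no default CMEK key configured")
    key = parse_kms_key(key_name)
    bucket_location = str(bucket.get("location", "")).lower()
    if key["location"].lower() != bucket_location:
        raise CmekCheckError(
            f"bucket {name}: key location {key['location']!r} "
            f"does not match bucket location {bucket_location!r}"
        )
    return key


def audit_buckets(buckets: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (bucket, reason) for every bucket that fails the CMEK check."""
    findings = []
    for name, resource in sorted(buckets.items()):
        try:
            check_bucket_cmek(resource)
        except CmekCheckError as exc:
            findings.append((name, str(exc)))
    return findings


def bucket_of(gcs_uri: str) -> str:
    """Extract the bucket name from a gs:// URI."""
    if not gcs_uri.startswith("gs://"):
        raise ValueError(f"not a gs:// URI: {gcs_uri!r}")
    return gcs_uri[len("gs://"):].split("/", 1)[0]


def build_async_files_request(input_uri: str, output_uri: str,
                              mime_type: str = "application/pdf",
                              batch_size: int = 2) -> Dict[str, Any]:
    """Body for POST https://vision.googleapis.com/v1/files:asyncBatchAnnotate.

    gcsDestination.uri is a prefix; end it with "/" so results land under that
    path instead of as files whose names start with the prefix string.
    """
    return {
        "requests": [{
            "inputConfig": {"gcsSource": {"uri": input_uri}, "mimeType": mime_type},
            "features": [{"type": "DOCUMENT_TEXT_DETECTION"}],
            "outputConfig": {"gcsDestination": {"uri": output_uri}, "batchSize": batch_size},
        }]
    }


def prepare_request(input_uri: str, output_uri: str,
                    buckets: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Build the request only if both buckets carry a usable default CMEK key."""
    for uri in (input_uri, output_uri):
        check_bucket_cmek(buckets[bucket_of(uri)])
    return build_async_files_request(input_uri, output_uri)


# Constructed bucket resources for the example; project and key names are placeholders.
GOOD_KEY = "projects/example-proj/locations/us-central1/keyRings/vision/cryptoKeys/buckets"
SAMPLE_BUCKETS = {
    "vision-in": {"name": "vision-in", "location": "US-CENTRAL1",
                  "encryption": {"defaultKmsKeyName": GOOD_KEY}},
    "vision-out": {"name": "vision-out", "location": "US-CENTRAL1",
                   "encryption": {"defaultKmsKeyName": GOOD_KEY}},
    "vision-legacy": {"name": "vision-legacy", "location": "US-CENTRAL1"},  # no key
    "vision-eu": {"name": "vision-eu", "location": "EUROPE-WEST1",          # wrong region
                  "encryption": {"defaultKmsKeyName": GOOD_KEY}},
}

if __name__ == "__main__":
    for name, reason in audit_buckets(SAMPLE_BUCKETS):
        print(f"FAIL {name}: {reason}")
    print(prepare_request("gs://vision-in/contract.pdf", "gs://vision-out/results/",
                          SAMPLE_BUCKETS))
```

Run the audit over every bucket a pipeline touches before the first asynchronous request, and treat a finding as a deployment blocker rather than a warning: a bucket without a default key still accepts writes, so the failure is silent unless something checks for it.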

For more information about data usage in Vision API, see the Data Usage FAQ.

What's next?