Vision API memiliki dua permintaan anotasi asinkron batch:
AsyncBatchAnnotateImages dan
AsyncBatchAnnotateFiles. Metode ini menyimpan
data Anda di disk secara internal selama pemrosesan (lihat
FAQ Penggunaan Data untuk informasi lebih lanjut). Bagian lain dari topik ini
menjelaskan kepatuhan CMEK di Vision API, dan bagaimana data
sementara ini dilindungi dalam penyimpanan. Untuk informasi selengkapnya tentang CMEK secara umum, lihat
dokumentasi Cloud Key Management Service tentang CMEK.
Cara kerja kepatuhan CMEK di Vision API
Di Vision API, metode permintaan anotasi batch bersifat
sinkron atau asinkron.
Metode sinkron Vision API tidak mempertahankan data ke disk, sehingga
secara otomatis mematuhi CMEK, tanpa memerlukan konfigurasi:
Metode asinkron Vision API mempertahankan data ke disk untuk sementara
(lihat FAQ Penggunaan Data). Metode ini otomatis
sesuai dengan CMEK, tanpa perlu konfigurasi:
Sebelum Vision API menulis data ke disk, data otomatis
dienkripsi menggunakan kunci ephemeral yang disebut kunci enkripsi data (DEK). DEK
baru otomatis dibuat untuk setiap permintaan anotasi asinkron.
DEK itu sendiri dienkripsi oleh kunci lain yang disebut kunci enkripsi kunci (KEK).
KEK tidak dapat diakses oleh engineer atau staf dukungan Google.
Saat kunci ephemeral (DEK) yang digunakan untuk mengenkripsi
data sementara dihancurkan, data sementara tidak dapat lagi
diakses, meskipun data belum dihapus.
Vision API menulis hasil permintaan anotasi batch ke bucket Cloud
Storage Anda, yang juga memiliki dukungan untuk CMEK. Disarankan
untuk menyiapkan kunci enkripsi default pada bucket input dan output
Anda.
Untuk informasi selengkapnya tentang penggunaan data di Vision API, lihat
FAQ Penggunaan Data.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-02 UTC."],[],[],null,["# CMEK compliance in Vision API\n\nBy default, Google Cloud automatically [encrypts data when it is at\nrest](/security/encryption/default-encryption) using encryption keys\nmanaged by Google.\n\nVision API has two batch asynchronous annotation requests:\n[AsyncBatchAnnotateImages](/vision/docs/reference/rpc/google.cloud.vision.v1#google.cloud.vision.v1.ImageAnnotator.AsyncBatchAnnotateImages) and\n[AsyncBatchAnnotateFiles](/vision/docs/reference/rpc/google.cloud.vision.v1#google.cloud.vision.v1.ImageAnnotator.AsyncBatchAnnotateFiles). These methods store\nyour data on disk internally during processing (see the\n[Data Usage FAQ](/vision/docs/data-usage) for more information). The rest of this topic\ndescribes CMEK compliance in Vision API, and how this temporary\ndata is protected at rest. For more information about CMEK in general, see the\n[Cloud Key Management Service documentation about CMEK](/kms/docs/cmek).\n\nHow CMEK compliance works in Vision API\n---------------------------------------\n\nIn Vision API, batch annotation request methods are either\nsynchronous or asynchronous.\n\n- Synchronous Vision API methods don't persist data to disk and thus are\n automatically CMEK-compliant, with no configuration required:\n\n - [BatchAnnotateImages](/vision/docs/reference/rpc/google.cloud.vision.v1#google.cloud.vision.v1.ImageAnnotator.BatchAnnotateImages)\n - [BatchAnnotateFiles](/vision/docs/reference/rpc/google.cloud.vision.v1#google.cloud.vision.v1.ImageAnnotator.BatchAnnotateFiles)\n- Asynchronous Vision API methods do persist data to disk temporarily\n (see [Data Usage FAQ](/vision/docs/data-usage)). These methods are automatically\n CMEK-compliant, with no configuration required:\n\n - [AsyncBatchAnnotateImages](/vision/docs/reference/rpc/google.cloud.vision.v1#google.cloud.vision.v1.ImageAnnotator.AsyncBatchAnnotateImages)\n - [AsyncBatchAnnotateFiles](/vision/docs/reference/rpc/google.cloud.vision.v1#google.cloud.vision.v1.ImageAnnotator.AsyncBatchAnnotateFiles)\n\nBefore Vision API writes data to disk, the data is automatically\nencrypted using an ephemeral key called a data-encryption key (DEK). A\nnew DEK is automatically generated for each asynchronous annotation request.\n\nThe DEK itself is encrypted by another key called the key encryption key (KEK).\nThe KEK is not accessible to Google engineers or support staff.\n\nWhen the ephemeral key (DEK) that was used to encrypt\nits temporary data is destroyed, the temporary data can no longer be\naccessed, even if the data hasn't been deleted yet.\n\nVision API writes the results of a batch annotation request to your\nCloud Storage bucket, which also has support for CMEK. It is recommended\nto set up a [default encryption key](/storage/docs/encryption/using-customer-managed-keys#using_default_encryption_keys) on your input and output\nbuckets.\n| **Note:** CMEK keys are not supported for [Product Search](/vision/product-search/docs).\n\nFor more information about data usage in Vision API, see the\n[Data Usage FAQ](/vision/docs/data-usage).\n\nWhat's next?\n------------\n\n- Learn more about [Batch annotation requests](/vision/docs/batch)\n- Learn more about [CMEK](/kms/docs/cmek)\n- Learn more about [Cloud KMS](/kms/docs)"]]
