Encrypt data with customer-managed encryption keys
By default, Dataproc Metastore encrypts customer content at rest. Dataproc Metastore handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Dataproc Metastore. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Dataproc Metastore resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Before you begin
Considerations
Consider the following points when using Dataproc Metastore with CMEK.
Warning: Disabling or destroying the CMEK for a CMEK-enabled Dataproc Metastore service makes the service unusable and unrecoverable.
The Cloud Monitoring database doesn't support CMEK encryption. Instead, Google Cloud uses Google encryption keys to protect the names and service configurations of your Dataproc Metastore services.
If you want your Dataproc Metastore service to run inside a VPC Service Controls perimeter, you must add the Cloud Key Management Service (Cloud KMS) API to the perimeter.
When you use a Cloud External Key Manager key, Google has no control over the availability of your externally managed key. If the key becomes unavailable during the Dataproc Metastore service creation period, the service creation fails. After a Dataproc Metastore service is created, if the key becomes unavailable, the service becomes unavailable until the key becomes available again. For more considerations when using external keys, see Cloud EKM Considerations.
Limitations
Consider the following limitations when using Dataproc Metastore with CMEK.
You can't enable CMEK on an existing service.
You can't rotate CMEKs used by a CMEK-enabled service.
You can't use CMEKs to encrypt user data in transit, such as user queries and responses.
Configure CMEK for Dataproc Metastore
If you don't already have a Cloud KMS key, you can create one for your Dataproc Metastore service. Otherwise, you can skip this step and use an existing key.
Optional: Create a new Cloud KMS key
To create a Cloud KMS key, you first create a key ring and then create a key that's stored inside the key ring.
To create a key ring
To create a key ring, run the following gcloud kms keyrings create command.
gcloud kms keyrings create KEY_RING \
    --project=PROJECT_ID \
    --location=LOCATION
Replace the following:
KEY_RING: a name for your key ring.
PROJECT_ID: the ID of the Google Cloud project that you want to create the key ring in.
LOCATION: the region that you want to create the key ring in.
To create a key
To create a key that's stored inside your key ring, run the following gcloud kms keys create command.
gcloud kms keys create KEY_NAME \
    --project=PROJECT_ID \
    --location=LOCATION \
    --keyring=KEY_RING \
    --purpose=encryption
Replace the following:
KEY_NAME: the name of the key.
KEY_RING: the name of the key ring that you created in the preceding step.
Grant Cloud KMS key permissions
Use the following commands to grant Cloud KMS key permissions for Dataproc Metastore:
Grant permissions to the Dataproc Metastore Service Agent service account:
gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location LOCATION \
    --keyring KEY_RING \
    --member=serviceAccount:$(gcloud beta services identity create \
        --service=metastore.googleapis.com 2>&1 | awk '{print $4}') \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Grant permissions to the Cloud Storage service account:
gcloud storage service-agent --authorize-cmek \
    projects/KEY_PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME
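Before creating the service, it is worth confirming that both grants above actually landed on the key. The following Python check is an added example, not part of this page or of Google's tooling: it parses the key resource ID that --encryption-kms-key expects and inspects an IAM policy as returned by gcloud kms keys get-iam-policy --format=json. The policy document, project number and service agent e-mail addresses below are constructed sample values.

```python
"""Preflight check for the two Cloud KMS grants a CMEK-enabled Dataproc Metastore service needs."""
import json
import re

# Role both service agents must hold on the key (matches the grant commands above).
REQUIRED_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Shape of a CryptoKey resource ID: projects/P/locations/L/keyRings/R/cryptoKeys/K
KEY_RE = re.compile(
    r"^projects/(?P<project>[a-z][-a-z0-9]*)/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[A-Za-z0-9_-]+)/cryptoKeys/(?P<key>[A-Za-z0-9_-]+)$"
)


def parse_kms_key(resource_id: str) -> dict:
    """Split a key resource ID into its parts, rejecting anything that is not a CryptoKey."""
    m = KEY_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a Cloud KMS CryptoKey resource ID: {resource_id!r}")
    return m.groupdict()


def missing_grants(policy_json: str, service_agents: list) -> list:
    """Return the service agents that lack an unconditional REQUIRED_ROLE binding.

    policy_json is the JSON output of `gcloud kms keys get-iam-policy`. Bindings
    carrying an IAM condition are deliberately not counted, since they may not apply.
    """
    policy = json.loads(policy_json)
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == REQUIRED_ROLE and not binding.get("condition"):
            granted.update(binding.get("members", []))
    return [sa for sa in service_agents if f"serviceAccount:{sa}" not in granted]


# Constructed sample: only the Dataproc Metastore agent has been granted so far.
# The agent addresses and project number are placeholders, not values from this page.
SAMPLE_AGENTS = [
    "service-123456789012@gcp-sa-metastore.iam.gserviceaccount.com",
    "service-123456789012@gs-project-accounts.iam.gserviceaccount.com",
]
SAMPLE_POLICY = json.dumps({
    "bindings": [{
        "role": REQUIRED_ROLE,
        "members": ["serviceAccount:" + SAMPLE_AGENTS[0]],
    }],
    "etag": "BwXconstructed=",
    "version": 1,
})

if __name__ == "__main__":
    print(parse_kms_key("projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key"))
    print("still missing:", missing_grants(SAMPLE_POLICY, SAMPLE_AGENTS))
```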
Create a single-region service with a CMEK key
Use the following steps to configure CMEK encryption for a single-region Dataproc Metastore service.
Console
In the Google Cloud console, go to the Dataproc Metastore page:
At the top of the Dataproc Metastore page, click Create.
The Create service page opens.
Configure your service as needed.
Under Encryption, click Customer-managed encryption key (CMEK).
Select the customer-managed key.
Click Submit.
Verify the service's encryption configuration:
In the Google Cloud console, go to the Dataproc Metastore page:
On the Dataproc Metastore page, click the name of the service you'd like to view.
The Service detail page opens.
Under the Configuration tab, verify that the details show CMEK is enabled.
gcloud
To create a single-region service with CMEK encryption, run the following gcloud metastore services create command:
gcloud metastore services create SERVICE \
    --encryption-kms-key=KMS_KEY
Replace the following:
SERVICE: the name of the new service.
KMS_KEY: the key resource ID.
Import and export data from and to a CMEK-enabled service
If you want your data to remain encrypted with a customer-managed key during an import, you must set CMEK on the Cloud Storage bucket before importing data from it.
You can import from a non-CMEK-protected Cloud Storage bucket. After importing, the data stored in Dataproc Metastore is protected according to the destination service's CMEK settings.
When exporting, the exported database dump is protected according to the destination storage bucket's CMEK settings.
What's next
Last updated 2026-02-19 UTC.