Compatible services
This page provides a list of Google Cloud services that offer integrations withCloud KMS. These services generally fall under one of the followingcategories:
ACustomer-managed encryption key (CMEK) integrationallows you to encrypt the data at rest in that service using aCloud KMS key that you own and manage. Data protected with aCMEK key cannot be decrypted without access to that key.
ACMEK-compliant service either does not store data, oronly stores data for a short period of time, such as during batch processing.Such data is encrypted using an ephemeral key that only exists in memory andis never written to disk. When the data is no longer needed, the ephemeral keyis flushed from memory, and the data can't ever be accessed again. The outputof a CMEK-compliant service might be stored in a service that is integratedwith CMEK, such as Cloud Storage.
Your applications canuse Cloud KMS in other ways. Forexample, you can directly encrypt application data before transmitting orstoring it.
To learn more about how data in Google Cloud is protected at rest andhow customer-managed encryption keys (CMEK) work, seeCustomer-managed encryption keys (CMEK).
CMEK integrations
The following table lists services that integrate with Cloud KMS.All services in this list support software and hardware (HSM) keys.Products that integrate with Cloud KMS when using externalCloud EKM keys are indicated underEKM supported.
| Service | Protected with CMEK | EKM supported | Topic |
|---|---|---|---|
| Agent Assist | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| AlloyDB for PostgreSQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Anti Money Laundering AI | Data in AML AI instance resources | No | Encrypt data using customer-managed encryption keys (CMEK) |
| Apigee | Data at rest | No | Introduction to CMEK |
| Apigee API hub | Data at rest | Yes | Encryption |
| Application Integration | Data at rest | Yes | Using customer-managed encryption keys |
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| Backup and DR Service | Backup Vault Container | Yes | Managing Backup Vault encryption |
| Backup and DR Service | Backups at rest | Yes | Managing backup encryption |
| Backup for GKE | Data in Backup for GKE | Yes | About Backup for GKE CMEK encryption |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Bigtable | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Cloud Composer | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Data Fusion | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Healthcare API | Cloud Healthcare API datasets | Yes | Use customer-managed encryption keys (CMEK) |
| Cloud Logging | Data in the Log Router | Yes | Manage the keys that protect Log Router data |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud Run | Container image | Yes | Using customer-managed encryption keys with Cloud Run |
| Cloud Run functions | Data in Cloud Run functions | Yes | Using customer-managed encryption keys |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Cloud Tasks | Task body and header at rest | Yes | Use customer-managed encryption keys |
| Cloud TPU | Persistent disks | No | Encrypt a TPU VM boot disk with a customer-managed encryption key (CMEK) |
| Cloud Workstations | Data on VM disks | Yes | Encrypt workstation resources |
| Colab Enterprise | Runtimes and notebook files | No | Use customer-managed encryption keys |
| Compute Engine | Persistent disks | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Customer Experience Insights | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | MySQL migrations - data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL migrations - Data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL to AlloyDB migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Homogeneous Migrations | SQL Server migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Heterogeneous Migrations | Oracle to PostgreSQL data at rest | Yes | Use customer-managed encryption keys (CMEK) for continuous migrations |
| Dataflow | Pipeline state data | Yes | Using customer-managed encryption keys |
| Dataform | Data in repositories | Yes | Use customer-managed encryption keys |
| Dataplex Universal Catalog | Data at rest | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc clusters data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc serverless data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc Metastore | Data at rest | Yes | Using customer-managed encryption keys |
| Datastream | Data in transit | Yes | Using customer-managed encryption keys (CMEK) |
| Dialogflow CX | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Document AI | Data at rest and data in use | Yes | Customer-managed encryption keys (CMEK) |
| Eventarc Advanced (Preview) | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Eventarc Standard | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Filestore | Data at rest | Yes | Encrypt data with customer-managed encryption keys |
| Firestore | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Gemini Code Assist | Data at rest | No | Encrypt data with customer-managed encryption keys |
| Gemini Enterprise - NotebookLM Enterprise | Data at rest | No | Customer-managed encryption keys |
| Gemini Enterprise Enterprise | Data at rest | No | Customer-managed encryption keys |
| Google Cloud Managed Lustre | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Google Cloud Managed Service for Apache Kafka | Data associated with topics | Yes | Configure message encryption |
| Google Cloud NetApp Volumes | Data at rest | Yes | Create a CMEK policy |
| Google Distributed Cloud | Data on Edge nodes | Yes | Local storage security |
| Google Kubernetes Engine | Data on VM disks | Yes | Using customer-managed encryption keys (CMEK) |
| Google Kubernetes Engine | Application-layer secrets | Yes | Application-layer Secrets encryption |
| Integration Connectors | Data at rest | Yes | Encryption methods |
| Looker (Google Cloud core) | Data at rest | Yes | Enable CMEK for Looker (Google Cloud core) |
| Memorystore for Redis | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Memorystore for Redis Cluster | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Memorystore for Valkey | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Migrate to Virtual Machines | Data migrated from VMware, AWS, and Azure VM sources | Yes | Use CMEK to encrypt data stored during a migration |
| Migrate to Virtual Machines | Data migrated from disk and machine image sources | Yes | Use CMEK to encrypt data on target disks and machine images |
| Parameter Manager | Parameter version payloads | Yes | Enable customer-managed encryption keys for Parameter Manager |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
| Secret Manager | Secret payloads | Yes | Enable Customer-Managed Encryption Keys for Secret Manager |
| Secure Source Manager | Instances | Yes | Encrypt data with customer-managed encryption keys |
| Security Command Center | Data at rest | Yes | Enable CMEK for Security Command Center |
| Spanner | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Speaker ID (Restricted GA) | Data at rest | Yes | Using customer-managed encryption keys |
| Speech-to-Text | Data at rest | Yes | Using customer-managed encryption keys |
| Vertex AI | Data associated with resources | Yes | Using customer-managed encryption keys |
| Vertex AI Search | Data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench managed notebooks (Deprecated) | User data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench user-managed notebooks (Deprecated) | Data on VM disks | No | Customer-managed encryption keys |
| Vertex AI Workbench instances | Data on VM disks | Yes | Customer-managed encryption keys |
| Workflows | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Workload Manager | Custom rule type evaluation data | Yes | Enable customer-managed encryption keys for evaluations |
CMEK-compliant services
The following table lists services that do not use customer-managed encryptionkeys (CMEKs) because they do not store data long term. For more information onwhy these services are considered CMEK compliant, seeCMEK compliance.
| Service | Topic |
|---|---|
| API Gateway | CMEK compliance in API Gateway |
| Cloud Build | CMEK compliance in Cloud Build |
| Container Registry | Using a storage bucket protected with CMEK |
| Cloud Vision | CMEK compliance in Vision API |
| Storage Transfer Service | Customer-managed encryption keys |
Other integrations with Cloud KMS
These pages discuss other ways to use Cloud KMS with otherGoogle Cloud services.
| Product | Topic |
|---|---|
| Any service | Encrypt application data before transmitting or storing it |
| Cloud Build | Encrypt resources before adding them to a build |
| Sensitive Data Protection | Create a wrapped key |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.