Use Cloud KMS keys in Google Cloud
This page explains how to use Cloud KMS customer-managed encryptionkeys in other Google Cloud services to secure your resources. For moreinformation, seeCustomer-managed encryption keys (CMEK).
When a service supports CMEK, it's said to have aCMEK integration. Some services, such as GKE, have multipleCMEK integrations for protecting different types of data related to the service.For a list of services with CMEK integrations, seeEnable CMEK for supportedservices on this page.
Before you begin
Before you can use Cloud KMS keys in other Google Cloud services,you must have a project resource to contain your Cloud KMS keys. Werecommend using a separate project for your Cloud KMS resources thatdoes not contain any other Google Cloud resources.
CMEK integrations
Prepare to enable CMEK integration
For the exact steps to enable CMEK, see the documentation for the relevantGoogle Cloud service. You can find a link to the CMEK documentation foreach service inEnable CMEK for supported services onthis page. For each service, you can expect to follow steps similar to thefollowing:
Create a key ring or select an existing keyring. The key ring should be located as geographically near as possible tothe resources you want to secure.
In the selected key ring,create a key or selectan existing key. Ensure that the protection level, purpose, and algorithmfor the key are appropriate for the resources you want to protect. This keyis the CMEK key.
Get the resource ID for the CMEKkey.You need this resource ID later.
Grant theCryptoKey Encrypter/Decrypter IAMrole(
Note: You can grant the Cloud KMS CryptoKey Encrypter/Decrypterrole at the key, key ring, project, folder, or organization level. To followthe principle of least privilege, we recommend granting this role at thelowest level that meets your needs.Caution: As long as your service account has the Cloud KMSCryptoKey Encrypter/Decrypter role, the service can encrypt and decrypt itsdata. If you revoke the role or if you disable or destroy the CMEK key, thedata can no longer be accessed. Leaving your CMEK key inaccessible canaffect your services.roles/cloudkms.cryptoKeyEncrypterDecrypter) on the CMEK key to theservice account for the service.
After you have created the key and assigned the required permissions, you cancreate or configure a service to use your CMEK key.
Note: Some services only let you configure CMEK keys at the time the resource iscreated. Other services let you enable and disable CMEK keys on existingresources.Use Cloud KMS keys with CMEK-integrated services
The following steps use Secret Manager as an example. For the exactsteps to use a Cloud KMS CMEK key in a given service, locate thatservice in thelist of CMEK-integrated services.
In Secret Manager, you can use a CMEK to protect data at rest.
In the Google Cloud console, go to theSecret Manager page.
To create a secret, clickCreate Secret.
In theEncryption section, selectUse a customer-managed encryptionkey (CMEK).
In theEncryption key box do the following:
Optional: To use a key in another project, do the following:
- ClickSwitch project.
- Enter all or part of the project name in the search bar, then selectthe project.
- To view available keys for the selected project, clickSelect.
Optional: To filter available keys by location, key ring, name, orprotection level, enter search terms in the filter bar.
Select a key from the list of available keys in the selected project.You can use the displayed location, key ring, and protection leveldetails to be sure you choose the correct key.
If the key you want to use is not shown in the list, then clickEnterkey manually and enter theresource ID of thekey
Finish configuring your secret, and then clickCreate secret.Secret Manager creates the secret and encrypts it using thespecified CMEK key.
Enable CMEK for supported services
To enable CMEK, first locate the desired service in the following table. You canenter search terms in the field to filter the table.All services in this list support software and hardware (HSM) keys.Products that integrate with Cloud KMS when using externalCloud EKM keys are indicated in theEKM supportedcolumn.
Follow the instructions for each service you want to enable CMEK keys for.
| Service | Protected with CMEK | EKM supported | Topic |
|---|---|---|---|
| Agent Assist | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| AlloyDB for PostgreSQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Anti Money Laundering AI | Data in AML AI instance resources | No | Encrypt data using customer-managed encryption keys (CMEK) |
| Apigee | Data at rest | No | Introduction to CMEK |
| Apigee API hub | Data at rest | Yes | Encryption |
| Application Integration | Data at rest | Yes | Using customer-managed encryption keys |
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| Backup and DR Service | Backup Vault Container | Yes | Managing Backup Vault encryption |
| Backup and DR Service | Backups at rest | Yes | Managing backup encryption |
| Backup for GKE | Data in Backup for GKE | Yes | About Backup for GKE CMEK encryption |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Bigtable | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Cloud Composer | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Data Fusion | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Healthcare API | Cloud Healthcare API datasets | Yes | Use customer-managed encryption keys (CMEK) |
| Cloud Logging | Data in the Log Router | Yes | Manage the keys that protect Log Router data |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud Run | Container image | Yes | Using customer-managed encryption keys with Cloud Run |
| Cloud Run functions | Data in Cloud Run functions | Yes | Using customer-managed encryption keys |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Cloud Tasks | Task body and header at rest | Yes | Use customer-managed encryption keys |
| Cloud TPU | Persistent disks | No | Encrypt a TPU VM boot disk with a customer-managed encryption key (CMEK) |
| Cloud Workstations | Data on VM disks | Yes | Encrypt workstation resources |
| Colab Enterprise | Runtimes and notebook files | No | Use customer-managed encryption keys |
| Compute Engine | Persistent disks | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Customer Experience Insights | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | MySQL migrations - data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL migrations - Data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL to AlloyDB migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Homogeneous Migrations | SQL Server migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Heterogeneous Migrations | Oracle to PostgreSQL data at rest | Yes | Use customer-managed encryption keys (CMEK) for continuous migrations |
| Dataflow | Pipeline state data | Yes | Using customer-managed encryption keys |
| Dataform | Data in repositories | Yes | Use customer-managed encryption keys |
| Dataplex Universal Catalog | Data at rest | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc clusters data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc serverless data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc Metastore | Data at rest | Yes | Using customer-managed encryption keys |
| Datastream | Data in transit | Yes | Using customer-managed encryption keys (CMEK) |
| Dialogflow CX | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Document AI | Data at rest and data in use | Yes | Customer-managed encryption keys (CMEK) |
| Eventarc Advanced (Preview) | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Eventarc Standard | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Filestore | Data at rest | Yes | Encrypt data with customer-managed encryption keys |
| Firestore | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Gemini Code Assist | Data at rest | No | Encrypt data with customer-managed encryption keys |
| Gemini Enterprise - NotebookLM Enterprise | Data at rest | No | Customer-managed encryption keys |
| Gemini Enterprise Enterprise | Data at rest | No | Customer-managed encryption keys |
| Google Cloud Managed Lustre | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Google Cloud Managed Service for Apache Kafka | Data associated with topics | Yes | Configure message encryption |
| Google Cloud NetApp Volumes | Data at rest | Yes | Create a CMEK policy |
| Google Distributed Cloud | Data on Edge nodes | Yes | Local storage security |
| Google Kubernetes Engine | Data on VM disks | Yes | Using customer-managed encryption keys (CMEK) |
| Google Kubernetes Engine | Application-layer secrets | Yes | Application-layer Secrets encryption |
| Integration Connectors | Data at rest | Yes | Encryption methods |
| Looker (Google Cloud core) | Data at rest | Yes | Enable CMEK for Looker (Google Cloud core) |
| Memorystore for Redis | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Memorystore for Redis Cluster | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Memorystore for Valkey | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Migrate to Virtual Machines | Data migrated from VMware, AWS, and Azure VM sources | Yes | Use CMEK to encrypt data stored during a migration |
| Migrate to Virtual Machines | Data migrated from disk and machine image sources | Yes | Use CMEK to encrypt data on target disks and machine images |
| Parameter Manager | Parameter version payloads | Yes | Enable customer-managed encryption keys for Parameter Manager |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
| Secret Manager | Secret payloads | Yes | Enable Customer-Managed Encryption Keys for Secret Manager |
| Secure Source Manager | Instances | Yes | Encrypt data with customer-managed encryption keys |
| Security Command Center | Data at rest | Yes | Enable CMEK for Security Command Center |
| Spanner | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Speaker ID (Restricted GA) | Data at rest | Yes | Using customer-managed encryption keys |
| Speech-to-Text | Data at rest | Yes | Using customer-managed encryption keys |
| Vertex AI | Data associated with resources | Yes | Using customer-managed encryption keys |
| Vertex AI Search | Data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench managed notebooks (Deprecated) | User data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench user-managed notebooks (Deprecated) | Data on VM disks | No | Customer-managed encryption keys |
| Vertex AI Workbench instances | Data on VM disks | Yes | Customer-managed encryption keys |
| Workflows | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Workload Manager | Custom rule type evaluation data | Yes | Enable customer-managed encryption keys for evaluations |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.