Use customer-managed encryption keys (CMEK)
By using customer-managed encryption keys (CMEK), you have control over your keys. This gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud Key Management Service (KMS).
Note: You can use CMEK on new Memorystore for Redis deployments only. You can't enable CMEK on existing Memorystore for Redis instances. Also, for more information about CMEK for Memorystore for Redis, see About customer-managed encryption keys (CMEK).
If your instance uses CMEK and the Cloud Key Management Service API is unavailable because of an outage, then when you reconnect to your instance, you might need to use a different IP address.
Before you begin
Make sure that you have the Redis Admin role on your user account.
Workflow to create an instance that uses CMEK
1. Create a key ring and key in the location where you want the Memorystore for Redis instance to be.
2. Copy or write down the key name (KEY_NAME), the location of the key, and the name of the key ring (KEY_RING). You need this information when granting the service account access to the key.
3. Grant the Memorystore for Redis service account access to the key.
4. Go to a project and create a Memorystore for Redis instance with CMEK enabled in the same region as the key ring and key.
Your Memorystore for Redis instance is now enabled with CMEK.
Create a key ring and key
Create a key ring and key. Both must be in the same region as your Memorystore for Redis instance. The key can be from a different project, as long as the key is in the same region. Also, the key must use the symmetric encryption algorithm.
After you create the key ring and key, copy or write down the KEY_NAME, the key location, and the KEY_RING. You need this information when you grant the service account access to the key.
Grant the Memorystore for Redis service account access to the key
Before you can create a Memorystore for Redis instance that uses CMEK, you must grant a specific Memorystore for Redis service account access to the key. You can grant the service account access to the key by using the Google Cloud console or the Google Cloud CLI.
To grant access to the service account, use the following format:
```
service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com
```
Console
You grant the service account access to the key as part of the steps for creating a Memorystore for Redis instance that uses CMEK.
gcloud
To grant the service account access to the key, use the gcloud kms keys add-iam-policy-binding command.
```
gcloud kms keys add-iam-policy-binding KEY_NAME \
    --location=REGION_ID \
    --keyring=KEY_RING \
    --member=serviceAccount:service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
```
Make the following replacements:
- KEY_NAME: the name of the key that you're granting the service account access to
- REGION_ID: the region where the key ring is located
- KEY_RING: the name of the key ring that contains the key
- PROJECT_NUMBER: the ID or number of the project that contains the service account
Create a Memorystore for Redis instance that uses CMEK
Note: You can't enable CMEK on existing instances. Also, this operation takes several minutes to complete.
You can create an instance that uses CMEK by using the Google Cloud console or the gcloud CLI.
Console
1. Make sure that you create a key ring and key in the same region where you want to create your instance.
2. Follow the instructions at Create a Redis instance on a VPC network until you reach the step to enable CMEK. Then, return to these instructions.
3. Select Use a customer-managed encryption key (CMEK).
4. To select your key, use the menu.
   Note: If you haven't granted the service account the permissions that it needs to access the key, then the following message appears:
   The service-PROJECT-NUMBER@cloud-redis.iam.gserviceaccount.com service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key.
   If this occurs, then click Grant to grant the permissions to the service account.
5. Select your remaining configurations for the instance, and then click Create.
gcloud
To create an instance that uses CMEK, use the gcloud redis instances create command.
```
gcloud redis instances create INSTANCE_ID \
    --size=SIZE \
    --region=REGION_ID \
    --customer-managed-key=projects/PROJECT_NAME/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME
```
Make the following replacements:
- INSTANCE_ID: the ID of the instance that you're creating
- SIZE: the size of the instance that you want to create, in gibibytes (GiB)
- REGION_ID: the ID of the region where you want the instance to be located
- PROJECT_NAME: the name of the project where you want to create the instance
- KEY_RING: the name of the key ring that contains the key
- KEY_NAME: the name of the key
View key information for a CMEK-enabled instance
You can view key information for a CMEK-enabled instance by using the Google Cloud console or the gcloud CLI. This information includes the active key and whether CMEK is enabled for your instance.
Console
1. In the Google Cloud console, go to the Instances page.
2. Click the ID of your instance.
3. In the left-hand pane, click the Security tab. The Security page contains a link to the active key and shows the key reference path. If this information doesn't appear, then you didn't enable CMEK for your instance.
gcloud
To verify whether CMEK is enabled and to see the key reference, use the gcloud redis instances describe command to view the customerManagedKey field.
```
gcloud redis instances describe INSTANCE_ID \
    --project=PROJECT_NAME \
    --region=REGION_ID
```
Make the following replacements:
- INSTANCE_ID: the ID of the instance about which you want to view information
- PROJECT_NAME: the name of the project that contains the instance
- REGION_ID: the ID of the region where the instance is located
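The whole workflow on this page, from key creation through granting the service account to verifying the customerManagedKey field, as an added shell example that is not part of Google's documentation. The project ID, region, key ring, key, instance name and size are assumed defaults overridable via environment variables; the script also derives the project number for the service account with gcloud projects describe, a step the page leaves implicit.

```shell
#!/bin/sh
# Added example (not from the page): drives the documented CMEK workflow with
# gcloud and checks the outcome. All values below are assumed defaults.
PROJECT_ID="${PROJECT_ID:-my-project}"   # assumed project ID
REGION_ID="${REGION_ID:-us-central1}"     # key ring and instance must share this region
KEY_RING="${KEY_RING:-redis-ring}"
KEY_NAME="${KEY_NAME:-redis-key}"
INSTANCE_ID="${INSTANCE_ID:-redis-cmek}"
SIZE="${SIZE:-1}"                         # GiB

# Full resource name of the key: the value passed to --customer-managed-key.
key_path() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Service account Memorystore uses for KMS calls, built from the project number.
redis_service_account() {
  printf 'service-%s@cloud-redis.iam.gserviceaccount.com\n' "$1"
}

# Compare the customerManagedKey value reported by "instances describe" with
# the key we intended. Returns 0 on match; 1 if it differs or is empty, which
# means CMEK was not enabled at creation time and cannot be added afterwards.
verify_cmek() {
  reported="$1"; expected="$2"
  [ -n "$reported" ] && [ "$reported" = "$expected" ]
}

run_workflow() {
  project_number=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
  gcloud kms keyrings create "$KEY_RING" --location="$REGION_ID" --project="$PROJECT_ID"
  gcloud kms keys create "$KEY_NAME" --location="$REGION_ID" --keyring="$KEY_RING" \
    --purpose=encryption --project="$PROJECT_ID"     # symmetric encryption key
  gcloud kms keys add-iam-policy-binding "$KEY_NAME" --location="$REGION_ID" \
    --keyring="$KEY_RING" --project="$PROJECT_ID" \
    --member="serviceAccount:$(redis_service_account "$project_number")" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  expected=$(key_path "$PROJECT_ID" "$REGION_ID" "$KEY_RING" "$KEY_NAME")
  gcloud redis instances create "$INSTANCE_ID" --size="$SIZE" --region="$REGION_ID" \
    --project="$PROJECT_ID" --customer-managed-key="$expected"
  reported=$(gcloud redis instances describe "$INSTANCE_ID" --region="$REGION_ID" \
    --project="$PROJECT_ID" --format='value(customerManagedKey)')
  verify_cmek "$reported" "$expected" && echo "CMEK active: $reported"
}

# Only touch the cloud project when explicitly asked: ./cmek.sh run
if [ "${1:-}" = "run" ]; then run_workflow; fi
```

Run with `run` as the first argument after authenticating with the gcloud CLI; the helper functions can be sourced and used on their own to check an existing instance's describe output against the key you expect.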
Manage key versions
For information about what happens when you disable, destroy, rotate, enable, and restore a key version, see Behavior of a CMEK key version.
For instructions on how to disable and re-enable key versions, see Enable and disable key versions.
For instructions on how to destroy and restore key versions, see Destroy and restore key versions.
What's next
- Learn more about Redis AUTH.
- Learn more about in-transit encryption.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.