Use customer-managed encryption keys (CMEK)
By using customer-managed encryption keys (CMEK), you have control over your keys. This gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud Key Management Service (KMS).
Note: You can use CMEK on new Memorystore for Valkey deployments only. You can't enable CMEK on existing Memorystore for Valkey instances. Also, for more information about CMEK for Memorystore for Valkey, see About customer-managed encryption keys (CMEK).
Before you begin
Make sure that you have the Memorystore Admin role on your user account.
Workflow to create an instance that uses CMEK
1. Create a key ring and key in the location where you want the Memorystore for Valkey instance to be.
2. Copy or write down the key name (KEY_NAME), the location of the key, and the name of the key ring (KEY_RING). You need this information when granting the service account access to the key.
3. Grant the Memorystore for Valkey service account access to the key.
4. Go to a project and create a Memorystore for Valkey instance with CMEK enabled in the same region as the key ring and key.
Your Memorystore for Valkey instance is now enabled with CMEK.
Create a key ring and key
Create a key ring and key. Both must be in the same region as your Memorystore for Valkey instance. The key can be from a different project, as long as the key is in the same region. Also, the key must use the symmetric encryption algorithm.
After you create the key ring and key, copy or write down the KEY_NAME, the key location, and the KEY_RING. You need this information when you grant the service account access to the key.
Grant the Memorystore for Valkey service account access to the key
Before you can create a Memorystore for Valkey instance that uses CMEK, you must grant a specific Memorystore for Valkey service account access to the key.
You can grant the service account access to the key by using the gcloud CLI. To grant access to the service account, use the following format:
service-PROJECT_NUMBER@gcp-sa-memorystore.iam.gserviceaccount.com
To grant the service account access to the key, use the gcloud kms keys add-iam-policy-binding command.
gcloud kms keys add-iam-policy-binding \
    projects/PROJECT_ID/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-memorystore.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Make the following replacements:
- PROJECT_ID: the ID or number of the project that contains the key ring
- REGION_ID: the region where the key ring is located
- KEY_RING: the name of the key ring that contains the key
- KEY_NAME: the name of the key that you're granting access to the service account
- PROJECT_NUMBER: the ID or number of the project that contains the service account
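A pre-flight check for the two requirements above (the key is in the same region as the planned instance, and the service account holds roles/cloudkms.cryptoKeyEncrypterDecrypter on it), as an added example that is not part of the original page. The function names, the sample project, key and region values, and the get-iam-policy invocation shown in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): offline pre-flight checks for CMEK.
# Function names are hypothetical; all project, key and region values are constructed.

ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"
TAB=$(printf '\t')

# Member string for the Memorystore for Valkey service account of a project.
memorystore_member() {
  printf 'serviceAccount:service-%s@gcp-sa-memorystore.iam.gserviceaccount.com\n' "$1"
}

# Print the location segment of a full key resource name; fail if malformed.
key_location() {
  case $1 in ''|*/|*//*) return 1 ;; esac
  _ifs=$IFS; IFS=/; set -f
  set -- $1
  set +f; IFS=$_ifs
  [ $# -eq 8 ] && [ "$1/$3/$5/$7" = "projects/locations/keyRings/cryptoKeys" ] || return 1
  printf '%s\n' "$4"
}

# Succeed only when the key is in the region planned for the instance.
same_region() {  # same_region KEY_RESOURCE REGION_ID
  _loc=$(key_location "$1") || return 2
  [ "$_loc" = "$2" ]
}

# Read "role<TAB>member" rows on stdin, as printed by (assumed invocation):
#   gcloud kms keys get-iam-policy KEY --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# Succeed only if the service account for PROJECT_NUMBER holds ROLE.
has_binding() {  # has_binding PROJECT_NUMBER
  _want=$(memorystore_member "$1")
  while IFS=$TAB read -r _role _member; do
    if [ "$_role" = "$ROLE" ] && [ "$_member" = "$_want" ]; then return 0; fi
  done
  return 1
}

# Constructed sample run.
KEY="projects/kms-proj/locations/us-central1/keyRings/valkey-ring/cryptoKeys/valkey-key"
sample_policy() {
  printf '%s\t%s\n' "roles/cloudkms.viewer" "user:auditor@example.com" \
    "$ROLE" "$(memorystore_member 123456789012)"
}
same_region "$KEY" us-central1 && echo "region: ok"
same_region "$KEY" europe-west1 || echo "region: mismatch, fix before creating the instance"
sample_policy | has_binding 123456789012 && echo "binding: ok"
```

To check a real key, pipe the get-iam-policy output into has_binding in place of sample_policy before you run the create command.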
Create a Memorystore for Valkey instance that uses CMEK
You can create an instance that uses CMEK by using the gcloud CLI.
Note: You can't enable CMEK on existing instances. Also, this operation takes several minutes to complete.
To create an instance that uses CMEK, use the gcloud memorystore instances create command.
gcloud memorystore instances create INSTANCE_ID \
    --project=PROJECT_NAME \
    --location=REGION_ID \
    --endpoints='[{"connections": [{"pscAutoConnection": {"network": "projects/PROJECT_NAME/global/networks/NETWORK_ID", "projectId": "PROJECT_NAME"}}]}]' \
    --kms-key=projects/PROJECT_NAME/locations/REGION_ID/keyRings/KEY_RING/cryptoKeys/KEY_NAME \
    --shard-count=SHARD_NUMBER \
    --persistence-config-mode=PERSISTENCE_CONFIG_MODE
Make the following replacements:
- INSTANCE_ID: the ID of the instance that you're creating.
- PROJECT_NAME: the name of the project where you want to create the instance.
- REGION_ID: the ID of the region where you want the instance to be located.
- NETWORK_ID: the ID of the network that you want to use to create the instance.
- KEY_RING: the name of the key ring that contains the key.
- KEY_NAME: the name of the key.
- SHARD_NUMBER: the number of shards that you want to have for the instance.
- PERSISTENCE_CONFIG_MODE: the persistence mode for the instance. You can set this mode to one of the following values:
  - aof: you enable Append-Only File (AOF)-based persistence for the instance.
  - disabled: you deactivate persistence for the instance.
  - rdb: you enable Redis Database (RDB)-based persistence for the instance.
View key information for a CMEK-enabled instance
You can view information about your CMEK-enabled instance by using the gcloud CLI. This information includes whether CMEK is enabled for your instance and the active key.
To verify if CMEK is enabled and to see the key reference, use the gcloud memorystore instances describe command to view the encryptionInfo and kmsKey fields.
gcloud memorystore instances describe INSTANCE_ID \
    --project=PROJECT_NAME \
    --location=REGION_ID
Make the following replacements:
- INSTANCE_ID: the ID of the instance about which you want to view information
- PROJECT_NAME: the name of the project that contains the instance
- REGION_ID: the ID of the region where the instance is located
Manage key versions
For information about what happens when you disable, destroy, rotate, enable, and restore a key version, see Behavior of a CMEK key version.
For instructions on how to disable and re-enable key versions, see Enable and disable key versions.
For instructions on how to destroy and restore key versions, see Destroy and restore key versions.
What's next
- Learn more about backups.
- Learn more about persistence.
Last updated 2026-02-19 UTC.