Customer-managed encryption keys (CMEK)

By default, Vertex AI encrypts customer content at rest. Vertex AI handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Vertex AI. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Vertex AI resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

This guide describes some benefits of using CMEK for Vertex AI resources and walks through how to configure a training job to use CMEK.

For more information about how to use CMEK for Colab Enterprise, see the Colab Enterprise CMEK page. For more information about how to use CMEK for Vertex AI Workbench instances, see the Vertex AI Workbench instances CMEK page.

CMEK for Vertex AI resources

The following sections describe basic information about CMEK for Vertex AI resources that you must understand before configuring CMEK for your jobs.

Benefits of CMEK

In general, CMEK is most useful if you need full control over the keys used to encrypt your data. With CMEK, you can manage your keys within Cloud KMS. For example, you can rotate or disable a key or you can set up a rotation schedule using the Cloud KMS API. For more information about CMEK in general, including when and why to enable it, see the Cloud KMS documentation.

When you run an AutoML or custom training job, your code runs on one or more virtual machine (VM) instances managed by Vertex AI. When you enable CMEK for Vertex AI resources, the key that you designate, rather than a key managed by Google, is used to encrypt data on the boot disks of these VMs. The CMEK key encrypts the following kinds of data:

  • The copy of your code on the VMs.
  • Any data that gets loaded by your code.
  • Any temporary data that gets saved to the local disk by your code.
  • AutoML-trained models.
  • Media files (data) uploaded into media datasets.

In general, the CMEK key does not encrypt metadata associated with your operation, like the job's name and region, or a dataset's display name. Metadata associated with operations is always encrypted using Google's default encryption mechanism.

For datasets, when a user imports data into a dataset, the data items and annotations are CMEK-encrypted. The dataset display name is not CMEK-encrypted.

For models, the models stored in the storage system (for example, disk) are CMEK-encrypted. All the model evaluation results are CMEK-encrypted.

For endpoints, all model files used for the model deployment under the endpoint are CMEK-encrypted. This does not include any in-memory data.

For batch prediction, any temporary files (such as model files, logs, VM disks) used to execute the batch prediction job are CMEK-encrypted. Batch prediction results are stored in the user-provided destination, so Vertex AI respects that destination's default encryption config. Otherwise, results are also encrypted with CMEK.

For data labeling, any input files (image, text, tabular), temporary discussion (for example, questions, feedback) and output (labeling result) are CMEK-encrypted. The annotation spec display names are not CMEK-encrypted.

For agents, CMEK encrypts all source files used for agent development. Additionally, container images and deployed instances for the agent are also CMEK-encrypted.

External keys

You can use Cloud External Key Manager (Cloud EKM) to create external keys, that you manage, to encrypt data within Google Cloud.

When you use a Cloud EKM key, Google has no control over the availability of your externally-managed key. If you request access to a resource encrypted with an externally-managed key, and the key is unavailable, then Vertex AI will reject the request. There can be a delay of up to 10 minutes before you can access the resource once the key becomes available.

For more considerations when using external keys, see Cloud External Key Manager.

Use CMEK with other Google Cloud products

Configuring CMEK for Vertex AI resources does not automatically configure CMEK for other Google Cloud products that you use together with Vertex AI. To use CMEK to encrypt data in other Google Cloud products, additional configuration is required. For example:

Current CMEK-supported resources

The current Vertex AI resources covered by CMEK are as follows. CMEK support for Preview features is in Preview status as well.

Resource / Material encrypted
Dataset
  • All user imported data (for example, text content) forDataItems andAnnotations.
  • User created content such asAnnotationSpecs,ColumnSpecs.
Model
  • Uploaded model files.
  • Evaluation results of the trained model.
Endpoint
  • All model files used for the model deployment under the endpoint. This does not include any in-memory data, but the model will be auto-undeployed if the key is disabled.
CustomJob
  • The copy of your code on the VMs used to run the operation.
  • Any data that gets loaded by your code.
  • Any temporary data that gets saved to the local disk by your code.
HyperparameterTuningJob
  • The copy of your code on the VMs used to run the operation.
  • Any data that gets loaded by your code.
  • Any temporary data that gets saved to the local disk by your code.
TrainingPipeline
  • The copy of your code on the VMs used to run the operation.
  • Any data that gets loaded by your code.
  • Any temporary data that gets saved to the local disk by your code.
  • AutoML-trained models.
BatchPredictionJob (excludes AutoML image batchPrediction)
  • Any temporary files (for example, model files, logs, VM disks) used in the job to process the batch prediction job.
  • If the written results of the BatchPrediction are stored in the user-provided destination, they respect that destination's default encryption config. Otherwise, they are also encrypted with CMEK.
ModelDeploymentMonitoringJob
  • Any temporary files (for example, training dataset files, logs, VM disks) used in the job to process the model deployment monitoring job.
  • Any data used for detecting monitoring anomalies.
  • If the key is disabled, the model deployment monitoring job will be paused.
PipelineJob
  • The pipeline job and all of its sub-resources.
MetadataStore
  • All content in the metadata store.
TensorBoard
  • All data from the uploaded TensorBoard logs including scalars, histograms, graph defs, images, and text.
Featurestore
  • The featurestore and all content in the featurestore.
Index
  • All data files used for Vector Search indexes stored in Cloud Storage, Pub/Sub, and internal storage. Index and IndexEndpoint must be created with the same key.
IndexEndpoint
  • All data files used for Vector Search indexes stored in Cloud Storage, Pub/Sub, and internal storage. Index and IndexEndpoint must be created with the same key.
Colab Enterprise runtime
  • The boot disk and data disks of the runtime's VM
Colab Enterprise notebook
  • The notebook file and its comments
Vertex AI Agent Engine
  • The copy of your agent source files, including code, scripts, and any dependency files
  • The container images built from your agent source files
  • The running instances deployed from your agent container images

CMEK support for Generative AI tuning pipelines

CMEK support is provided in the tuning pipeline of the following models:

  • BERT
  • T5
  • image-generation (GPU)

Limitations

CMEK support isn't provided in the following:

  • AutoML image model batch prediction (BatchPredictionJob)
  • TPU tuning

Configure CMEK for your resources

The following sections describe how to create a key ring and key in Cloud Key Management Service, grant Vertex AI encrypter and decrypter permissions for your key, and create resources that use CMEK.

Before you begin

This guide assumes that you use two separate Google Cloud projects to configure CMEK for Vertex AI data:

  • A project for managing your encryption key (referred to as the "Cloud KMS project").
  • A project for accessing Vertex AI data or output in Cloud Storage, and interacting with any other Google Cloud products that you need for your use case (referred to as the "AI Platform project").

This recommended setup supports a separation of duties.

Alternatively, you can use a single Google Cloud project for the whole guide. To do so, use the same project for all of the following tasks that refer to the Cloud KMS project and the tasks that refer to the AI Platform project.

Set up the Cloud KMS project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud KMS API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

Set up the AI Platform project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Vertex AI API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

Set up the Google Cloud CLI

The gcloud CLI is required for some steps in this guide and optional for others.

Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

gcloud init

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

Note: You can run the gcloud CLI in the Google Cloud console without installing the Google Cloud CLI. To run the gcloud CLI in the Google Cloud console, use Cloud Shell.

Create a key ring and key

Follow the Cloud KMS guide to creating symmetric keys to create a key ring and a key. When you create your key ring, specify a region that supports Vertex AI operations as the key ring's location. Vertex AI training only supports CMEK when your resource and key use the same region. You must not specify a dual-regional, multi-regional, or global location for your key ring.

Make sure to create your key ring and key in your Cloud KMS project.

Grant Vertex AI permissions

To use CMEK for your resources, you must grant Vertex AI permission to encrypt and decrypt data using your key. Vertex AI uses a Google-managed service agent to run operations using your resources. This service account is identified by an email address with the following format:

service-AI_PLATFORM_PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com

To find the appropriate service account for your AI Platform project, go to the IAM page in the Google Cloud console and find the member that matches this email address format, with the project number for your AI Platform project replacing the AI_PLATFORM_PROJECT_NUMBER variable. The service account also has the name Vertex AI Service Agent.

Go to the IAM page

Make note of the email address for this service account, and use it in the following steps to grant it permission to encrypt and decrypt data using your key. You can grant permission by using the Google Cloud console or by using the Google Cloud CLI:

Google Cloud console

  1. In the Google Cloud console, click Security and select Key Management. This takes you to the Cryptographic Keys page. Select your Cloud KMS project.

    Go to the Cryptographic Keys page

  2. Click on the name of the key ring that you created in a preceding section of this guide to go to the Key ring details page.

  3. Select the checkbox for the key that you created in a preceding section of this guide. If an info panel labeled with the name of your key is not already open, click Show info panel.

  4. In the info panel, click Add member to open the Add members to "KEY_NAME" dialog. In this dialog, do the following:

    1. In the New members box, enter the service account email address that you made a note of in the preceding section: service-AI_PLATFORM_PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com
    2. In the Select a role drop-down list, click Cloud KMS and then select the Cloud KMS CryptoKey Encrypter/Decrypter role.

    3. Click Save.

gcloud

Run the following command:

gcloud kms keys add-iam-policy-binding KEY_NAME \
  --keyring=KEY_RING_NAME \
  --location=REGION \
  --project=KMS_PROJECT_ID \
  --member=serviceAccount:service-AI_PLATFORM_PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

In this command, replace the following placeholders:

  • KEY_NAME: The name of the key that you created in a preceding section of this guide.
  • KEY_RING_NAME: The key ring that you created in a preceding section of this guide.
  • REGION: The region where you created your key ring.
  • KMS_PROJECT_ID: The ID of your Cloud KMS project.
  • AI_PLATFORM_PROJECT_NUMBER: The project number of your AI Platform project, which you noted in the preceding section as part of a service account email address.

Create resources with the KMS key

When you create a new CMEK-supported resource you can specify your key as one of the create parameters.

Console

When you create a new CMEK-supported resource in the Vertex AI section of the Google Cloud console, you can select your key in the general or advanced option section:

[Image: Select encryption key for resource section]

REST & CMD Line

When you create a supported resource, add an encryptionSpec object to your request and set the encryptionSpec.kmsKeyName field to point to your key resource.

For example, when creating a dataset resource you would specify your key in the request body:

{
  "displayName": DATASET_NAME,
  "metadataSchemaUri": METADATA_URI,
  "encryptionSpec": {
    "kmsKeyName": "projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME"
  }
}
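As an added pre-flight check (example code written for this page, not Google's own code), the following Python validates a create-request body like the one above and the key's IAM policy against the rules stated in this guide: the key must be in a single region that equals the resource's region, held in the Cloud KMS project, and the Vertex AI service agent should hold only the CryptoKey Encrypter/Decrypter role. The policy dict uses the bindings/role/members shape of an IAM policy; project IDs and numbers in the test are constructed.

```python
import re

# Cloud KMS CryptoKey resource name, as used in encryptionSpec.kmsKeyName.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
# Single regions look like us-central1 or europe-west4. Multi-region (us, eu,
# global) and dual-region (nam4, eur4) names do not have this shape, and the
# guide says a key ring must not use them.
REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")
ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def check_encryption_spec(request_body, resource_region, kms_project_id):
    """Return findings for the encryptionSpec of a Vertex AI create request.

    An empty list means the key name is well formed, single-region, in the
    resource's region and held in the Cloud KMS project (separation of duties).
    """
    spec = request_body.get("encryptionSpec") or {}
    name = spec.get("kmsKeyName")
    if not name:
        return ["no encryptionSpec.kmsKeyName: resource falls back to Google default encryption"]
    match = KMS_KEY_RE.match(name)
    if not match:
        return [f"malformed kmsKeyName: {name!r}"]
    key = match.groupdict()
    findings = []
    if not REGION_RE.match(key["location"]):
        findings.append(f"key location {key['location']!r} is not a single region")
    elif key["location"] != resource_region:
        findings.append(f"key region {key['location']!r} != resource region {resource_region!r}")
    if key["project"] != kms_project_id:
        findings.append(f"key lives in project {key['project']!r}, not the Cloud KMS project")
    return findings


def check_service_agent_binding(policy, ai_platform_project_number):
    """Return findings for a key's IAM policy ({"bindings": [{"role", "members"}]}).

    The Vertex AI service agent must hold the Encrypter/Decrypter role; any
    additional role on the key is more than CMEK needs and is reported.
    """
    agent = (f"serviceAccount:service-{ai_platform_project_number}"
             "@gcp-sa-aiplatform.iam.gserviceaccount.com")
    roles = {b["role"] for b in policy.get("bindings", []) if agent in b.get("members", [])}
    findings = []
    if ENCRYPTER_DECRYPTER not in roles:
        findings.append(f"{agent} lacks {ENCRYPTER_DECRYPTER}; CMEK-backed creates will fail")
    for role in sorted(roles - {ENCRYPTER_DECRYPTER}):
        findings.append(f"{agent} also holds {role}; drop it to keep least privilege")
    return findings
```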

Java

When you create a supported resource, set the EncryptionSpec to point to your key resource. See the Vertex AI client library for Java documentation for more information.

Node.js

When you create a supported resource, set the encryptionSpec parameter to point to your key resource. See the Vertex AI client library for Node.js documentation for more information.

Python

When you create a supported resource, set the encryption_spec parameter to point to your key resource. See the Python Client for Cloud AI Platform documentation for more information.

What's next


Last updated 2026-02-18 UTC.