Encrypt data with customer-managed encryption keys

Note: Gemini Code Assist code customization is available only in Gemini Code Assist Enterprise. For more information, see Gemini Code Assist supported features.

This document shows how to use customer-managed encryption keys (CMEK) to encrypt and control the data at rest that a cloud service stores, through Cloud Key Management Service. CMEK is integrated with code customization for Gemini Code Assist. Gemini Code Assist doesn't support the use of Cloud EKM keys.

In this document, you do the following:

  • Learn how to create a CMEK.
  • Grant permissions to the Gemini Code Assist service account.
  • Create a code repository index with a CMEK.
  • Remove access to a CMEK repository.

By default, Gemini for Google Cloud encrypts customer content at rest. Gemini handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services, including Gemini. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Gemini resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Before you begin

  1. In the Google Cloud console, activate Cloud Shell.


  2. In the development environment where you set up the gcloud CLI, run the gcloud components update command to make sure that you have updated all installed components of the gcloud CLI to the latest version.

    gcloud components update

Create a CMEK and grant permissions

To create a CMEK and grant the Gemini Code Assist service account permissions on the key, perform the following tasks:

  1. In the Google Cloud project where you want to manage your keys, do the following:

    1. Enable the Cloud Key Management Service API.

    2. Create the key ring and key directly in Cloud KMS, in the location where you will create the code repository index (the index location must match the key location).

  2. Grant the CryptoKey Encrypter/Decrypter IAM role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Gemini Code Assist service account. Grant this permission on the key that you created.

    Console

    1. Go to Key management.


    2. Select the key that you created.

    3. Grant access to the Gemini Code Assist service account:

      1. ClickAdd principal.
      2. Add the Gemini Code Assist service account. The service account is service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com, where PROJECT_NUMBER is the project number (not the project ID) of the Google Cloud project where Gemini Code Assist is enabled.
      3. In Select a role, select Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter.
      4. Click Save.
    4. Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.

    5. Return to the Key management page and select the key again.

    6. Select Show info panel. You should see the roles you granted in the Role/Member column.

    gcloud CLI

    1. To grant access to the Gemini Code Assist service account, in a shell environment, use the kms keys add-iam-policy-binding command:

      gcloud kms keys add-iam-policy-binding KEY_NAME \
          --project=PROJECT_ID \
          --location=LOCATION \
          --keyring=KEYRING_NAME \
          --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com" \
          --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"

      Replace the following:

      • KEY_NAME: the key name.
      • PROJECT_ID: the ID of the project that contains the key.
      • LOCATION: the key location.
      • KEYRING_NAME: the key ring name.
      • PROJECT_NUMBER: the project number (not the project ID) of the Google Cloud project with Gemini Code Assist enabled.
    2. Repeat the previous step to grant access to the account that will create the code repository index with a CMEK.

    For more information about this command, see the gcloud kms keys add-iam-policy-binding documentation.

You can now create a code repository index with a CMEK using the gcloud CLI or the API, and specify the key to use for encryption.

Create a code repository index with a CMEK

To create a new code repository index that has CMEK protection, do one of the following:

gcloud CLI

Use the gemini code-repository-indexes create command:

gcloud gemini code-repository-indexes create CODE_REPOSITORY_INDEX_NAME \
    --location=LOCATION \
    --kms-key="projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME"

Replace the following:

  • CODE_REPOSITORY_INDEX_NAME: the name of the new code repository index that you'll create.
  • LOCATION: the key location, which is also the location of the new index; the two must match.
  • KEY_PROJECT_ID: the key project ID.
  • KEYRING_NAME: the key ring name.
  • KEY_NAME: the key name.

API

  1. Create a JSON file that contains the following information:

      {
        "kmsKey": "projects/KEY_PROJECT_ID/locations/KEY_LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME"
      }

    Replace the following:

    • KEY_PROJECT_ID: the key project ID
    • KEY_LOCATION: the key location
    • KEYRING_NAME: the key ring name
    • KEY_NAME: the key name
  2. Use a cURL command to call the projects.locations.codeRepositoryIndexes.create method:

    curl -X POST --data-binary @JSON_FILE_NAME \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json" \
        "https://cloudaicompanion.googleapis.com/v1/projects/PROJECT_ID/locations/KEY_LOCATION/codeRepositoryIndexes?codeRepositoryIndexId=CODE_REPOSITORY_INDEX_NAME"

    Replace the following:

    • JSON_FILE_NAME: the path of the JSON file that you created in the preceding step.
    • PROJECT_ID: the ID of the project to create the repository index in.
    • KEY_LOCATION: the location to create the repository index in, which must match the location where the CMEK exists.
    • CODE_REPOSITORY_INDEX_NAME: the name of the new code repository index that you'll create. For example, zg-btf-0001.

The response returns a set of log entries.
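The following Python script is an added example, not from this page or from Google's own tooling, that ties the grant and create procedures together offline: it derives the service agent address from the project number, rejects anything that is not a CryptoKey resource name, enforces the key/index location match before building the codeRepositoryIndexes.create request, and reads a gcloud kms keys get-iam-policy --format=json document to list which principals still lack the Encrypter/Decrypter role (the service agent and the account that will create the index). The project IDs, key names, the user alice@example.com and the policy document are constructed for the example.

```python
"""Offline checks for the CMEK grant and code repository index creation steps.

Added example (not part of the Google Cloud documentation). Nothing here
calls Google Cloud; the policy document at the bottom is constructed.
"""
import json
import re

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
API_BASE = "https://cloudaicompanion.googleapis.com/v1"

# CryptoKey resource name, the format the page uses for kmsKey. A trailing
# cryptoKeyVersions/... part is rejected on purpose: the index references
# the key, not one of its versions.
_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def service_agent(project_number):
    """Gemini Code Assist service agent of the project where Gemini is enabled.

    The address is keyed by the numeric project number; passing the project
    ID would silently produce a principal that does not exist."""
    number = str(project_number)
    if not number.isdigit():
        raise ValueError(f"expected the numeric project number, got {number!r}")
    return f"service-{number}@gcp-sa-cloudaicompanion.iam.gserviceaccount.com"


def parse_kms_key(resource):
    """Split a CryptoKey resource name into its parts; reject anything else."""
    match = _KEY_RE.match(resource)
    if not match:
        raise ValueError(f"not a CryptoKey resource name: {resource}")
    return match.groupdict()


def build_create_index_request(project_id, index_id, location, kms_key):
    """Return (url, body) for projects.locations.codeRepositoryIndexes.create.

    The index location must match the key location, so the mismatch is caught
    here instead of surfacing as an API error after the call."""
    key = parse_kms_key(kms_key)
    if key["location"] != location:
        raise ValueError(
            f"index location {location!r} does not match key location {key['location']!r}"
        )
    url = (f"{API_BASE}/projects/{project_id}/locations/{location}"
           f"/codeRepositoryIndexes?codeRepositoryIndexId={index_id}")
    return url, {"kmsKey": kms_key}


def missing_encrypt_access(policy, principals):
    """Principals (IAM members such as 'serviceAccount:...' or 'user:...') that
    do not hold Encrypter/Decrypter on the key through an unconditional binding.

    `policy` is the document printed by
    `gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json`.
    Conditional bindings are ignored: a grant that depends on a condition is
    not the always-on access this procedure needs."""
    granted = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == ENCRYPTER_DECRYPTER and "condition" not in binding:
            granted.update(binding.get("members", []))
    return sorted(set(principals) - granted)


# Constructed sample: a key policy after the service agent was granted the
# role but before the creating user was (step 4 of the console procedure).
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": ENCRYPTER_DECRYPTER,
            "members": [
                "serviceAccount:service-123456789012@gcp-sa-cloudaicompanion.iam.gserviceaccount.com"
            ],
        }
    ],
    "etag": "BwYc0xEXAMPLE=",
    "version": 1,
}

if __name__ == "__main__":
    agent = "serviceAccount:" + service_agent("123456789012")
    creator = "user:alice@example.com"  # assumed account that will create the index
    print("still missing the role:", missing_encrypt_access(SAMPLE_POLICY, [agent, creator]))
    url, body = build_create_index_request(
        "my-project", "zg-btf-0001", "us-central1",
        "projects/key-project/locations/us-central1/keyRings/gemini-ring/cryptoKeys/gemini-key",
    )
    print(url)
    print(json.dumps(body))
```

Run the policy check after each add-iam-policy-binding call and before the create call; an empty list means both principals hold the role on the key itself, which is where the page tells you to grant it.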

Remove access to a CMEK repository

Warning: If you disable the CMEK, Google Cloud removes the instance that the key protects, and the service will no longer be available for it, even if you re-enable the key.

There are several ways to remove access to a CMEK-encrypted repository: you can revoke the Gemini Code Assist service account's permission on the key, or you can disable or destroy the key.

We recommend that you revoke the permissions from the Gemini Code Assist service account before disabling or destroying a key. Changes to permissions are consistent within seconds, so you can observe the impact of losing access to the key before you disable or destroy it.
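The following Python script is an added example, not from this page or from Google's own tooling, of the revoke-first step: it edits a policy document of the shape returned by gcloud kms keys get-iam-policy KEY --keyring RING --location LOC --format=json, strips the Gemini Code Assist service agent from every Encrypter/Decrypter binding, and keeps the etag so that gcloud kms keys set-iam-policy KEY policy.json --keyring RING --location LOC is rejected if someone else changed the policy in between. The project number, the user alice@example.com and the policy document are constructed for the example.

```python
"""Revoke the Gemini Code Assist service agent's access to a CMEK.

Added example (not part of the Google Cloud documentation). Works offline on
a policy document; the sample at the bottom is constructed.
"""
import copy
import json

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def service_agent(project_number):
    """Service agent of the project where Gemini Code Assist is enabled."""
    return f"service-{project_number}@gcp-sa-cloudaicompanion.iam.gserviceaccount.com"


def revoke_service_agent(policy, project_number):
    """Return (new_policy, bindings_touched) with the service agent removed
    from every Encrypter/Decrypter binding, conditional or not.

    Bindings left without members are dropped; every other binding and the
    etag are preserved, so set-iam-policy performs a safe read-modify-write."""
    if "etag" not in policy:
        raise ValueError("policy has no etag; re-read it with get-iam-policy before editing")
    principal = "serviceAccount:" + service_agent(project_number)
    new_policy = copy.deepcopy(policy)
    kept, touched = [], 0
    for binding in new_policy.get("bindings", []):
        if binding.get("role") == ENCRYPTER_DECRYPTER and principal in binding.get("members", []):
            binding["members"] = [m for m in binding["members"] if m != principal]
            touched += 1
        if binding.get("members"):
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy, touched


def write_policy(policy, path):
    """Write the edited policy for `gcloud kms keys set-iam-policy KEY path`."""
    with open(path, "w") as handle:
        json.dump(policy, handle, indent=2)


# Constructed sample: the agent holds the role twice (once under a condition),
# a user shares the first binding, and an unrelated viewer binding exists.
AGENT = "serviceAccount:" + service_agent("123456789012")
SAMPLE_POLICY = {
    "bindings": [
        {"role": ENCRYPTER_DECRYPTER, "members": [AGENT, "user:alice@example.com"]},
        {
            "role": ENCRYPTER_DECRYPTER,
            "members": [AGENT],
            "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"},
        },
        {"role": "roles/cloudkms.viewer", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwYc0xEXAMPLE=",
    "version": 3,
}

if __name__ == "__main__":
    new_policy, touched = revoke_service_agent(SAMPLE_POLICY, "123456789012")
    print(f"edited {touched} binding(s)")
    print(json.dumps(new_policy, indent=2))
    write_policy(new_policy, "policy.json")
```

Apply the edited policy with set-iam-policy first, confirm that the code repository index stops working for Gemini within seconds, and only then disable the key version with gcloud kms keys versions disable; remember the warning above that disabling the key removes the instance and re-enabling the key does not bring it back.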

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.