Introduction to encryption for Cloud Speech-to-Text

By default, Cloud Speech-to-Text encrypts customer content at rest. Cloud STT handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Cloud STT. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Cloud STT resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

For information about the specific benefits of using CMEK with Cloud Speech-to-Text resources, see Understand CMEK for Cloud STT resources.

Understand CMEK for Cloud STT resources

The following conditions are true when a new key is set by using the Speech-to-Text API:

  • Resources previously encrypted with the original key remain encrypted with that earlier key. If a resource is updated (using an Update* method), it is re-encrypted with the new key.
  • Resources that were not previously CMEK-encrypted remain without CMEK encryption. If a resource is updated (using an Update* method), it is then re-encrypted with the new key. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation is re-encrypted with the new key.
  • Newly created resources are encrypted with the newly set key.

When you remove a key by using the Speech-to-Text API, new resources are created without CMEK encryption. Existing resources remain encrypted with the keys with which they were previously encrypted. If a resource is updated (using an Update* method), it is re-encrypted using the default encryption managed by Google. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation will be re-encrypted using the default encryption managed by Google.

The location of the Cloud KMS key used for encrypting Cloud STT resources must match the Cloud STT endpoint used. For more information about Cloud STT locations, see Cloud STT locations. For more information about Cloud KMS locations, see Cloud KMS locations.
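The rules above decide which key protects each resource after a key change, which matters when you need to know what still depends on an earlier key. The following is an added example, not Google's code and not part of the original page: an in-memory model that makes no API calls. The class, method and resource names are hypothetical, the key names are constructed, and re-encryption of unfinished operations is assumed to take effect at the key change.

```python
import re

GOOGLE_DEFAULT = None  # marker: Google default encryption, no CMEK
KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")

class SttCmekModel:  # hypothetical in-memory model; makes no API calls
    def __init__(self, stt_location):
        self.stt_location = stt_location  # location of the Cloud STT endpoint used
        self.current_key = GOOGLE_DEFAULT
        self.protected_by = {}            # resource name -> key that encrypts it
        self.unfinished_ops = set()       # long-running operations still processing

    def set_key(self, key_name):  # None removes the key (Google default encryption)
        if key_name is not None:
            m = KEY_RE.match(key_name)    # group 1 is the key's location
            if not m or m.group(1) != self.stt_location:
                raise ValueError("KMS key location must match the Cloud STT location")
        self.current_key = key_name
        for op in self.unfinished_ops:    # assumption: applied at the key change
            self.protected_by[op] = key_name

    def create(self, name, long_running=False):
        self.protected_by[name] = self.current_key
        if long_running:
            self.unfinished_ops.add(name)

    def update(self, name):  # stands in for any Update* method
        self.protected_by[name] = self.current_key

    def finish(self, op):
        self.unfinished_ops.discard(op)

    def still_using(self, key_name):
        """Resources still encrypted with key_name."""
        return sorted(n for n, k in self.protected_by.items() if k == key_name)

def rotation_scenario():  # constructed project, key and resource names
    old, new = (f"projects/example/locations/us-central1/keyRings/stt/cryptoKeys/{k}" for k in ("k1", "k2"))
    m = SttCmekModel("us-central1")
    m.set_key(old)
    m.create("recognizers/r1")
    m.create("phraseSets/p1")
    m.create("operations/op1", long_running=True)  # still processing
    m.set_key(new)
    m.update("phraseSets/p1")  # update re-encrypts with the new key
    return m, old, new
```

In this scenario `still_using(old)` returns only `recognizers/r1`, the one resource that was neither updated nor an unfinished operation when the key changed.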

CMEK-supported resources

The following are current Cloud Speech-to-Text resources covered by CMEK:

Resource, followed by the material encrypted:

Recognizer
  • The language code in the recognition configuration.
  • Inline and reference adaptation resources.
PhraseSet
  • Phrases in the phrase set.
CustomClass
  • Class items in the custom class.
Operation
  • The original request that spawned the operation.
  • The response from the method that spawned the operation.
Batch recognition artifacts
  • Adaptation resources used during transcription.
  • The accumulated transcript results.
  • Audio artifacts required for transcription.


Last updated 2025-12-17 UTC.