Compatible services

| Service | Data protected with CMEK | | Topic |
|---|---|---|---|
| Agent Assist | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| AlloyDB for PostgreSQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Anti Money Laundering AI | Data in AML AI instance resources | No | Encrypt data using customer-managed encryption keys (CMEK) |
| Apigee | Data at rest | No | Introduction to CMEK |
| Apigee API hub | Data at rest | Yes | Encryption |
| Application Integration | Data at rest | Yes | Using customer-managed encryption keys |
| Artifact Registry | Data in repositories | Yes | Enabling customer-managed encryption keys |
| Backup and DR Service | Backup Vault Container | Yes | Managing Backup Vault encryption |
| Backup and DR Service | Backups at rest | Yes | Managing backup encryption |
| Backup for GKE | Data in Backup for GKE | Yes | About Backup for GKE CMEK encryption |
| BigQuery | Data in BigQuery | Yes | Protecting data with Cloud KMS keys |
| Bigtable | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Cloud Composer | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Data Fusion | Environment data | Yes | Using customer-managed encryption keys |
| Cloud Healthcare API | Cloud Healthcare API datasets | Yes | Use customer-managed encryption keys (CMEK) |
| Cloud Logging | Data in the Log Router | Yes | Manage the keys that protect Log Router data |
| Cloud Logging | Data in Logging storage | Yes | Manage the keys that protect Logging storage data |
| Cloud Run | Container image | Yes | Using customer-managed encryption keys with Cloud Run |
| Cloud Run functions | Data in Cloud Run functions | Yes | Using customer-managed encryption keys |
| Cloud SQL | Data written to databases | Yes | Using customer-managed encryption keys |
| Cloud Storage | Data in storage buckets | Yes | Using customer-managed encryption keys |
| Cloud Tasks | Task body and header at rest | Yes | Use customer-managed encryption keys |
| Cloud TPU | Persistent disks | No | Encrypt a TPU VM boot disk with a customer-managed encryption key (CMEK) |
| Cloud Workstations | Data on VM disks | Yes | Encrypt workstation resources |
| Colab Enterprise | Runtimes and notebook files | No | Use customer-managed encryption keys |
| Compute Engine | Persistent disks | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Snapshots | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Custom images | Yes | Protecting resources with Cloud KMS keys |
| Compute Engine | Machine images | Yes | Protecting resources with Cloud KMS keys |
| Customer Experience Insights | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | MySQL migrations - data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL migrations - Data written to databases | Yes | Using customer-managed encryption keys (CMEK) |
| Database Migration Service Homogeneous Migrations | PostgreSQL to AlloyDB migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Homogeneous Migrations | SQL Server migrations - Data written to databases | Yes | About CMEK |
| Database Migration Service Heterogeneous Migrations | Oracle to PostgreSQL data at rest | Yes | Use customer-managed encryption keys (CMEK) for continuous migrations |
| Dataflow | Pipeline state data | Yes | Using customer-managed encryption keys |
| Dataform | Data in repositories | Yes | Use customer-managed encryption keys |
| Dataplex Universal Catalog | Data at rest | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc clusters data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc | Dataproc serverless data on VM disks | Yes | Customer-managed encryption keys |
| Dataproc Metastore | Data at rest | Yes | Using customer-managed encryption keys |
| Datastream | Data in transit | Yes | Using customer-managed encryption keys (CMEK) |
| Dialogflow CX | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Document AI | Data at rest and data in use | Yes | Customer-managed encryption keys (CMEK) |
| Eventarc Advanced (Preview) | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Eventarc Standard | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Filestore | Data at rest | Yes | Encrypt data with customer-managed encryption keys |
| Firestore | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Gemini Code Assist | Data at rest | No | Encrypt data with customer-managed encryption keys |
| Gemini Enterprise - NotebookLM Enterprise | Data at rest | No | Customer-managed encryption keys |
| Gemini Enterprise Enterprise | Data at rest | No | Customer-managed encryption keys |
| Google Cloud Managed Lustre | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Google Cloud Managed Service for Apache Kafka | Data associated with topics | Yes | Configure message encryption |
| Google Cloud NetApp Volumes | Data at rest | Yes | Create a CMEK policy |
| Google Distributed Cloud | Data on Edge nodes | Yes | Local storage security |
| Google Kubernetes Engine | Data on VM disks | Yes | Using customer-managed encryption keys (CMEK) |
| Google Kubernetes Engine | Application-layer secrets | Yes | Application-layer Secrets encryption |
| Integration Connectors | Data at rest | Yes | Encryption methods |
| Looker (Google Cloud core) | Data at rest | Yes | Enable CMEK for Looker (Google Cloud core) |
| Memorystore for Redis | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Memorystore for Redis Cluster | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Memorystore for Valkey | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Migrate to Virtual Machines | Data migrated from VMware, AWS, and Azure VM sources | Yes | Use CMEK to encrypt data stored during a migration |
| Migrate to Virtual Machines | Data migrated from disk and machine image sources | Yes | Use CMEK to encrypt data on target disks and machine images |
| Parameter Manager | Parameter version payloads | Yes | Enable customer-managed encryption keys for Parameter Manager |
| Pub/Sub | Data associated with topics | Yes | Configuring message encryption |
| Secret Manager | Secret payloads | Yes | Enable Customer-Managed Encryption Keys for Secret Manager |
| Secure Source Manager | Instances | Yes | Encrypt data with customer-managed encryption keys |
| Security Command Center | Data at rest | Yes | Enable CMEK for Security Command Center |
| Spanner | Data at rest | Yes | Customer-managed encryption keys (CMEK) |
| Speaker ID (Restricted GA) | Data at rest | Yes | Using customer-managed encryption keys |
| Speech-to-Text | Data at rest | Yes | Using customer-managed encryption keys |
| Vertex AI | Data associated with resources | Yes | Using customer-managed encryption keys |
| Vertex AI Search | Data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench managed notebooks (Deprecated) | User data at rest | No | Customer-managed encryption keys |
| Vertex AI Workbench user-managed notebooks (Deprecated) | Data on VM disks | No | Customer-managed encryption keys |
| Vertex AI Workbench instances | Data on VM disks | Yes | Customer-managed encryption keys |
| Workflows | Data at rest | Yes | Use customer-managed encryption keys (CMEK) |
| Workload Manager | Custom rule type evaluation data | Yes | Enable customer-managed encryption keys for evaluations |