Customer-Managed Encryption Keys (CMEK)

Customer-Managed Encryption Keys (CMEK) allow organisations to protect their Gemini Enterprise data at rest using keys they control in Cloud KMS. Because the key lives in the organisation's own KMS project, the organisation controls its rotation schedule, who may use it (IAM), and the audit logging of its use, offering a higher level of security than default Google-managed encryption.

This feature is intended for organisations with stringent regulatory or compliance needs regarding data encryption. It is available for Gemini Enterprise Standard and Plus editions, providing advanced security controls for agentic workflows and data stores.

To set up CMEK, create a symmetric key in Cloud KMS and grant the necessary IAM roles to the Discovery Engine service agent. Then, register the key in the Gemini Enterprise settings within the Google Cloud console to protect new data stores and apps.
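The steps above, scripted with gcloud as an added example (not part of this page or Google's own tooling). It creates the key ring and symmetric key, grants the Discovery Engine service agent the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role on that key only, and prints the key's resource name for the console step. The project, project number, location, key ring and key names are placeholders you supply; the service agent address format `service-PROJECT_NUMBER@gcp-sa-discoveryengine.iam.gserviceaccount.com` is an assumption to confirm against your project's service agents. By default the script only prints the commands (`DRY_RUN=1`); set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example: provision a CMEK key for Gemini Enterprise with gcloud.
# Usage: DRY_RUN=0 ./cmek_setup.sh PROJECT_ID PROJECT_NUMBER LOCATION KEYRING KEY
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Discovery Engine service agent for a project number.
# Assumption: this is the agent address format; verify it in IAM for your project.
discovery_engine_agent() {
  printf 'service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com' "$1"
}

# Fully qualified Cloud KMS key resource name (what the console asks for).
key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Create key ring + symmetric key, then bind the service agent on the key only
# (least privilege: no project-wide KMS role is granted).
cmek_setup() {
  project="$1"; project_number="$2"; location="$3"; keyring="$4"; key="$5"
  agent="$(discovery_engine_agent "$project_number")"

  run gcloud kms keyrings create "$keyring" \
    --project="$project" --location="$location"

  # Symmetric encryption key; add --protection-level=hsm if policy requires HSM.
  run gcloud kms keys create "$key" \
    --project="$project" --location="$location" --keyring="$keyring" \
    --purpose=encryption

  # The service agent needs encrypt/decrypt on this key, nothing broader.
  run gcloud kms keys add-iam-policy-binding "$key" \
    --project="$project" --location="$location" --keyring="$keyring" \
    --member="serviceAccount:$agent" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

  # Verification step: the binding should appear in the key's IAM policy.
  run gcloud kms keys get-iam-policy "$key" \
    --project="$project" --location="$location" --keyring="$keyring"

  printf 'Register this key in Gemini Enterprise settings: %s\n' \
    "$(key_resource_name "$project" "$location" "$keyring" "$key")"
}

# Run only when all five arguments are supplied.
if [ "$#" -eq 5 ]; then
  cmek_setup "$@"
fi
```

Rotation is configured on the key itself (for example `gcloud kms keys update --rotation-period=... --next-rotation-time=...`), so existing data stores keep working across rotations without re-registration; the final console step of registering the key is a UI action and is not scripted here.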