Encrypt data with customer-managed encryption keys
Stay organized with collectionsSave and categorize content based on your preferences.
This document shows how to use customer-managed encryption keys (CMEK) to
encrypt and control data-at-rest in a cloud service throughCloud Key Management Service. CMEK is integrated withcode customizationfor
Gemini Code Assist.
Gemini Code Assist doesn't support the use ofCloud EKMkeys.
In this document, you do the following:
Learn how to create a CMEK.
Grant permissions to the Gemini Code Assist service account.
Create a code repository index with a CMEK.
Remove access to a CMEK repository.
By default, Gemini for Google Cloudencrypts customer content at
rest.
Gemini handles encryption for you without any additional actions
on your part. This option is calledGoogle default encryption.
After you set up your resources with CMEKs, the experience of accessing your
Gemini resources is similar to using Google default encryption.
For more information about your encryption options, seeCustomer-managed encryption keys (CMEK).
Before you begin
In one of the following development environments, set up the gcloud CLI:
In the development environment where you set up the gcloud CLI, run thegcloud components updatecommandto make sure that you have updated all installed components of thegcloudto the latest version.
gcloudcomponentsupdate
Create a CMEK and grant permissions
To create a CMEK and grant the Gemini Code Assist service account
permissions on the key, perform the following tasks:
In the Google Cloud project where you want to manage your keys, do the
following:
Grant theCryptoKey Encrypter/Decrypter IAM role(roles/cloudkms.cryptoKeyEncrypterDecrypter) to the
Gemini Code Assist service account. Grant this permission on
the key that you created.
Grant access to the Gemini Code Assist service account:
ClickAdd principal.
Add the Gemini Code Assist service account. The
service account isservice-PROJECT_NUMBER@gcp-sa-cloudaicompanions.,
wherePROJECT_NUMBERis theproject numberof the Google Cloud project where
Gemini Code Assist is enabled.
InSelect a role, selectCloud KMS>Cloud KMS CryptoKey Encrypter/Decrypter.
ClickSave.
Repeat the previous step to grant access to the account that will
create the code repository index with a CMEK.
Return to theKey managementpage and select the key again.
SelectShow info panel. You should see roles in theRole/Membercolumn.
We recommend that you revoke the permissions from the
Gemini Code Assist service account before disabling or destroying
a key. Changes to permissions are consistent within seconds, so you can observe
the impacts of disabling or destroying a key.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-05 UTC."],[],[],null,["| **Note:** Gemini Code Assist code customization is available only in Gemini Code Assist Enterprise. For more information, see [Gemini Code Assist supported features](/gemini-code-assist/docs/overview#supported-features).\n\nThis document shows how to use customer-managed encryption keys (CMEK) to\nencrypt and control data-at-rest in a cloud service through\n[Cloud Key Management Service](https://cloud.google.com/kms/docs). CMEK is integrated with\n\n[code customization](/gemini-code-assist/docs/code-customization-overview) for\nGemini Code Assist.\nGemini Code Assist doesn't support the use of\n[Cloud EKM](https://cloud.google.com/kms/docs/ekm) keys.\n\nIn this document, you do the following:\n\n- Learn how to create a CMEK.\n- Grant permissions to the Gemini Code Assist service account.\n- Create a code repository index with a CMEK.\n- Remove access to a CMEK repository.\n\nBy default, Gemini for Google Cloud [encrypts customer content at\nrest](https://cloud.google.com/docs/security/encryption/default-encryption).\nGemini handles encryption for you without any additional actions\non your part. This option is called *Google default encryption*.\n\nAfter you set up your resources with CMEKs, the experience of accessing your\nGemini resources is similar to using Google default encryption.\nFor more information about your encryption options, see\n[Customer-managed encryption keys (CMEK)](https://cloud.google.com/kms/docs/cmek).\n\nBefore you begin\n\n1. In one of the following development environments, set up the gcloud CLI:\n\n - **Cloud Shell** : to use an online terminal with the gcloud CLI\n already set up, [launch the Cloud Shell editor](https://ide.cloud.google.com).\n\n - **Local shell** : to use a local development environment,\n [install](https://cloud.google.com/sdk/docs/install) and\n [initialize](https://cloud.google.com/sdk/docs/initializing) the gcloud CLI.\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](https://cloud.google.com/iam/docs/workforce-log-in-gcloud).\n2. In the development environment where you set up the gcloud CLI, run the\n [`gcloud components update` command](https://cloud.google.com/sdk/gcloud/reference/components/update)\n to make sure that you have updated all installed components of the\n [gcloud](https://cloud.google.com/sdk/gcloud) to the latest version.\n\n gcloud components update\n\nCreate a CMEK and grant permissions\n\nTo create a CMEK and grant the Gemini Code Assist service account\npermissions on the key, perform the following tasks:\n\n1. In the Google Cloud project where you want to manage your keys, do the\n following:\n\n 1. [Enable the Cloud Key Management Service API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com&redirect=https://console.cloud.google.com).\n\n 2. Create the [key ring](https://cloud.google.com/kms/docs/create-key-ring) and\n [key](https://cloud.google.com/kms/docs/create-key) directly in\n Cloud KMS.\n\n2. Grant the [CryptoKey Encrypter/Decrypter IAM role](https://cloud.google.com/iam/docs/roles-permissions/cloudkms#cloudkms.cryptoKeyEncrypterDecrypter)\n (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) to the\n Gemini Code Assist service account. Grant this permission on\n the key that you created.\n\n Console\n 1. Go to **Key management**.\n\n [Go to Key management](https://console.cloud.google.com/security/kms)\n 2. Select the key that you created.\n\n 3. Grant access to the Gemini Code Assist service account:\n\n 1. Click **Add principal**.\n 2. Add the Gemini Code Assist service account. The service account is `service-`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@gcp-sa-cloudaicompanions.`, where \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e is the [project number](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects) of the Google Cloud project where Gemini Code Assist is enabled.\n 3. In **Select a role** , select **Cloud KMS** \\\u003e **Cloud KMS CryptoKey Encrypter/Decrypter**.\n 4. Click **Save**.\n 4. Repeat the previous step to grant access to the account that will\n create the code repository index with a CMEK.\n\n 5. Return to the **[Key management](https://console.cloud.google.com/security/kms)**\n page and select the key again.\n\n 6. Select **Show info panel** . You should see roles in the\n **Role/Member** column.\n\n gcloud\n 1. To grant access to the Gemini Code Assist service\n account, in a shell environment, use the\n [`kms keys add-iam-policy-binding`command](https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding):\n\n gcloud kms keys add-iam-policy-binding \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --keyring=\u003cvar translate=\"no\"\u003eKEYRING_NAME\u003c/var\u003e \\\n --member=\"serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e@gcp-sa-cloudaicompanion.\" \\\n --role=\"roles/cloudkms.cryptoKeyEncrypterDecrypter\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the key name.\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the ID of the project that contains the key.\n - \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the key location.\n - \u003cvar translate=\"no\"\u003eKEYRING_NAME\u003c/var\u003e: the key ring name.\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e: the [project number](/resource-manager/docs/creating-managing-projects#identifying_projects) of the Google Cloud project with Gemini Code Assist enabled.\n 2. Repeat the previous step to grant access to the account that will\n create the code repository index with a CMEK.\n\n For more information about this command, see the\n [`gcloud kms keys add-iam-policy-binding` documentation](https://cloud.google.com/sdk/gcloud/reference/kms/keys/add-iam-policy-binding).\n\nYou can now\n[create a code repository index with a CMEK](#create_a_code_repository_index_with_a_cmek)\nusing the API, and specify the key to use for encryption.\n\nCreate a code repository index with a CMEK\n\nTo create a new repository that has CMEK protection, do one of the following: \n\ngcloud\n\nUse the [`gemini code-repository-indexes create` command](https://cloud.google.com/sdk/gcloud/reference/gemini/code-repository-indexes/create): \n\n gcloud gemini code-repository-indexes create \u003cvar translate=\"no\"\u003eCODE_REPOSITORY_INDEX_NAME\u003c/var\u003e \\\n --location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --kms-key=\"projects/\u003cvar translate=\"no\"\u003eKEY_PROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e/keyRings/\u003cvar translate=\"no\"\u003eKEYRING_NAME\u003c/var\u003e/cryptoKeys/\u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e\"\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eCODE_REPOSITORY_INDEX_NAME\u003c/var\u003e: the name of the new code repository index that you'll create.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the key location.\n- \u003cvar translate=\"no\"\u003eKEY_PROJECT_ID\u003c/var\u003e: the key project ID.\n- \u003cvar translate=\"no\"\u003eKEYRING_NAME\u003c/var\u003e: the key ring name.\n- \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the key name.\n\nAPI\n\n1. Create a JSON file that contains the following information:\n\n ```\n {\n \"kmsKey\": \"projects/KEY_PROJECT_ID/locations/KEY_LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME\"\n }\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eKEY_PROJECT_ID\u003c/var\u003e: the key project ID\n - \u003cvar translate=\"no\"\u003eKEY_LOCATION\u003c/var\u003e: the key location\n - \u003cvar translate=\"no\"\u003eKEYRING_NAME\u003c/var\u003e: the key ring name\n - \u003cvar translate=\"no\"\u003eKEY_NAME\u003c/var\u003e: the key name\n2. Use a [`cURL`](http://curl.haxx.se/) command to call the\n [`projects.locations.codeRepositoryIndexes.create` method](https://cloud.google.com/gemini/docs/api/reference/rest/v1/projects.locations.codeRepositoryIndexes/create):\n\n ```\n curl -X POST --data-binary @JSON_FILE_NAME \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -H \"Content-Type: application/json\" \\\n \"https://cloudaicompanion.googleapis.com/v1/projects/PROJECT_ID/locations/KEY_LOCATION/codeRepositoryIndexes?codeRepositoryIndexId=CODE_REPOSITORY_INDEX_NAME\"\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eJSON_FILE_NAME\u003c/var\u003e: the path for the JSON file that you created in the preceding step.\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the ID of the project to create the repository in.\n - \u003cvar translate=\"no\"\u003eKEY_LOCATION\u003c/var\u003e: the location to create the repository in, which must match the location where the CMEK exists.\n - \u003cvar translate=\"no\"\u003eCODE_REPOSITORY_INDEX_NAME\u003c/var\u003e: the name of the new code repository index that you'll create. For example, `zg-btf-0001`.\n\nThe response returns a set of log entries.\n\nRemove access to a CMEK repository **Warning:** If you disable the CMEK, Google Cloud removes the instance and the service will no longer be available, even if you re-enable the key.\n\nThere are several ways to remove access to a CMEK-encrypted repository:\n\n- Revoke the Cloud KMS CryptoKey Encrypter/Decrypter [role](https://cloud.google.com/kms/docs/reference/permissions-and-roles#predefined_roles) from the Gemini Code Assist service account using the [API Console](https://cloud.google.com/iam/docs/granting-changing-revoking-access#revoke_access) or the [gcloud](https://cloud.google.com/iam/docs/granting-changing-revoking-access#revoking-gcloud-manual).\n- [Temporarily disable](https://cloud.google.com/kms/docs/enable-disable#disable_an_enabled_key_version) the CMEK.\n- [Permanently destroy](https://cloud.google.com/kms/docs/destroy-restore#schedule_a_key_version_for_destruction_destroy_a_key_version) the CMEK.\n\nWe recommend that you revoke the permissions from the\nGemini Code Assist service account before disabling or destroying\na key. Changes to permissions are consistent within seconds, so you can observe\nthe impacts of disabling or destroying a key."]]
