# Use customer-managed encryption keys (CMEK)

Last updated 2025-09-04 UTC.

| **Preview**
|
| This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
| of the [Service Specific Terms](/terms/service-terms#1).
|
| Pre-GA features are available "as is" and might have limited support.
|
| For more information, see the
| [launch stage descriptions](/products#product-launch-stages).

This page provides instructions for creating a Memorystore for Redis Cluster
instance that uses customer-managed encryption keys (CMEK). It also provides
instructions for managing instances that use CMEK. For more information about
CMEK for Memorystore for Redis Cluster, see [About customer-managed encryption keys (CMEK)](/memorystore/docs/cluster/about-cmek).

| **Note:** You can't enable CMEK on existing Memorystore for Redis Cluster instances.

Before you begin
----------------

1. Make sure that you have the Redis Admin [role](/memorystore/docs/cluster/access-control)
   on your user account.

   [Go to the IAM page](https://console.cloud.google.com/iam-admin/iam)

Workflow to create an instance that uses CMEK
---------------------------------------------

1. Create a [key ring](/kms/docs/create-key-ring) and [key](/kms/docs/create-key)
   in the location where you want the Memorystore for Redis Cluster
   instance to be.

2. Copy or write down the key ID (`KMS_KEY_ID`), the location of the key, and the
   key ring ID (`KMS_KEY_RING_ID`). You need this information when granting
   the service account access to the key.

3. [Grant the Memorystore for Redis Cluster service account access to the key](#grant-service-account-access).

4. Go to a project and [create a Memorystore for Redis Cluster instance with CMEK enabled](#create-CMEK-instance) in the same region as the key ring and key.

Your Memorystore for Redis Cluster instance is now enabled with CMEK.

Create a key ring and key
-------------------------

Create a [key ring](/kms/docs/create-key-ring) and [key](/kms/docs/create-key).
Both must be in the same region as your Memorystore for Redis Cluster
instance. The key can be from a different project, as long as the key is in the
same region. Also, the key must use the [symmetric encryption algorithm](/kms/docs/algorithms#symmetric).

Grant the Memorystore for Redis Cluster service account access to the key
-------------------------------------------------------------------------

Before you can create a Memorystore for Redis Cluster instance that uses
CMEK, you must grant a specific Memorystore for Redis Cluster service account access to the key.

To grant access to the service account, use the following format:

`service-[PROJECT-NUMBER]@cloud-redis.iam.gserviceaccount.com`

### gcloud

To grant the service account access to the key, use the [`gcloud kms keys add-iam-policy-binding`](/sdk/gcloud/reference/kms/keys/add-iam-policy-binding)
command. Replace *VARIABLES* with appropriate values.

```
gcloud kms keys add-iam-policy-binding \
projects/PROJECT_ID/locations/REGION_ID/keyRings/KMS_KEY_RING_ID/cryptoKeys/KMS_KEY_ID \
--member=serviceAccount:service-PROJECT_NUMBER@cloud-redis.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter
```

Create a Memorystore for Redis Cluster instance that uses CMEK
--------------------------------------------------------------

**Note:** You can't enable CMEK on existing instances. Also, this operation takes several minutes to complete.

### gcloud

To create an instance that uses CMEK, use the [`gcloud beta redis clusters create`](/sdk/gcloud/reference/beta/redis/clusters/create) command. Replace
*VARIABLES* with appropriate values.

```
gcloud beta redis clusters create INSTANCE_ID \
--project=PROJECT_NAME \
--region=REGION_ID \
--network=NETWORK \
--kms-key=projects/PROJECT_NAME/locations/REGION_ID/keyRings/KMS_KEY_RING_ID/cryptoKeys/KMS_KEY_ID \
--shard-count=SHARD_NUMBER \
--persistence-mode=PERSISTENCE_MODE
```

View key information for a CMEK-enabled instance
------------------------------------------------

Follow these instructions to see if CMEK is enabled for your instance, and to
view the active key.

### gcloud

To verify if CMEK is enabled and to see the key reference, use the [`gcloud redis clusters describe`](/sdk/gcloud/reference/redis/clusters/describe) command to view the `encryptionInfo` and `kmsKey` fields. Replace *VARIABLES* with
appropriate values.

```
gcloud redis clusters describe INSTANCE_ID \
--project=PROJECT_NAME \
--region=REGION_ID
```

Manage key versions
-------------------

For information about what happens when you disable, destroy, rotate, enable,
and restore a key version, see [Behavior of a CMEK key version](/memorystore/docs/cluster/about-cmek#behavior-of-a-cmek-key-version).

For instructions on how to disable and re-enable key versions, see [Enable and
disable key versions](/kms/docs/enable-disable).

For instructions on how to destroy and restore key versions, see [Destroy and
restore key versions](/kms/docs/destroy-restore).

What's next
-----------

- Learn more about [backups](/memorystore/docs/cluster/backups).
- Learn more about [persistence](/memorystore/docs/cluster/persistence-overview).
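
The workflow above has three places where a wrong value surfaces late or not at all: the key's region, the service account member string, and the key the instance ends up using. The following pre-flight checks are an added example, not part of Google's documentation; the function names are hypothetical, and treating an empty `kmsKey` value as "CMEK not enabled" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example; any project, key ring or key name used with it is a constructed placeholder.

# Split projects/P/locations/L/keyRings/R/cryptoKeys/K into KEY_PROJECT,
# KEY_LOCATION, KEY_RING, KEY_NAME. Returns 1 for anything else, e.g. a key
# version name (.../cryptoKeyVersions/N) pasted by mistake.
parse_kms_key() {
  case $1 in */ | *//*) return 1 ;; esac       # reject empty path segments
  old_ifs=$IFS; IFS=/; set -f
  set -- $1                                    # split on "/" only, globbing off
  set +f; IFS=$old_ifs
  [ "$#" -eq 8 ] || return 1
  [ "$1" = projects ] && [ "$3" = locations ] &&
    [ "$5" = keyRings ] && [ "$7" = cryptoKeys ] || return 1
  KEY_PROJECT=$2 KEY_LOCATION=$4 KEY_RING=$6 KEY_NAME=$8
}

# The page requires the key ring and key to be in the instance's region; the
# key's project may differ. Returns 0 on match, 1 on mismatch, 2 if malformed.
check_key_region() {   # usage: check_key_region KMS_KEY REGION_ID
  parse_kms_key "$1" || { echo "malformed key name: $1" >&2; return 2; }
  [ "$KEY_LOCATION" = "$2" ] || {
    echo "key is in '$KEY_LOCATION', instance region is '$2'" >&2; return 1; }
}

# Build the --member value in the format given on this page. The page asks for
# the project number, so a non-numeric value (a project ID) is rejected.
service_agent_member() {   # usage: service_agent_member PROJECT_NUMBER
  case $1 in '' | *[!0-9]*) return 1 ;; esac
  printf 'serviceAccount:service-%s@cloud-redis.iam.gserviceaccount.com\n' "$1"
}

# Compare the kmsKey reported by `describe` with the key you intended.
# Returns 1 if no key is reported, 2 if a different key is reported.
verify_cmek() {   # usage: verify_cmek EXPECTED_KMS_KEY ACTUAL_KMS_KEY
  [ -n "$2" ] || { echo "CMEK not enabled (kmsKey is empty)" >&2; return 1; }
  [ "$1" = "$2" ] || { echo "instance uses unexpected key: $2" >&2; return 2; }
}

# Live use (not run here; requires gcloud and access to the instance):
#   actual=$(gcloud redis clusters describe INSTANCE_ID --project=PROJECT_NAME \
#            --region=REGION_ID --format='value(kmsKey)')
#   verify_cmek "$expected_key" "$actual"
```

Run `check_key_region` before the create command, because CMEK can't be enabled on an existing instance and a mistake there means recreating it.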