Encryption

By default, Speech-to-Text encrypts customer content at rest. Speech-to-Text handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Speech-to-Text. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Speech-to-Text resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

For information about the specific benefits of using CMEK with Speech-to-Text resources, see Understand CMEK for Speech-to-Text resources.

Understand CMEK for Speech-to-Text resources

The following conditions are true when a new key is set by using the Speech-to-Text API:

  • Resources previously encrypted with the original key remain encrypted with that earlier key. If a resource is updated (using an Update* method), it is re-encrypted with the new key.
  • Resources that were previously not CMEK-encrypted remain without CMEK encryption. If a resource is updated (using an Update* method), it is then re-encrypted with the new key. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation is re-encrypted with the new key.
  • Newly created resources are encrypted with the newly set key.

When you remove a key by using the Speech-to-Text API, new resources are created without CMEK encryption. Existing resources remain encrypted with the keys with which they were previously encrypted. If a resource is updated (using an Update* method), it is re-encrypted using the default encryption managed by Google. For long-running operations (like batch recognition), if processing is ongoing and not finished, the stored operation is re-encrypted using the default encryption managed by Google.

The location of the Cloud KMS key used for encrypting Speech-to-Text resources must match the Speech-to-Text endpoint used. For more information about Speech-to-Text locations, see Speech-to-Text locations. For more information about Cloud KMS locations, see Cloud KMS locations.
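The key-transition rules above, and the location constraint, are easy to get wrong when planning key rotation or retirement. The following is an added example (not Google's code or the Speech-to-Text client library): it models which key protects each resource under those rules, so you can list what is still bound to an old key before disabling or destroying that key version, and it checks a Cloud KMS key name against a Speech-to-Text endpoint. The resource and key names are constructed placeholders; mapping the bare speech.googleapis.com endpoint to the KMS "global" location is an assumption.

```python
"""Model of the CMEK behaviour described above (added example, not Google's code)."""
from dataclasses import dataclass, field
import re

GOOGLE_DEFAULT = "google-default"  # Google default encryption, i.e. no CMEK
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<loc>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")
ENDPOINT_SUFFIX = "speech.googleapis.com"


def kms_key_location(key_name: str) -> str:
    """Return the location component of a Cloud KMS cryptoKey resource name."""
    m = KMS_KEY_RE.match(key_name)
    if not m:
        raise ValueError(f"not a Cloud KMS cryptoKey name: {key_name}")
    return m.group("loc")


def key_matches_endpoint(key_name: str, endpoint: str) -> bool:
    """The key's location must match the Speech-to-Text endpoint it is used with.
    Regional endpoints look like us-central1-speech.googleapis.com; the bare
    endpoint is treated as the KMS 'global' location (assumption)."""
    if not endpoint.endswith(ENDPOINT_SUFFIX):
        raise ValueError(f"not a Speech-to-Text endpoint: {endpoint}")
    endpoint_loc = endpoint[: -len(ENDPOINT_SUFFIX)].rstrip("-") or "global"
    return kms_key_location(key_name) == endpoint_loc


@dataclass
class CmekStore:
    """Tracks the key protecting each resource under the rules on this page."""
    active_key: str = GOOGLE_DEFAULT                # key currently set via the API
    resources: dict = field(default_factory=dict)   # resource name -> protecting key

    def set_key(self, key_name: str) -> None:
        self.active_key = key_name      # affects only new resources and later updates

    def remove_key(self) -> None:
        self.active_key = GOOGLE_DEFAULT  # new resources get Google default encryption

    def create(self, name: str) -> None:
        self.resources[name] = self.active_key

    def update(self, name: str) -> None:
        # Any Update* call re-encrypts the resource with the current setting.
        self.resources[name] = self.active_key

    def resources_on_key(self, key_name: str) -> list:
        """Resources still protected by key_name. Check this before disabling or
        destroying that key version: data under it becomes unreadable otherwise."""
        return sorted(n for n, k in self.resources.items() if k == key_name)
```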

CMEK-supported resources

The following are current Speech-to-Text resources covered by CMEK:

Each resource is listed with the material that CMEK encrypts.

Recognizer
  • The language code in the recognition configuration.
  • Inline and reference adaptation resources.

PhraseSet
  • Phrases in the phrase set.

CustomClass
  • Class items in the custom class.

Operation
  • The original request that spawned the operation.
  • The response from the method that spawned the operation.

Batch recognition artifacts
  • Adaptation resources used during transcription.
  • The accumulated transcript results.
  • Audio artifacts required for transcription.