01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar (must match the project where you plan to deploy your Dialogflow CX agent).
03 To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:
- Navigate to the Key Management console available at https://console.cloud.google.com/security/kms.
- Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
- A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select Region from the Location type list, then choose the appropriate key location from the Region dropdown list (must match the region where you plan to deploy your Dialogflow CX agent). Choose CREATE to deploy the new key ring.
- On the Create key setup page, provide the following information:
  - For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
  - For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
  - For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
  - For Versions, configure the key rotation period as necessary. Choose CONTINUE.
  - For Additional settings (optional), set how long the key remains in the Scheduled for destruction (i.e., soft-deleted) state before it is removed from the system. Choose ADD LABEL and use the Key and Value text fields to create labels that help you organize and identify the new key.
- Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).
04 On the Keys listing page, choose the newly created Cloud KMS key, select the Actions button (i.e., 3-dot icon), and choose Copy resource name to copy the full ID of the new KMS key.
05 Navigate to the CCAI (Contact Center AI) console available at https://ccai.cloud.google.com/.
06 Select the Google Cloud Platform (GCP) project that you want to examine from the Project dropdown menu available in the console top navigation bar.
07 Choose the CMEK tab and perform the following actions:
- Choose Check or create service account next to the message "Before adding CMEK keys, you need to create a CCAI CMEK service account." This will create the required service account. Ensure that the new service account has the Cloud KMS CryptoKey Encrypter/Decrypter role.
- Choose + (plus icon) next to the Google Cloud region where you plan to deploy your Dialogflow CX agent, paste the KMS key ID copied in step no. 4, and select OK (i.e., check icon) to apply the changes.
08 Navigate to the Conversational Agents (Dialogflow CX) console available at https://conversational-agents.cloud.google.com/.
09 Select the Google Cloud Platform (GCP) project that you want to access from the Project dropdown menu available in the console top navigation bar.
10 In the Agents section, choose Create agent, and perform the following operations to create a new CMEK-encrypted Dialogflow CX agent:
- For Get started with Conversational Agents, choose Build your own to create your own agent.
- For Display name, provide a unique name for your agent.
- For Location, choose the region where you want to deploy your Dialogflow CX agent. Once the correct region is selected, the console should display the following message: "This region is using CMEK."
- For Time zone, select the appropriate time zone. Date and time requests are resolved using the time zone selected in this step.
- For Default language, choose the language the agent uses.
- For Conversation start, choose how your agent starts each conversation.
- Choose Create to deploy your new CMEK-encrypted Dialogflow CX agent.
11 Repeat step no. 10 for each Conversational Agents (Dialogflow CX) agent that you want to deploy for the selected GCP project.
12 Repeat steps no. 2 – 11 for each GCP project deployed in your Google Cloud account.
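The project and region constraints in steps 2, 3 and 7 can be checked before pasting the key into the CCAI console. The following script is an added example, not part of the original procedure: it validates the resource name copied in step 4 against the agent's project and region, and prints the gcloud commands that correspond to the key ring, key and role setup. All names are constructed sample values, and the service account email is a placeholder you supply.

```shell
#!/bin/sh
# Added example. Every project, region, key ring and key name is a constructed sample.

# check_cmek_key KEY_RESOURCE_NAME AGENT_PROJECT AGENT_REGION
# Exit status 0 if the name copied in step 4 is a key (not a key version) in the
# agent's project and region; 1 otherwise, with the reason on stderr.
# The body runs in a subshell "( ... )" so the IFS and "set --" changes stay local.
check_cmek_key() (
  name=$1 project=$2 region=$3
  case $name in
    */ | *//*) echo "malformed resource name: $name" >&2; exit 1 ;;
  esac
  IFS=/; set -f; set -- $name   # split the name on "/" into $1..$N
  if [ $# -ne 8 ] || [ "$1" != projects ] || [ "$3" != locations ] ||
     [ "$5" != keyRings ] || [ "$7" != cryptoKeys ]; then
    echo "not a Cloud KMS key resource name: $name" >&2; exit 1
  fi
  if [ "$2" != "$project" ]; then
    echo "key project '$2' is not the agent project '$project'" >&2; exit 1
  fi
  if [ "$4" != "$region" ]; then
    echo "key location '$4' is not the agent region '$region'" >&2; exit 1
  fi
)

# print_cli_equivalent PROJECT REGION KEY_RING KEY SERVICE_ACCOUNT_EMAIL
# Prints, without running them, the gcloud commands for the key ring, the key and
# the role grant. SERVICE_ACCOUNT_EMAIL is a placeholder for the CCAI CMEK service
# account created in step 7; take the real address from your project's IAM page.
print_cli_equivalent() {
  cat <<EOF
gcloud kms keyrings create $3 --location=$2 --project=$1
gcloud kms keys create $4 --keyring=$3 --location=$2 --project=$1 --purpose=encryption
gcloud kms keys add-iam-policy-binding $4 --keyring=$3 --location=$2 --project=$1 \\
  --member=serviceAccount:$5 --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
EOF
}

# Constructed sample run.
KEY='projects/example-project/locations/us-central1/keyRings/dfcx-ring/cryptoKeys/dfcx-key'
check_cmek_key "$KEY" example-project us-central1 &&
  echo "key matches the agent project and region"
```

A key whose location differs from the agent's region fails the check, which is the case where the Create agent page would not show the CMEK message from step 10.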