End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life on “July 31st, 2026”. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Use Customer-Managed Encryption Keys for Dialogflow CX Agents

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Conversational Agents (Dialogflow CX) agent data-at-rest is encrypted with a Customer-Managed Encryption Key (CMEK) instead of a Google-managed encryption key. When you enable encryption with CMEK for Dialogflow CX in your Google Cloud Platform (GCP) project, all Dialogflow agent data-at-rest is fully encrypted with the CMEK. Customer-Managed Encryption Keys provide greater control over the encryption and decryption process, helping you meet stringent compliance requirements.

Security

By default, Google Cloud Platform (GCP) encrypts all data using Google-managed encryption keys. This type of encryption is handled by GCP without any additional effort from you or your application. However, if you prefer to have full control over data encryption, you can use your own Customer-Managed Encryption Key (CMEK). To create and manage your own CMEKs, utilize Cloud Key Management Service (Cloud KMS). Cloud KMS offers secure and efficient encryption key management, including controlled key rotation and revocation mechanisms.


Audit

To determine if your Dialogflow CX agent data is protected with Customer-Managed Encryption Keys (CMEKs), perform the following operations:

Checking Dialogflow CX agents for encryption with Customer-Managed Encryption Key (CMEK) using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Navigate to Conversational Agents (Dialogflow CX) console available at https://conversational-agents.cloud.google.com/.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the Project dropdown menu available in the console top navigation bar.

04 In the Agents section, choose the Dialogflow CX agent that you want to examine and check the configuration value listed in the Using CMEK column to determine the type of the encryption key used by the selected agent. If the value listed in the Using CMEK column is No, the data managed by the selected Dialogflow CX agent is not encrypted using a Cloud KMS Customer-Managed Encryption Key (CMEK).

05 Repeat step no. 4 for each Conversational Agents (Dialogflow CX) agent available within the selected GCP project.

06 Repeat steps no. 3 and 4 for each GCP project deployed within your Google Cloud account.

Remediation / Resolution

Encryption with Customer-Managed Encryption Keys (CMEKs) is only available during agent creation. To enable encryption with CMEK for your new Dialogflow CX agents, perform the following operations:

Enabling encryption with Customer-Managed Encryption Key (CMEK) for Dialogflow CX agents using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar (must match the project where you plan to deploy your Dialogflow CX agent).

03 To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:

  1. Navigate to Key management console available at https://console.cloud.google.com/security/kms.
  2. Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
  3. A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select Region from the Location type list, then choose the appropriate key location from the Region dropdown list (must match the region where you plan to deploy your Dialogflow CX agent). Choose CREATE to deploy the new key ring.
  4. On the Create key setup page, provide the following information:
    1. For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
    2. For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
    3. For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
    4. For Versions, configure the key rotation period as necessary. Choose CONTINUE.
    5. For Additional settings (optional), set how long the key remains in the scheduled for destruction (i.e., soft-deleted) state before it is permanently removed from the system. Choose ADD LABEL and use the Key and Value text fields to create labels that help you organize and identify the new key.
    6. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

04 On the Keys listing page, choose the newly created Cloud KMS key, select the Actions button (i.e., 3-dot icon), and choose Copy resource name to copy the full ID of the new KMS key.

05 Navigate to CCAI (Contact Center AI) console available at https://ccai.cloud.google.com/.

06 Select the Google Cloud Platform (GCP) project that you want to examine from the Project dropdown menu available in the console top navigation bar.

07 Choose the CMEK tab and perform the following actions:

  1. Choose Check or create service account next to the message Before adding CMEK keys, you need to create a CCAI CMEK service account. This creates the required service account. Ensure that the new service account has the Cloud KMS CryptoKey Encrypter/Decrypter role.
  2. Choose + (plus icon) next to the Google Cloud region where you plan to deploy your Dialogflow CX agent, paste the KMS key ID copied in step no. 4, and select OK (i.e., check icon) to apply the changes.

08 Navigate to Conversational Agents (Dialogflow CX) console available at https://conversational-agents.cloud.google.com/.

09 Select the Google Cloud Platform (GCP) project that you want to access from the Project dropdown menu available in the console top navigation bar.

10 In the Agents section, choose Create agent, and perform the following operations to create a new CMEK-encrypted Dialogflow CX agent:

  1. For Get started with Conversational Agents, choose Build your own to create your own agent.
  2. For Display name, provide a unique name for your agent.
  3. For Location, choose the region in which to deploy your Dialogflow CX agent. Once the correct region is selected, the Console should display the following message: This region is using CMEK.
  4. For Time zone, select the appropriate time zone. Date and time requests are resolved using the time zone selected in this step.
  5. For Default language, choose the language the agent uses.
  6. For Conversation start, choose how your agent starts each conversation.
  7. Choose Create to deploy your new CMEK-encrypted Dialogflow CX agent.

11 Repeat step no. 10 for each Conversational Agents (Dialogflow CX) agent that you want to deploy for the selected GCP project.

12 Repeat steps no. 2 – 11 for each GCP project deployed in your Google Cloud account.
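As an added example (not part of this page and not Google's own tooling), the Cloud KMS portion of the procedure above (steps 3, 4 and 7.1) as gcloud commands; the project, region, key ring, key and CCAI CMEK service account e-mail are placeholders. The page's note still applies: attaching the key to the region (step 7.2) and creating the agent (step 10) remain console-only.

```shell
#!/usr/bin/env bash
# Added example, not Trend Micro's or Google's code: the Cloud KMS part of the
# remediation (steps 3, 4 and 7.1) as gcloud commands. Each *_cmd function
# returns its command as a string for review; run_all executes them only when
# DRY_RUN=0. Project, region, key ring, key and service account are placeholders.
set -eu
PROJECT_ID="my-gcp-project"
LOCATION="us-central1"                  # must match the agent's region (step 3.3)
KEYRING="dialogflow-cmek-ring"
KEY="dialogflow-cx-agent-key"
# Placeholder: the CCAI CMEK service account is created in step 7.1; the page does
# not give its e-mail, so replace this with the account shown in the CCAI console.
CCAI_SA="ccai-cmek-sa@PLACEHOLDER.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# Steps 3.2 and 3.3: a regional key ring.
keyring_create_cmd() {
  printf 'gcloud kms keyrings create %s --project=%s --location=%s' \
    "$KEYRING" "$PROJECT_ID" "$LOCATION"
}
# Step 3.4: symmetric encrypt/decrypt key with HSM protection, 90-day rotation
# and a 30-day scheduled-for-destruction window (example values; +p90d is a
# gcloud relative datetime meaning "90 days from now").
key_create_cmd() {
  printf 'gcloud kms keys create %s --project=%s --location=%s --keyring=%s' \
    "$KEY" "$PROJECT_ID" "$LOCATION" "$KEYRING"
  printf ' --purpose=encryption --protection-level=hsm'
  printf ' --rotation-period=90d --next-rotation-time=+p90d'
  printf ' --destroy-scheduled-duration=30d --labels=workload=dialogflow-cx'
}
# Step 4: the full resource name that is pasted into the CCAI CMEK tab (step 7.2).
key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' \
    "$PROJECT_ID" "$LOCATION" "$KEYRING" "$KEY"
}
# Step 7.1: grant Encrypter/Decrypter on this single key only (least privilege),
# rather than a project-wide role.
grant_sa_cmd() {
  printf 'gcloud kms keys add-iam-policy-binding %s --project=%s --location=%s --keyring=%s' \
    "$KEY" "$PROJECT_ID" "$LOCATION" "$KEYRING"
  printf ' --member=serviceAccount:%s --role=roles/cloudkms.cryptoKeyEncrypterDecrypter' "$CCAI_SA"
}
run_all() {   # eval is safe here: every substituted value is a fixed identifier
  for c in "$(keyring_create_cmd)" "$(key_create_cmd)" "$(grant_sa_cmd)"; do
    echo "$c"; if [ "$DRY_RUN" = "0" ]; then eval "$c"; fi
  done
  echo "Paste into CCAI CMEK tab: $(key_resource_name)"
}
run_all
```

Run it once as-is to review the commands, then with DRY_RUN=0 after the CCAI CMEK service account from step 7.1 exists and its e-mail has replaced the placeholder.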

Publication date Jul 28, 2025