Vertex AI Dataset Encryption with Customer-Managed Encryption Keys

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Vertex AI console available at https://console.cloud.google.com/vertex-ai.

04 In the main navigation panel, under DATA, choose Datasets, and select YOUR DATASETS tab to access the AI datasets created for the selected project.

05 Click on the name (link) of the Vertex AI dataset that you want to examine.

06 Select the ANALYZE tab and check the Encryption type attribute value, listed under Properties, to determine the type of the encryption key used by the selected dataset. If Encryption type is set to Google-managed, the data managed by the selected Vertex AI dataset is not encrypted with a Customer-Managed Encryption Key (CMEK).

07 Repeat steps no. 5 and 6 for each Vertex AI dataset created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 To create and configure your new Cloud KMS Customer-Managed Encryption Key (CMEK), perform the following actions:

1. Navigate to Key Management Service (KMS) console available at https://console.cloud.google.com/security/kms.
2. Before you can set up and manage any Customer-Managed Encryption Keys (CMEKs), you must create a key ring. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. Choose + CREATE KEY RING from the top menu to set up the required key ring and the new Customer-Managed Encryption Key (CMEK).
3. A key ring requires a name and location. On the Create key ring page, provide a unique name in the Key ring name box, select the appropriate Location type, then choose a location for the key ring from the Region/Multi-region dropdown list. If the CMEKs created later within the key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location. Choose CREATE to deploy the new key ring.
4. On the Create key setup page, provide a name for your new key in the Key name box, choose the protection level that you want to use, choose Generated key for Key material, select Symmetric encrypt/decrypt from the Purpose dropdown list to define the types of operations that your cryptographic key can perform, configure the key rotation parameters and labels. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

04 Once the new CMEK is available, navigate to Vertex AI console at https://console.cloud.google.com/vertex-ai.

05 In the main navigation panel, under DATA, select Datasets, choose CREATE, and perform the following actions to create a new dataset:

1. For Dataset name, provide a unique name for your new Vertex AI dataset.
2. For Select a data type and objective, choose the type of data your dataset will contain and select an objective, which is the outcome that you want to achieve with the specified trained model.
3. For Region, select the GCP location where the new dataset will be deployed.
4. Choose ADVANCED OPTIONS to display the encryption configuration settings available for the new dataset. For Encryption, choose Cloud KMS key, and select the Cloud KMS Customer-Managed Encryption Key (CMEK) created at step no. 3. Inside The service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key box, choose GRANT to grant the specified service account the required IAM role on the selected CMEK.
5. Choose CREATE to create your new Google Cloud Vertex AI dataset.

06 Repeat step no. 5 for each Vertex AI dataset that you want to re-create, available for the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed within your Google Cloud account.