This is legacy documentation, and may not be complete. To see the latest documentation, if you are a marketer, refer to the Marketers site. If you are a measurement partner, refer to the Measurement Partners site.
Customer managed encryption keys (CMEK) allow you to control the encryption keys used to protect your Google Cloud data at rest. This article explains how to set up and manage CMEK in Ads Data Hub.
Ads Data Hub encrypts data at rest using Google managed keys. Unless you have specific requirements necessitating the usage of CMEK, Google’s default encryption is your best choice.
In order to use CMEK, you must:
- Use Cloud Key Management Service (KMS).
- Have previously configured an admin project and updated to the new service account.
Learn more about CMEK: https://cloud.google.com/kms/docs/cmek
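Enable CMEK
1. On the Cloud KMS page, create a symmetric key (https://cloud.google.com/kms/docs/creating-keys).
   1. You can create the key in any Google Cloud project.
   2. Ensure that you create your key under a compatible Cloud KMS location. Per Cloud KMS guidelines, using the “global” region is not advised due to potential performance limitations. If you can’t remember your region, contact Ads Data Hub support.

| ADH region           | Cloud KMS locations   |
|----------------------|-----------------------|
| US                   | US                    |
| EU                   | europe                |
| asia-northeast1      | asia, asia-northeast1 |
| australia-southeast1 | australia-southeast1  |

2. On the Cloud Identity and Access Management (IAM) page, grant the Ads Data Hub service account the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypter). Alternatively, grant the Ads Data Hub service account access directly on the key on the Cloud KMS page.
3. In the Ads Data Hub UI:
   1. Navigate to the Settings tab.
   2. Under "Customer-managed encryption", click Edit.
   3. Toggle "Customer-managed encryption" to "on".
   4. Paste the key resource ID. Note: this must be the entire resource ID for the key, not a specific version. Learn how to get a Cloud KMS resource ID: https://cloud.google.com/kms/docs/getting-resource-ids
   5. Click Save.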
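A pre-flight check for the key resource ID before it goes into the Ads Data Hub settings, added here as an example (it is not Google's code). It checks that the ID names a key rather than a key version and that its location is compatible with the ADH region per the table on this page; the function name and the sample project, key ring and key names are assumptions.

```python
import re

# ADH region -> compatible Cloud KMS locations, from the table on this page
# (compared case-insensitively; Cloud KMS location IDs are lowercase).
COMPATIBLE_LOCATIONS = {
    "US": {"us"},
    "EU": {"europe"},
    "asia-northeast1": {"asia", "asia-northeast1"},
    "australia-southeast1": {"australia-southeast1"},
}

# Cloud KMS key resource ID, with an optional trailing key-version segment.
KEY_RE = re.compile(
    r"projects/(?P<project>[^/\s]+)/locations/(?P<location>[^/\s]+)"
    r"/keyRings/(?P<ring>[^/\s]+)/cryptoKeys/(?P<key>[^/\s]+)"
    r"(?P<version>/cryptoKeyVersions/[^/\s]+)?"
)


def check_key_resource_id(resource_id, adh_region):
    """Return a list of problems; an empty list means the ID can be pasted."""
    match = KEY_RE.fullmatch(resource_id.strip())
    if match is None:
        return ["not a Cloud KMS key resource ID"]
    problems = []
    if match.group("version"):
        problems.append("this is a key version; use the key's own resource ID")
    location = match.group("location").lower()
    allowed = COMPATIBLE_LOCATIONS.get(adh_region)
    if allowed is None:
        problems.append(f"unknown ADH region {adh_region!r}")
    elif location == "global":
        problems.append("'global' is not advised and is not in the table")
    elif location not in allowed:
        problems.append(
            f"location {location!r} does not match ADH region {adh_region!r}; "
            f"use one of {sorted(allowed)}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample IDs; project, key ring and key names are placeholders.
    base = "projects/example-project/locations/{}/keyRings/adh/cryptoKeys/adh-cmek"
    for rid, region in [
        (base.format("europe"), "EU"),
        (base.format("europe") + "/cryptoKeyVersions/3", "EU"),
        (base.format("global"), "US"),
    ]:
        print(region, rid, check_key_resource_id(rid, region) or "OK")
```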
Manage keys
Rotate a key
Rotating keys is a common security practice. Find instructions on how to rotate keys in the Cloud KMS documentation: https://cloud.google.com/kms/docs/rotating-keys
Ads Data Hub doesn't automatically rotate the encryption key when the Cloud KMS key associated with the account rotates. Existing tables continue to use the key version with which they were created. New tables use the current key version.
Change keys
You can change to a new key instead of rotating an existing key. This is useful when you need to destroy a key or make significant changes to your key management, such as changing to a different protection level.
To switch to a new key, follow the instructions under Enable CMEK. Caution: modifying or destroying the previous key before the update completes may result in permanent loss of data.
Revoke permissions, disable, or destroy a key
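Follow instructions in the Google Cloud documentation for the following actions:
- Revoke the Ads Data Hub service account's permissions (https://cloud.google.com/iam/docs/granting-changing-revoking-access#revoking-console).
  - This action takes effect immediately. You won’t be able to run queries in Ads Data Hub until you resolve the issue, and your temp tables and models may suffer unrecoverable data loss.
- Disable a key (https://cloud.google.com/kms/docs/enable-disable).
  - This action may take up to 3 hours to appear in Ads Data Hub. Until then, you can continue to run queries using the disabled key in Ads Data Hub.
- Destroy a key (https://cloud.google.com/kms/docs/destroy-restore).
  - Important: Disable CMEK before destroying your key. If you don’t, you won’t be able to run queries in Ads Data Hub until you resolve the issue, and your temp tables and models may suffer unrecoverable data loss.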
Disable CMEK
It’s important that you disable CMEK prior to deleting active keys. Otherwise, you will lose access to data that was encrypted using your deleted keys.
To disable CMEK:
1. Navigate to the Settings tab in Ads Data Hub.
2. Under "Customer-managed encryption", click Edit.
3. Toggle "Customer-managed encryption" to "off".
4. Click Save.
Last updated 2024-09-18 UTC.