---
title: "Set up data encryption"
slug: "set-up-for-data-encryption"
updated: 2026-02-18T15:20:05Z
published: 2026-02-18T15:20:05Z
---

# Set up data encryption

You can use cryptographic keys stored and managed in your AWS Key Management Service (KMS) to encrypt your organization's data stored in Gong.

For Gong to use the external KMS keys, the following is needed:

- The KMS key should have a key policy that allows a Gong-owned principal (specifically, an IAM role) to use the key with a set of predefined permissions, for example, Encrypt or Decrypt.
- The principal should have an attached policy to use the KMS key with appropriate permissions.

This article explains how to set up the KMS in your AWS account.

## **Required permissions**

This table explains the permissions we need for your key and why:

| Permission | Why we need the permission |
| --- | --- |
| `Decrypt`, `Encrypt`, `GenerateDataKey` | To enable Gong to store encrypted files for your organization. |
| `DescribeKey` | To enable Gong to verify that the key is a symmetric key that meets requirements. |
| `ListGrants` | To enable Gong to list existing grants for the CMK. |
| `CreateGrant` | To enable Gong to delegate permissions dynamically from the ExternalCmkAccessGranter principal to the various services in Gong that store and read encrypted data. |
| `RevokeGrant`, `RetireGrant` | To enable Gong to remove the created grant: retire it in regular cases, and revoke it if some services are forcefully shut down. |

## **Create and configure your CMK**

1. If your Gong data center is located in the USA, make sure your AWS region is **us-east-1**. If your Gong data center is located in Europe, make sure your AWS region is **eu-west-1**.
2. In AWS KMS, create a symmetric encryption key.

![CMK_config](https://cdn.us.document360.io/2837c190-3ec8-4120-9116-6d427e774667/Images/Documentation/24883313484173.png)
3. Paste the following to add a policy that enables access from the Gong AWS account. For the US data center, the Gong account number is 655275192472. For the European data center, the Gong account number is 851725374967.

```plaintext
{
    "Sid": "Allow Gong.io to use this CMK",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<Gong account number>:role/ExternalCmkAccessGranter"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:RevokeGrant",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:RetireGrant",
        "kms:CreateGrant",
        "kms:ListGrants"
    ],
    "Resource": "*"
}
```

The screenshot below is an example of the policy snippet for the US data center:

![CMK_edit](https://cdn.us.document360.io/2837c190-3ec8-4120-9116-6d427e774667/Images/Documentation/24883296689677.png)

After the key is created, make a note of its ARN, for example:

**arn:aws:kms::1234567890:key/12345678-90ab-cdef-1234-123456789ab**
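One way to check the finished key policy before you enter the ARN in Gong, as an added example that is not Gong's or AWS's own code: it reads a key policy JSON document (for instance, the output of `aws kms get-key-policy`) and reports a wrong Gong account for the region, missing or extra actions on the Gong role, and unconditioned wildcard principals. The function names, the sample policy, and the customer account `111122223333` are assumptions made for illustration.

```python
import json

# From the article: Gong account per data-center region, and the eight required actions.
GONG_ACCOUNTS = {"us-east-1": "655275192472", "eu-west-1": "851725374967"}
REQUIRED = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey",
            "kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant", "kms:RetireGrant"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy_json, region):
    """Return findings for the Gong statement; an empty list means it matches the article."""
    if region not in GONG_ACCOUNTS:
        return [f"{region} is not a region the article lists"]
    expected = f"arn:aws:iam::{GONG_ACCOUNTS[region]}:role/ExternalCmkAccessGranter"
    findings, granted = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        actions = set(_as_list(stmt.get("Action", [])))
        for arn in arns:
            if arn == expected:
                granted |= actions
                if actions - REQUIRED:
                    findings.append(f"Gong role granted extra actions: {sorted(actions - REQUIRED)}")
            elif arn.endswith(":role/ExternalCmkAccessGranter"):
                findings.append(f"unexpected Gong account for {region}: {arn}")
            elif arn == "*" and "Condition" not in stmt:
                findings.append("unconditioned Allow for any principal")
    missing = REQUIRED - granted
    if missing and "kms:*" not in granted:
        findings.append(f"missing actions for Gong role: {sorted(missing)}")
    return findings

# Constructed sample: a default account-root statement plus the article's Gong statement
# (account 111122223333 is a placeholder for the customer account).
def sample_policy(gong_account, actions):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Gong.io to use this CMK", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{gong_account}:role/ExternalCmkAccessGranter"},
         "Action": sorted(actions), "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_key_policy(sample_policy("655275192472", REQUIRED), "us-east-1"))
    print(audit_key_policy(sample_policy("655275192472", REQUIRED), "eu-west-1"))
```

An empty list means the Gong statement grants exactly the eight actions to the role in the account that matches your data-center region.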

## Encrypt your data

Gong uses this key to encrypt all new S3 files stored in your organization’s Gong account. Existing files will not be re-encrypted.

> [!TIP]
> Important:
> 
> Make sure that you don't delete the key from your KMS. If the key is deleted, all data encrypted in Gong with this key is irreversibly invalidated.

1. Go to **Admin center > Settings** > **Data capture** > **Data Protection & Privacy**, and scroll down to **Encrypt data using your key**.
2. In the KEY AMAZON RESOURCE NAME (ARN) TO ENCRYPT S3 FILES box, click **Edit** and enter your key. This encrypts new S3 files stored in your Gong account.
3. In the KEY AMAZON RESOURCE NAME (ARN) TO ENCRYPT TRANSCRIPTS box, click **Edit** and enter your key. This encrypts new transcriptions stored in your Gong account.
4. Click **Save**.
