{"id":"cmek-customer-owns-keys-envelope-encryption","text":"CMEK uses server-side, symmetric, envelope encryption with customer-controlled 256-bit AES-GCM keys; key material never leaves the Cloud KMS system boundary.","truth_value":"IN","source":"entries/2026/03/11/kms-cmek.md","source_url":"","source_hash":"a934d829cc4a501b","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"cmek-customer-owns-keys-envelope-encryption","truth_value":"IN","reason":"premise"}]}}