To set up your encryption environment for confidential matching in Google Ads Data Manager, follow these steps:

1. Create key resources:

   • Create a key ring using the command:

     gcloud kms keyrings create KEY_RING --location LOCATION
     

   • Create a key within the key ring:

     gcloud kms keys create KEY_NAME --keyring KEY_RING --location LOCATION \
     --purpose PURPOSE --rotation-period ROTATION_PERIOD \
     --next-rotation-time NEXT_ROTATION_TIME
     

2. Create workload identity pool resources:

   • Create the Workload Identity Pool (WIP):

     gcloud iam workload-identity-pools create ID --location=LOCATION --display-name=DISPLAY_NAME --description=DESCRIPTION
     

   • Create the workload identity pool provider:

     gcloud iam workload-identity-pools providers create-oidc ID \
     --location=LOCATION --workload-identity-pool=WIP_ID \
     --display-name=DISPLAY_NAME --description=DESCRIPTION \
     --attribute-mapping="google.subject=assertion.sub,google.groups=[\"ID\"]" \
     --attribute-condition=ATTRIBUTE_CONDITION \
     --issuer-uri="https://confidentialcomputing.googleapis.com" \
     --allowed-audiences="https://sts.googleapis.com"
     

3. Configure key decrypter permission:

   • Use the WIP to configure key decrypter permission:

     gcloud kms keys add-iam-policy-binding KEY --keyring KEY_RING --location LOCATION --member MEMBER --role "roles/cloudkms.cryptoKeyDecrypter"
     

4. Optional: Enable audit logs:

   • Follow the instructions in the Google Cloud documentation to enable audit logs for IAM API, Cloud KMS API, and Security Token Service API.

5. Get WIP provider name:

   • Get the WIP provider name:

     gcloud iam workload-identity-pools providers describe PROVIDER_ID --workload-identity-pool=POOL_ID --location=LOCATION --format='value(name)'
     

   • Enter the WIP provider name during connection setup in Data Manager.

To encrypt data for use with confidential matching in Google Ads Data Manager, follow these steps:

1. Format PII fields:

   • Ensure that personally identifiable information (PII) fields such as email, phone, first name, last name, country code, and zip code are properly formatted.

2. Hash the PII fields:

   • Use the SHA-256 hash function to hash the PII fields.

3. Encode the hashed fields:

   • Encode the hashed fields as Base64.

4. Encrypt the Base64-encoded hashed strings:

   • Use the XChaCha20Poly1305 Data Encryption Key (DEK) to encrypt the Base64-encoded hashed strings.

5. Encode once more as Base64:

   • Encode the encrypted strings again as Base64.

You can use any method and programming language to meet these requirements. For reference, a Java example is provided in the Google Cloud documentation. The example application takes a CSV file as input and produces a formatted and encrypted CSV file suitable for use with Data Manager’s file-based connectors such as Google Cloud Storage, SFTP, and HTTPS.

To use your encrypted data with Google Ads Data Manager, follow these steps:

1. Upload the encrypted data:

   • Upload the encrypted data to a supported file-based data source such as Google Cloud Storage or SFTP.

2. Connect to the data source:

   • Use Data Manager to connect to the data source.
   • On the Select data screen, choose the encrypted file that you uploaded.

3. Expand Encryption keys:

   • Select “This data set contains encrypted data”.
   • Enter the WIP provider name, then click Continue.

4. Map fields:

   • On the Map fields screen, map the two new fields: encrypted_dek and kek_uri.

For more detailed instructions, refer to the Google Cloud documentation on connecting to a data source and mapping fields.