Encrypt Confluent Cloud Kafka Clusters using Self-Managed Keys

You can encrypt data at rest in Dedicated Kafka clusters with self-managed keys to ensure only the appropriate entity or user can decrypt it. This provides a greater degree of privacy and data integrity, which is frequently required by government, health, finance, and many other industries. Confluent Cloud data resides in clusters that you can deploy across multiple components, and each must support privacy and data confidentiality. By default, all Confluent Cloud clusters (Basic, Standard, and Dedicated) in AWS or Google Cloud automatically create, manage, and use the encryption key for your Confluent Cloud cluster. When you create a Dedicated Kafka cluster, you can optionally choose to self-manage the encryption key. This is also known as bring-your-own-key (BYOK) encryption. This option may be preferable for users who want to use their own key to encrypt data at rest, or who need the option to disable Confluent’s access to data at any time.


Self-managed encryption keys are only available for the Dedicated cluster type with Amazon Web Services, Azure, and Google Cloud as providers.

Confluent Cloud supports using self-managed encryption keys on the following cloud service providers: