Best Practices for Using Self-Managed Encryption Keys

Do not reuse encryption keys

By using a unique encryption key for each active Kafka cluster, you minimize the security risks if an encryption key is compromised.

Confluent enforces using unique encryption keys for each active cluster. This requirement, based on security best practices, helps minimize the risk associated with a compromised key. A unique key for each cluster provides the following benefits:

  • Isolation of potential data breaches to one cluster.
  • Granular control of access to the cluster, ensuring that only authorized users and applications access the cluster and data.
  • Easier to track and audit key usage for the cluster.

Rotate encryption keys on a regular basis

Rotate the encryption keys for each cluster on a regular basis. This practice helps limit the amount of data that can be decrypted if a key is compromised. By frequently rotating keys, you reduce the amount of data that can be decrypted with a compromised key. Many regulatory compliance standards require key rotation on a regular basis.