Encrypt Confluent Cloud clusters using self-managed keys
You can encrypt data at rest in Dedicated clusters with self-managed keys to ensure only the appropriate entity or user can decrypt it. This provides a greater degree of privacy and data integrity, which is frequently required by government, health, finance, and many other industries.
Confluent Cloud data resides in clusters that you can deploy across multiple components, and each must support privacy and data confidentiality. By default, all Confluent Cloud clusters (Basic, Standard, and Dedicated) in AWS or GCP automatically create, manage, and use the encryption key for your Confluent Cloud cluster. If you create a Dedicated cluster, you can optionally choose to self-manage the encryption key. This is also known as BYOK (bring your own key) encryption. This option may be preferable for users who want to use their own key to encrypt data at rest, or who need the option to disable Confluent’s access to data at any time.
Self-managed encryption keys are only available for the Dedicated cluster type with Amazon Web Services or Google Cloud Platform as providers.
Confluent Cloud supports using self-managed encryption keys on the following cloud service providers:
- Amazon Web Services: See Encrypt Confluent Cloud clusters using self-managed keys – Amazon Web Services.
- Google Cloud Platform: See Encrypt Confluent Cloud clusters using self-managed keys – Google Cloud Platform.