Customer Managed Encryption Keys

Private Preview: Contact Rockset support to enable this feature.

Rockset encrypts customer data at rest with Rockset managed keys. To increase the level of control that customers have over their collection data, Rockset also allows customers to provide their own AWS Key Management Service (KMS) key for encryption at rest.

During Private Preview Rockset requires creating the organization with the customer key, which cannot be added after the organization was created. Please contact us to provide the AWS KMS key ARN you want to use. Data for all collections created on that organization will then be encrypted at rest using the AWS KMS key you provided.

Note: The KMS key ARN provided will remain linked to your Rockset organization permanently; it cannot be unlinked or changed. However, you can optionally enable automatic key rotation on the provided key. Disabling or misconfiguring the key after creating your organization will result in data unavailability and failed queries within minutes in your Rockset organization.

Customers remain in complete control of the key but need to grant the Rockset AWS account permission to encrypt and decrypt data using that key.

AWS KMS customer key configuration

You must create the AWS KMS key in one of your AWS accounts with the following configuration:

  • The key must be created on the same AWS region where the Rockset organization will be created (for example, us-west-2)
  • Key type: Symmetric
  • Key usage: Encrypt and Decrypt
  • Advanced options / Regionality: Select Multi-Region key
  • Permissions:
    • Other AWS accounts / Add another AWS account: Enter Rockset's AWS account ID 318212636800
    • The policy must allow the Principal for the Rockset's AWS account ID to perform the following actions:
      • kms:Encrypt
      • kms:Decrypt
      • kms:GenerateDataKey*
      • kms:DescribeKey

The generated KMS key policy must include a statement equivalent to:

    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::318212636800:root"
    "Action": [
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234"

Adding additional Rockset regions

If you start using a new Rockset region for an organization configured with a customer managed key, we'll attempt to use a replica of the same Multi-Region KMS key for that region. For example, if:

  1. Your organization was created in us-west-2
  2. The Multi-Region key ARN that you provided when creating the organization
    was arn:aws:kms:us-west-2:111122223333:key/mrk-1234
  3. You start using us-east-1 for that organization

We'll configure that new us-east-1 region with the replica key arn:aws:kms:us-east-1:111122223333:key/mrk-1234

Therefore the us-east-1 replica key must be created and configured before attempting to use us-east-1 for your organization. Otherwise, your organization won't be able to operate on us-east-1. The replica must be created with the same permissions configuration previously described, and the Rockset AWS account ID must be permitted to perform the above Actions, resulting in a policy statement that must be equivalent to the one shown above.

Key unavailability scenarios

If you disable any of the replicas of the AWS KMS key linked to your organization, or any Action is missing from the policy statement of the Rockset AWS account Principal:

  • Queries for all collections in that Rockset region will start failing within minutes.
  • Ingestion will halt for those collections.
  • The collections will be paused if the KMS key remains unavailable for several hours.
    Please contact Rockset support if you need to recover any collections after being paused. For some data sources, the collections will be unrecoverable and must be recreated.

Which data is protected

Rockset stores the collection data in AWS S3 after it is ingested. That data will be protected via server-side encryption with KMS (SSE-KMS) with the customer provided key. The customer key isn't used for data in transit or in caches - that information is encrypted with Rockset managed keys. These caches are guaranteed to expire within a few minutes.