Customer Managed Encryption Keys are currently in Private Preview. Contact [Rockset Support](🔗) to enable this feature.

Rockset [encrypts customer data at rest](🔗) with Rockset managed keys. To increase the level of control that customers have over their [<<glossary:Collection>>](🔗) data, Rockset also allows customers to provide their own AWS Key Management Service (KMS) key for encryption at rest.

During Private Preview, Rockset requires creating the organization with the customer key, which **cannot** be added after the organization has been created. Please contact us to provide the **full AWS KMS key ARN** you want to use (alias ARNs are not supported). Data for all collections created in that organization will then be encrypted at rest using the AWS KMS key you provided.

AWS KMS Key Note

The KMS key ARN provided will remain linked to your Rockset organization permanently; it cannot be unlinked or changed. However, you can optionally [enable automatic key rotation](🔗) on the provided key. Disabling or misconfiguring the key after creating your organization will [result in data unavailability and failed queries](🔗) within minutes in your Rockset organization.

Customers remain in complete control of the key but need to grant the Rockset AWS account permission to encrypt and decrypt data using that key.

## AWS KMS customer key configuration

You must [create the AWS KMS key](🔗) in one of your AWS accounts with the following configuration:

  • The key must be created in the same AWS region where the Rockset organization will be created (for example, `us-west-2`)

  • Key type: Symmetric

  • Key usage: Encrypt and Decrypt

  • Advanced options/Regionality: Select [Multi-Region key](🔗)

  • Permissions:

    • Other AWS accounts/Add another AWS account: Enter Rockset's AWS account ID `318212636800`

    • The policy must allow the Principal for Rockset's AWS account ID to perform the following actions:

      • `kms:Encrypt`

      • `kms:Decrypt`

      • `kms:GenerateDataKey*`

      • `kms:DescribeKey`

The generated KMS key policy must include a statement equivalent to:

Note that the `key-id` element of the key Resource ARN has the `mrk-` prefix, as it is a Multi-Region key.
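As an added check, not code from this page or from Rockset, the following Python validates a KMS key policy document against the requirements listed above: an Allow statement for Rockset's account must grant every required Action on a Multi-Region (`mrk-`) key in the expected region, and any missing Action is reported, since that is the misconfiguration that leads to the failures described under Key unavailability scenarios. The two sample policies it checks are constructed for the example and reuse this page's example key ARN.

```python
import copy
import fnmatch
import re

# Values stated on this page: Rockset's AWS account ID and the Actions its principal needs.
ROCKSET_ACCOUNT_ID = "318212636800"
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey")
# Multi-Region key ARN: the key-id element carries the mrk- prefix.
MRK_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):\d{12}:key/mrk-[0-9a-f]+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_rockset(stmt):
    """True if the statement's Principal names the Rockset account (root ARN or bare ID)."""
    principal = stmt.get("Principal", {})
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
    return any(p in (ROCKSET_ACCOUNT_ID, f"arn:aws:iam::{ROCKSET_ACCOUNT_ID}:root") for p in aws)

def check_key_policy(policy, region):
    """Return the problems found; an empty list means the Rockset principal is fully permitted."""
    problems, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_rockset(stmt):
            continue
        for resource in _as_list(stmt.get("Resource", "*")):
            if resource == "*":  # in a key policy, "*" means this key
                continue
            match = MRK_ARN.match(resource)
            if match is None:
                problems.append(f"resource {resource} is not a Multi-Region (mrk-) key ARN")
            elif match.group(1) != region:
                problems.append(f"resource {resource} is not in region {region}")
        granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    for action in REQUIRED_ACTIONS:  # IAM action names are case-insensitive; '*' in a grant is a glob
        if not any(fnmatch.fnmatchcase(action.lower(), g) for g in granted):
            problems.append(f"missing action {action} for account {ROCKSET_ACCOUNT_ID}")
    return problems

# Constructed sample policies (not from the page): a complete Rockset statement on the page's
# example mrk- key ARN, and the same statement with kms:Decrypt removed (queries would fail).
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowRocksetUseOfTheKey", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ROCKSET_ACCOUNT_ID}:root"},
    "Action": list(REQUIRED_ACTIONS),
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234"}]}
BROKEN_POLICY = copy.deepcopy(GOOD_POLICY)
BROKEN_POLICY["Statement"][0]["Action"].remove("kms:Decrypt")
```

Checking `GOOD_POLICY` against `us-east-1` instead of `us-west-2` also reports a region mismatch, which is the replica situation described in the next section.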

## Adding additional Rockset regions

If you start using a new Rockset region for an organization configured with a customer managed key, we'll attempt to use a replica of the same Multi-Region KMS key for that region. For example, if:

  1. Your organization was created in `us-west-2`

  2. The Multi-Region key ARN that you provided when creating the organization was `arn:aws:kms:us-west-2:111122223333:key/mrk-1234`

  3. You start using `us-east-1` for that organization

We'll configure that new `us-east-1` region with the replica key `arn:aws:kms:us-east-1:111122223333:key/mrk-1234`.

Therefore, the `us-east-1` [replica key](🔗) must be created and configured **before** attempting to use `us-east-1` for your organization. Otherwise, your organization won't be able to operate in `us-east-1`. The replica must be created with the same permissions configuration described above: the Rockset AWS account ID must be permitted to perform the same Actions, giving a policy statement equivalent to the one shown above.

## Key unavailability scenarios

If you [disable any of the replicas of the AWS KMS key](🔗) linked to your organization, or any Action is missing from the policy statement of the Rockset AWS account Principal:

  • Queries for all collections in that Rockset region will start failing within minutes.

  • Ingestion will halt for those collections.

  • The collections will be paused if the KMS key remains unavailable for several hours. Please contact Rockset support if you need to recover any collections after they have been paused. For some data sources, the collections will be unrecoverable and must be recreated.

## Which data is protected

Rockset stores the collection data in AWS S3 after it is ingested. That data is protected via [server-side encryption with KMS (SSE-KMS)](🔗) with the customer-provided key. The customer key isn't used for data in transit or in caches - that information is encrypted with Rockset managed keys. These caches are guaranteed to expire within a few minutes.