Customer Managed Encryption Keys
On this page
“Encryption” encompasses the processes and controls used to ensure that data remains inaccessible to unauthorized users and to protect the data transferred between users, client applications, and the computers/services involved.
Encryption keys are created and maintained with a cloud key management service (KMS) using key material owned by the cloud service provider.
A SingleStoreDB Cloud customer can use their own key stored in their cloud key vault to encrypt data at rest.
The benefits of using of customer managed keys for data encryption at rest include:
A customer can maintain the proper set of permissions for SingleStore to access the KMS keys.
Once an existing key is rotated, the new key will be used for data protection.
A customer can also set the automatic key rotation in their key vault (such as with AWS KMS), which will rotate the key every year. This allows a customer to own the data lifecycle and protect their data based on business priorities.
A customer can control/restrict access to their data for SingleStore and the cloud service provider.
In the case of a data breach, a customer can easily revoke access to their data. This approach allows Zero Trust to be achieved with SingleStore. Once key access is revoked, SingleStore will no longer have access to a customer’s data. To resume normal workspace operations, the customer must explicitly grant SingleStore access to their data.
This section provides instructions on how to use customer managed keys with AWS, with instructions for Azure and GCP to be provided at a later date.
In this section
Last modified: June 22, 2022