Version: 8.6

Encryption at rest

Encryption at rest protects stored data by making it unreadable without the appropriate decryption keys.

Overview

By default, Camunda 8 SaaS uses a provider-managed encryption key with Google Cloud Platform (GCP) encryption. Enterprise customers can choose:

  • Camunda-managed software or hardware keys (Google KMS)
  • Bring Your Own Key (BYOK) on AWS for full control

Key points:

  • Encryption type is selected only when creating a cluster
  • Each cluster can have its own key
  • The key applies to all workloads and persists across updates
  • View encryption details in Cluster Details on the Console Overview tab

Note: Backups use default provider GCP encryption.

Encryption types

| Type               | Managed by | Notes                                                                                                  |
|--------------------|------------|--------------------------------------------------------------------------------------------------------|
| Provider (default) | Google     | FIPS 140-2 validated encryption module (certificate 4407)                                              |
| Software key       | Camunda    | Google KMS software protection; operations in software; FIPS 140-2 Level 1; zero downtime rotation     |
| Hardware key       | Camunda    | Google KMS hardware (HSM) protection; FIPS 140-2 Level 3; operations in HSM; zero downtime rotation    |
| BYOK               | Customer   | AWS KMS key; full control over lifecycle, rotation, and revocation; enterprise only                    |

Provider encryption key

The default option, managed by Google. It uses a FIPS 140-2 validated encryption module (certificate 4407).

Info: Learn more about Google default encryption.

Camunda-managed keys

Software key

  • Managed by Camunda using Google KMS
  • FIPS 140-2 Level 1
  • Operations in software
  • Zero downtime rotation

Hardware key

  • Managed by Camunda using Google KMS
  • FIPS 140-2 Level 3
  • Operations in HSM
  • Zero downtime rotation

Bring Your Own Key (BYOK)

Enterprise customers on AWS can use their own AWS KMS key.

  • You manage the key lifecycle, including rotation and revocation
  • Camunda never stores the key; access via standard AWS KMS integrations
  • Zero downtime rotation supported

See the BYOK setup guide for configuration.
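The BYOK points above (you own the lifecycle, Camunda never holds the key, rotation without downtime) come down to how the AWS KMS key and its key policy are set up on your side. The Terraform below is an added example, not Camunda's own setup code or anything from the BYOK setup guide: it creates a customer-managed KMS key with automatic rotation enabled and a key policy that keeps full administration with your account while granting the Camunda-side principal only cryptographic operations. The account ID and the Camunda IAM principal ARN are placeholders; the real principal to trust must be taken from the BYOK setup guide.

```hcl
# Added example (not Camunda's code): a customer-managed AWS KMS key for a
# Camunda 8 SaaS BYOK cluster. All account IDs and the Camunda-side IAM
# principal below are placeholders and must be replaced with the values
# given in the BYOK setup guide.

variable "customer_account_id" {
  description = "Your AWS account ID (placeholder value)"
  type        = string
  default     = "111122223333"
}

variable "camunda_principal_arn" {
  description = "IAM principal Camunda uses to call KMS (placeholder; take the real ARN from the BYOK setup guide)"
  type        = string
  default     = "arn:aws:iam::999999999999:role/CAMUNDA-ROLE-PLACEHOLDER"
}

resource "aws_kms_key" "camunda_byok" {
  description = "Customer-managed key for Camunda 8 SaaS encryption at rest"
  key_usage   = "ENCRYPT_DECRYPT"

  # Automatic rotation: KMS keeps previous key material, so data encrypted
  # under older material stays readable and rotation needs no downtime.
  enable_key_rotation = true

  # Deleting the key is a scheduled, cancellable operation; once it completes
  # all data encrypted under it is unrecoverable, which is the ultimate
  # revocation lever you retain with BYOK.
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "camunda-byok-key-policy"
    Statement = [
      {
        # Your account keeps full administrative control of the key.
        Sid       = "CustomerRetainsFullControl"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.customer_account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Least privilege for the Camunda-side principal: cryptographic use
        # only, no key administration (no ScheduleKeyDeletion, no PutKeyPolicy),
        # and the key material itself never leaves KMS.
        Sid       = "AllowCamundaCryptographicUse"
        Effect    = "Allow"
        Principal = { AWS = var.camunda_principal_arn }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
      },
      {
        # Assumption: AWS services storing data under this key on the cluster's
        # behalf need grants. The condition restricts grant creation to AWS
        # resources rather than arbitrary principals.
        Sid       = "AllowGrantsForAwsResources"
        Effect    = "Allow"
        Principal = { AWS = var.camunda_principal_arn }
        Action    = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
        Resource  = "*"
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } }
      }
    ]
  })

  tags = {
    purpose = "camunda-8-saas-byok"
  }
}

# A stable alias lets you refer to the key without exposing the key ID.
resource "aws_kms_alias" "camunda_byok" {
  name          = "alias/camunda-byok"
  target_key_id = aws_kms_key.camunda_byok.key_id
}
```

Because the policy lives in your account, revocation is entirely in your hands: removing the two Camunda statements, or disabling the key with `aws kms disable-key --key-id alias/camunda-byok`, immediately stops the cluster from decrypting its data, and `aws kms get-key-rotation-status --key-id alias/camunda-byok` confirms that rotation is on. Every `kms:Decrypt` and `kms:GenerateDataKey` call the cluster makes against this key is recorded in your CloudTrail, so use of the key is auditable from your side, not just Camunda's.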