# Encryption at rest
Encryption at rest protects stored data by making it unreadable without the appropriate decryption keys.
## Overview

By default, Camunda 8 SaaS encrypts data at rest with a provider-managed key (Google Cloud Platform (GCP) default encryption). Enterprise customers can choose instead:
- Camunda-managed software or hardware keys (Google KMS)
- Bring Your Own Key (BYOK) on AWS for full control
Key points:
- The encryption type can only be chosen when a cluster is created
- Each cluster can have its own key
- The key applies to all workloads of the cluster and persists across updates
- Encryption details are shown under Cluster Details on the Console Overview tab
> **Note:** Backups use the default provider (GCP) encryption.
## Encryption types

| Type | Managed by | Notes |
|---|---|---|
| Provider (default) | Google | FIPS 140-2 validated encryption module (certificate 4407) |
| Software key | Camunda | Google KMS software protection; operations in software; FIPS 140-2 Level 1; zero downtime rotation |
| Hardware key | Camunda | Google KMS hardware (HSM) protection; operations in HSM; FIPS 140-2 Level 3; zero downtime rotation |
| BYOK | Customer | AWS KMS key; full control over lifecycle, rotation, and revocation; enterprise only |
### Provider encryption key

The default option, managed by Google. It uses a FIPS 140-2 validated encryption module.

> **Info:** Learn more about Google default encryption.
### Camunda-managed keys

#### Software key
- Managed by Camunda using Google KMS
- FIPS 140-2 Level 1
- Operations in software
- Zero downtime rotation
#### Hardware key
- Managed by Camunda using Google KMS
- FIPS 140-2 Level 3
- Operations in HSM
- Zero downtime rotation
### Bring Your Own Key (BYOK)

Enterprise customers running on AWS can use their own AWS KMS key.
- You manage the key lifecycle, including rotation and revocation
- Camunda never stores the key; it is accessed through standard AWS KMS integrations
- Zero downtime rotation is supported

See the BYOK setup guide for configuration details.
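The sections above state that Camunda-managed keys rotate with zero downtime and that a BYOK customer keeps control over rotation and revocation. The following added example (not Camunda's code, and not the algorithm Google KMS or AWS KMS actually use) models why that holds: data is encrypted under per-record data encryption keys (DEKs), the DEKs are wrapped by a versioned key-encryption key (KEK), rotation adds a new primary version while old versions remain usable for unwrapping, and destroying a version or disabling the key is what revocation does to stored data. The wrapping cipher is a constructed HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag so that the example runs on the Python standard library alone; the names `ManagedKey`, `store`, `read`, `rewrap` and `rotation_walkthrough` are this example's own.

```python
"""Envelope encryption with a versioned KEK: rotation and revocation semantics.

Constructed example. The wrapping cipher below (HMAC-SHA256 keystream plus an
HMAC tag) is used only so the code runs without third-party packages; it is
NOT what Google KMS or AWS KMS use. The key-version bookkeeping is the point.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # Distinct keys for the keystream PRF and the MAC so their inputs never collide.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    pad = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, pad))


class ManagedKey:
    """One KMS-style key: several versions plus a pointer to the primary version.

    rotate() adds a version and makes it primary for new wraps; older versions
    stay usable for unwrap, which is why rotation needs no downtime. Destroying
    a version or disabling the key is the revocation lever a BYOK customer holds.
    """

    def __init__(self):
        self.versions = {}      # version id -> key material, or None once destroyed
        self.primary = 0
        self.enabled = True
        self.rotate()

    def rotate(self):
        vid = len(self.versions) + 1
        self.versions[vid] = secrets.token_bytes(32)
        self.primary = vid
        return vid

    def destroy_version(self, vid):
        self.versions[vid] = None   # key material is gone for good

    def wrap(self, dek):
        if not self.enabled:
            raise PermissionError("key is disabled")
        return self.primary, seal(self.versions[self.primary], dek)

    def unwrap(self, vid, wrapped):
        material = self.versions.get(vid) if self.enabled else None
        if material is None:
            raise PermissionError(f"key version {vid} is disabled, destroyed or unknown")
        return open_sealed(material, wrapped)


def store(kek, plaintext):
    """Envelope encryption: a fresh DEK per record, the DEK wrapped by the KEK."""
    dek = secrets.token_bytes(32)
    vid, wrapped = kek.wrap(dek)
    return {"kek_version": vid, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def read(kek, record):
    dek = kek.unwrap(record["kek_version"], record["wrapped_dek"])
    return open_sealed(dek, record["ciphertext"])


def rewrap(kek, record):
    """Move a record to the current primary version; the data ciphertext is untouched."""
    dek = kek.unwrap(record["kek_version"], record["wrapped_dek"])
    vid, wrapped = kek.wrap(dek)
    return {**record, "kek_version": vid, "wrapped_dek": wrapped}


def rotation_walkthrough():
    """Rotate, then revoke, and report what is still readable at each step."""
    kek = ManagedKey()
    old = store(kek, b"process instance variables")   # wrapped under version 1
    v1, v2 = old["kek_version"], kek.rotate()         # zero downtime: v1 still unwraps
    new = store(kek, b"audit log entry")              # wrapped under version 2
    readable_after_rotation = read(kek, old) == b"process instance variables"
    moved = rewrap(kek, old)                          # same ciphertext, new KEK version
    kek.destroy_version(v1)                           # revoke the old version
    try:
        read(kek, old)
        old_readable = True
    except PermissionError:
        old_readable = False
    return {
        "v1": v1, "v2": v2,
        "readable_after_rotation": readable_after_rotation,
        "rewrap_keeps_ciphertext": moved["ciphertext"] == old["ciphertext"],
        "old_readable_after_destroy": old_readable,
        "moved_readable_after_destroy": read(kek, moved) == b"process instance variables",
        "new_readable": read(kek, new) == b"audit log entry",
    }


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The walkthrough shows the two properties the page promises: after `rotate()` every record written before the rotation is still readable because its KEK version is retained, and nothing has to be re-encrypted (re-wrapping a DEK changes only the small wrapped key, not the data ciphertext). It also shows the cost of revocation: once a version is destroyed, records still wrapped under it are unrecoverable, which is exactly the control a BYOK customer holds and the reason re-wrapping should precede destroying old versions.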