Encrypt Confluent Cloud clusters using self-managed keys

You can encrypt data at rest in Dedicated clusters with self-managed keys to ensure only the appropriate entity or user can decrypt it. This provides a greater degree of privacy and data integrity, which is frequently required by government, health, finance, and many other industries.

Confluent Cloud data resides in clusters that you can deploy across multiple components, and each must support privacy and data confidentiality. By default, all Confluent Cloud clusters (Basic, Standard, and Dedicated) in AWS automatically create, manage, and use the encryption key for your Confluent Cloud cluster. If you create a Dedicated cluster, you can optionally choose to self-manage the encryption key. This is also known as BYOK (bring your own key) encryption. This option may be preferable for users who want to use their own key to encrypt data at rest, or who need the option to disable Confluent’s access to data at any time.

Confluent Cloud supports using self-managed encryption keys for Dedicated clusters on the following cloud service providers: