Customer-Managed Encryption Keys (CMEK) on Parable — control your own keys, rotate on your schedule, revoke access at any time, and audit every operation.
Customer-Managed Encryption Keys (CMEK) is available on Enterprise plans. Contact support@askparable.com to enable it for your organization.
By default, Parable encrypts your data at rest using Google-managed keys. With Customer-Managed Encryption Keys (CMEK), you control the encryption keys used to protect your data, which live in a dedicated Google Cloud KMS keyring. This gives you the ability to:
Rotate Keys
Generate new key versions on your schedule. New data is encrypted with the latest version; existing data remains readable under previous versions.
Disable Access
Disable your key to immediately revoke Parable’s ability to decrypt your data, for example during a security incident.
Audit Every Operation
Google Cloud Audit Logs record every encrypt and decrypt operation with full identity context.
Schedule Key Destruction
Schedule key versions for destruction after a 24-hour waiting period (GCP-enforced).
Who can do what with your keys:

Encrypt / decrypt
Parable: ✓ Application service accounts use the keys to process your data
You: — (not needed; Parable’s services encrypt and decrypt on your behalf)

Key disable / enable
Parable: Infrastructure admins retain access for operational purposes but will never act without your written authorization
You: ✓ Can disable or enable at any time

Key destruction
Parable: Infrastructure admins retain access for operational purposes but will never act without your written authorization
You: ✓ Can schedule destruction

Audit log access
Parable: Internal monitoring
You: ✓ Read-only access to your keyring’s audit logs via a scoped log view
Disabling your key immediately stops all Parable services from accessing your data. Ingestion jobs will fail, and dashboards will return errors until you re-enable the key. See the Incident Response tab below for the full impact guide.
When Parable provisions your account, we create a dedicated KMS keyring for you in Parable’s GCP project. You receive IAM access to your keyring only — you cannot see other customers’ keyrings, and they cannot see yours.
Keyring name: tenant-{your-slug}-kms
Location: Same region as your data (e.g., us-east1)
Keys in the keyring:
main — Symmetric key for encrypting data at rest (auto-rotates every 90 days)
credential-encryption — Asymmetric key for encrypting connector credentials in transit
Parable supports two sign-in methods to reach GCP Console:
Corporate SSO (recommended) — Sign in with your existing identity provider (Okta, Azure AD, JumpCloud, etc.) via a federated sign-in link. No Google account needed. Your IT admin controls access through your IdP. See the SSO Setup tab.
Google account — If your organization uses Google Workspace, sign in directly with your Google account.
During onboarding, Parable configures your preferred access method and provides direct links to your keyring and audit logs.
The rest of this page is organized into four tabs: SSO Setup, Key Management, Incident Response, and FAQ.
SSO Setup

During CMEK onboarding, your IT admin creates an SSO application in your identity provider so your team can access GCP Console to manage encryption keys and view audit logs. This tab gives your IT admin everything they need.
Parable provides the values marked “Provided by Parable” during onboarding. If you don’t have them yet, contact support@askparable.com.
OIDC

Use whichever of OIDC or SAML your identity provider supports best; the SAML instructions follow this section. For OIDC, create a new Custom OIDC application in your identity provider with these settings:
App name: Parable CMEK Access (or any name your team prefers)
Redirect URI: Provided by Parable
Login URL: Provided by Parable
Grant type: Authorization Code
Client authentication: Client Secret Basic
Scopes: openid, profile, email
1. Create the OIDC application
In your IdP admin console, create a new custom OIDC application. Enter the Redirect URI and Login URL provided by Parable.
2. Assign users or groups
Assign the users or groups who should have access to your encryption keys. Anyone assigned to this application can sign in — you can add or remove users at any time without contacting Parable.
3. Send credentials to Parable
Share the following with your Parable contact (via a secure channel such as 1Password or your organization’s preferred method):
Client ID
Client Secret
Issuer URL (e.g. https://your-org.okta.com/ or https://oauth.id.jumpcloud.com/)
4. Parable completes configuration
Parable configures the federation and sends you back:
A sign-in link for GCP Console
A direct link to your encryption keyring
A direct link to your audit logs
Your team can also access GCP Console from the app in your IdP’s portal.
Okta
Go to Applications → Create App Integration → OIDC - OpenID Connect → Web Application
Set the Sign-in redirect URI to the Redirect URI from Parable
Under Assignments, assign the relevant users or groups
Copy the Client ID and Client Secret from the app’s General tab
Your Issuer URL is https://your-org.okta.com/ (the org authorization server). If the app is bound to a custom authorization server instead, the issuer is that server’s URL, e.g. https://your-org.okta.com/oauth2/default; check the app’s Sign On settings.
Azure AD (Microsoft Entra ID)
Go to App registrations → New registration
Set the Redirect URI (Web) to the Redirect URI from Parable
Under Certificates & secrets, create a new client secret
Copy the Application (client) ID and the secret value
Your Issuer URL is https://login.microsoftonline.com/{tenant-id}/v2.0
JumpCloud
Go to SSO Applications → Add New Application → Custom OIDC App
Set Redirect URI and Login URL from Parable
Set Client Authentication Type to Client Secret Basic
SAML

Create a new Custom SAML application in your identity provider with these settings:
App name: Parable CMEK Access (or any name your team prefers)
SP Entity ID (Audience): Provided by Parable
ACS URL (Reply URL): Provided by Parable
Login URL: Provided by Parable
NameID Format: Email or Persistent
Your SAML application must have the HTTP-Redirect binding enabled. GCP requires this for browser-based single sign-on. In most IdPs, this is a checkbox like “Declare Redirect Endpoint” or “Enable HTTP-Redirect binding.”
1. Create the SAML application
In your IdP admin console, create a new custom SAML application. Enter the SP Entity ID, ACS URL, and Login URL provided by Parable. Make sure to enable the HTTP-Redirect SSO binding (not just HTTP-POST).
2. Assign users or groups
Assign the users or groups who should have access to your encryption keys. Anyone assigned to this application can sign in — you can add or remove users at any time without contacting Parable.
3. Send metadata to Parable
Share your IdP Metadata XML with Parable. This is typically available as:
A metadata URL (e.g. https://sso.jumpcloud.com/saml2/metadata/...) — preferred
A downloadable XML file from your IdP’s app settings
4. Parable completes configuration
Parable configures the federation and sends you back:
A sign-in link for GCP Console
A direct link to your encryption keyring
A direct link to your audit logs
Your team can also access GCP Console from the app in your IdP’s portal.
Okta
Go to Applications → Create App Integration → SAML 2.0
Set Single sign-on URL to the ACS URL from Parable
Set Audience URI (SP Entity ID) to the SP Entity ID from Parable
Under SAML Settings → Show Advanced Settings, ensure Response is set to Signed
Under Assignments, assign the relevant users or groups
Copy the Metadata URL from the app’s Sign On tab
Azure AD (Microsoft Entra ID)
Go to Enterprise applications → New application → Create your own application → Non-gallery
Under Single sign-on → SAML, set:
Identifier (Entity ID) to the SP Entity ID from Parable
Reply URL (ACS URL) to the ACS URL from Parable
Download the Federation Metadata XML from the SAML Signing Certificate section
Assign users or groups under Users and groups
JumpCloud
Go to SSO Applications → Add New Application → Custom SAML App
Set IdP Entity ID to a unique identifier (e.g. https://jumpcloud.com/parable-customer-{slug})
Set SP Entity ID and ACS URL from Parable
Enable Declare Redirect Endpoint (required by GCP)
Assign your test user or group
Copy the Metadata URL from the app’s SSO tab (e.g. https://sso.jumpcloud.com/saml2/metadata/...)
You control access. Add or remove users from the SSO application in your IdP at any time. Changes take effect immediately — no Parable involvement needed.
No Google account required. Your team signs in with their existing corporate credentials.
No Terms of Service to accept. Federated users are temporary users of Parable’s GCP project, covered by Parable’s existing agreement with Google.
Key Management

1. Sign in to GCP Console
Parable supports two sign-in methods depending on your organization’s setup:
Corporate SSO — Use the federated sign-in link provided by Parable during onboarding. This redirects through your identity provider (Okta, Azure AD, JumpCloud, etc.) — no Google account needed.
Google account — If your organization uses Google Workspace, sign in directly at console.cloud.google.com with your Google account.
2. Open your keyring
Parable provides a direct link to your keyring during onboarding. Use this link — it takes you straight to your keys without needing to browse the project.
Your access is scoped to your keyring only. You will not be able to list or browse other keyrings in the project.
3. Verify your keys
You should see two keys:
main — Symmetric key for encrypting your data at rest (auto-rotates every 90 days)
credential-encryption — Asymmetric key for encrypting connector credentials in transit
Key rotation creates a new key version. Existing data encrypted with previous versions remains readable — GCP tracks which version was used for each encryption and decrypts automatically.
1. Select the key
In your keyring, click on the main key.
2. Rotate the key
Click Rotate key in the top toolbar. Review the confirmation dialog and click Rotate key to confirm.
3. Verify the new version
The key list shows the new version as Primary. Previous versions remain Enabled and continue to decrypt data encrypted under them.
Parable configures your main key to rotate automatically every 90 days. Manual rotation creates an additional version ahead of schedule; it does not reset the automatic rotation timer.
Disabling a key version prevents GCP from using it for any encrypt or decrypt operations. This immediately blocks Parable from accessing data encrypted under that version.
Disabling the primary (current) key version will cause Parable services to fail immediately. Only do this if you intend to stop all data access. See the Incident Response tab for recovery steps.
1. Open the key version
In your keyring, click the key name, then click the three-dot menu on the key version row.
2. Disable the version
Select Disable. Confirm in the dialog. The version status changes to Disabled immediately.
Destroying a key version permanently deletes the key material. This is irreversible. Any data encrypted exclusively by this version becomes permanently unreadable.
Do not destroy the primary key version or any version that encrypted data you still need. Before destroying a version, ensure Parable has re-encrypted all data under a newer version. Contact support@askparable.com before proceeding.
1. Schedule for destruction
Click the three-dot menu on the key version → Schedule destruction. GCP enforces a minimum 24-hour waiting period before the key material is deleted. You can cancel during this window.
2. Cancel if needed
If you change your mind, click Cancel destruction before the waiting period expires.
Every encrypt, decrypt, and key management operation on your KMS keys is recorded in Google Cloud Audit Logs. You have read-only access to a dedicated log view that contains only your organization’s KMS operations — no other customer’s data is visible.
1. Open Cloud Logging
Sign in to GCP Console using your federated sign-in link or Google account (see the steps above). Then go to Logging → Logs Explorer. You can find it under the Observability section in the left navigation, or by searching for “Logs Explorer” in the top search bar.
2. Select your log view
Click Refine scope (near the top of the query panel) → Log view → select tenant-{your-slug}-kms-audit.
3. Run the query
Click Run query. You’ll see log entries for every KMS operation on your keys. All results are scoped to your organization.
Useful fields in each entry:
protoPayload.authenticationInfo.principalEmail: Who or what service account performed the operation (users signed in through Workforce Identity Federation appear under protoPayload.authenticationInfo.principalSubject instead)
protoPayload.methodName: Which operation it was, e.g. google.cloud.kms.v1.KeyManagementService.Decrypt
protoPayload.resourceName: The full resource path of the key or key version the operation targeted
timestamp: When the operation occurred
protoPayload.response.name: The key version that was actually used
KMS Data Access audit logs (encrypt/decrypt operations) are enabled on the Parable project. Key management events (rotations, disables, destruction) are logged as Admin Activity and are always on.
To receive exports of your KMS audit logs for your SIEM or compliance records, contact support@askparable.com.
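If you pull the log view into your own tooling (or receive the export mentioned above), the review you want to run is simple: every encrypt/decrypt should come from Parable’s application service accounts, and every change of key state should come from one of your own admins. The script below is an added example, not Parable’s tooling. It parses entries in the shape Cloud Logging exports for Cloud KMS audit logs; the project id, keyring slug, service-account names, the infra-admin address and the timestamps are constructed, and the note that workforce-federated users are logged under principalSubject rather than principalEmail is what the parser relies on.

```python
"""Review Cloud KMS audit-log entries from your tenant log view.

Added example, not Parable's tooling. The entries are constructed to match the
shape of Cloud Audit Log records for Cloud KMS (protoPayload.methodName,
authenticationInfo, resourceName, response.name); project id, slug,
principals and timestamps are invented.
"""
import json
from collections import Counter
from datetime import datetime

PROJECT = "parable-prod"                      # assumed Parable project id
KEYRING = "tenant-acme-kms"                   # tenant-{your-slug}-kms
KMS_METHOD_PREFIX = "google.cloud.kms.v1.KeyManagementService."
KEY_PATH = f"projects/{PROJECT}/locations/us-east1/keyRings/{KEYRING}/cryptoKeys/"

# Methods that use key material (Data Access logs) and methods that change
# key state or key IAM policy (Admin Activity logs).
DATA_ACCESS = {"Encrypt", "Decrypt", "AsymmetricDecrypt", "AsymmetricSign"}
KEY_STATE_CHANGES = {"UpdateCryptoKeyVersion", "DestroyCryptoKeyVersion",
                     "RestoreCryptoKeyVersion", "CreateCryptoKeyVersion",
                     "UpdateCryptoKeyPrimaryVersion", "SetIamPolicy"}

# Who should be doing what (constructed identities). Workforce-federated users
# are logged as principal://... subjects, not as e-mail addresses.
INGEST_SA = "parable-ingest@parable-prod.iam.gserviceaccount.com"
ALICE = ("principal://iam.googleapis.com/locations/global/workforcePools/"
         "acme-pool/subject/alice@acme.example")
SERVICE_ACCOUNTS = {INGEST_SA}   # may Encrypt/Decrypt
KEY_ADMINS = {ALICE}             # may enable, disable, rotate, destroy


def _entry(method, who, resource, ts, version=None, log="data_access"):
    """Build one audit-log line in the shape Cloud Logging exports."""
    auth = {"principalSubject": who} if who.startswith("principal://") else {"principalEmail": who}
    payload = {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
               "serviceName": "cloudkms.googleapis.com",
               "methodName": KMS_METHOD_PREFIX + method,
               "authenticationInfo": auth,
               "resourceName": resource}
    if version:  # Encrypt/Decrypt name the key; the version used is in the response
        payload["response"] = {"name": f"{resource}/cryptoKeyVersions/{version}"}
    return json.dumps({"protoPayload": payload, "timestamp": ts,
                       "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2F{log}"})


SAMPLE_LOG_LINES = [  # constructed sample, not real log data
    _entry("Decrypt", INGEST_SA, KEY_PATH + "main", "2025-03-04T09:15:02Z", version="3"),
    _entry("AsymmetricDecrypt", INGEST_SA, KEY_PATH + "credential-encryption",
           "2025-03-04T09:15:03Z", version="1"),
    # Your own admin disabling main v3: expected during an incident.
    _entry("UpdateCryptoKeyVersion", ALICE, KEY_PATH + "main/cryptoKeyVersions/3",
           "2025-03-04T10:00:00Z", log="activity"),
    # A Parable infrastructure admin changing key state: needs your written authorization.
    _entry("UpdateCryptoKeyVersion", "infra-admin@askparable.com",
           KEY_PATH + "main/cryptoKeyVersions/3", "2025-03-04T10:05:00Z", log="activity"),
    # A decrypt by an identity that is not Parable's ingestion service account.
    _entry("Decrypt", "someone-else@parable-prod.iam.gserviceaccount.com",
           KEY_PATH + "main", "2025-03-04T11:42:17Z", version="3"),
]


def parse_entry(raw):
    """Extract the fields described in the audit-log table above from one entry."""
    entry = json.loads(raw)
    payload = entry["protoPayload"]
    auth = payload.get("authenticationInfo", {})
    principal = auth.get("principalEmail") or auth.get("principalSubject") or "<unknown>"
    method = payload["methodName"].removeprefix(KMS_METHOD_PREFIX)
    resource = payload.get("resourceName", "")
    # Key-management calls name the version directly; Encrypt/Decrypt name the
    # key and report the version actually used in protoPayload.response.name.
    used = payload.get("response", {}).get("name", resource).split("/")
    key = used[used.index("cryptoKeys") + 1] if "cryptoKeys" in used else None
    version = used[used.index("cryptoKeyVersions") + 1] if "cryptoKeyVersions" in used else None
    when = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return {"method": method, "principal": principal, "resource": resource,
            "key": key, "version": version, "timestamp": when}


def review(raw_lines, keyring=KEYRING, service_accounts=SERVICE_ACCOUNTS, key_admins=KEY_ADMINS):
    """Count key use per (principal, key) and flag anything outside the expected roles."""
    usage = Counter()
    findings = []
    for raw in raw_lines:
        e = parse_entry(raw)
        if f"/keyRings/{keyring}/" not in e["resource"]:
            continue  # the scoped log view should never show other keyrings; check anyway
        when = e["timestamp"].strftime("%Y-%m-%d %H:%M:%SZ")
        what = f"{e['method']} on {e['key']} v{e['version']}"
        if e["method"] in DATA_ACCESS:
            usage[(e["principal"], e["key"])] += 1
            if e["principal"] not in service_accounts:
                findings.append(f"{when} {what} by unexpected principal {e['principal']}")
        elif e["method"] in KEY_STATE_CHANGES and e["principal"] not in key_admins:
            findings.append(f"{when} {what} by {e['principal']} (not one of your key admins)")
    return usage, findings


if __name__ == "__main__":
    usage, findings = review(SAMPLE_LOG_LINES)
    for (who, key), n in sorted(usage.items()):
        print(f"{n:3d}  {key:22s} {who}")
    for f in findings:
        print("FLAG", f)
```

Run against the constructed sample, the review reports two findings: the disable of main v3 by infra-admin@askparable.com (a key-state change by someone outside your admin list, which under the access table above should only happen with your written authorization) and the Decrypt by an unexpected service account. Alice’s own disable is not flagged because her federated subject is in the admin list. The same two allowlists are what you would keep current as Parable’s service accounts or your own admins change.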
Incident Response

This tab covers what to do if you need to disable your encryption key as part of a security incident, and exactly what happens to Parable services when you do.
When you disable a key version, GCP stops honoring encrypt/decrypt requests for that version within seconds. Here’s the cascade:
T+0s: Key disabled in GCP KMS
T+5–30s: In-flight Parable API requests that require decryption start returning 500 errors
T+60s: Parable’s background services detect the key failure and stop retrying
T+2–5m: Connector ingestion jobs fail with KMS_KEY_DISABLED error
T+5m: Parable on-call receives an alert about key failures (we monitor decryption errors)
Your dashboards will show errors until the key is re-enabled. No data is lost — encrypted data remains intact on disk, inaccessible until the key is available again.
Parable will not re-enable your key without authorization
Parable’s application service accounts can only use keys (encrypt/decrypt), not manage them. Parable’s infrastructure administrators have broader access for operational purposes, but will never re-enable your key without your explicit written authorization.
1. Sign in and open your keyring
Sign in using your federated sign-in link or Google account, then navigate to your keyring: Security → Key Management → tenant-{your-slug}-kms.
2. Re-enable the key version
Find the disabled version, click the three-dot menu → Enable. Confirm in the dialog. The status changes to Enabled immediately.
3. Services recover automatically
Parable’s services retry failed operations and resume normal function within 60 seconds. No action is needed on your end, and there is no need to contact support unless issues persist after 5 minutes.
4. Check for stuck ingestion jobs
Ingestion jobs that failed mid-run will not automatically retry. In Parable, go to Connectors and manually trigger a sync for any connectors showing errors.
Can Parable access my data when my key is disabled?
No. When the key is disabled, GCP refuses all decrypt operations — including those from Parable’s service accounts. Your data is inaccessible to everyone, including Parable.
Will disabling my key affect other Parable customers?
No. Each customer has their own isolated keyring. Disabling your key only affects your organization.
What if I schedule my key for destruction by mistake?
You have a minimum 24-hour window to cancel scheduled destruction. Navigate to the key version and click Cancel destruction immediately. Contact support@askparable.com for guidance.
See the FAQ tab for more questions about CMEK.
FAQ

Do I need a Google account to manage my keys?
Not necessarily. Parable supports two ways to access your keyring in GCP Console:
Corporate SSO (recommended) — Parable configures Workforce Identity Federation so you can sign in with your existing identity provider (Okta, Azure AD, JumpCloud, Ping Identity, or any OIDC or SAML 2.0 IdP). Your IT admin creates an SSO application and provides Parable with the connection details during onboarding. Anyone your IT admin assigns to the application in your IdP gets access automatically — no per-user setup on Parable’s side.
Google account — If your organization already uses Google Workspace, you can access GCP Console directly with your existing Google account. Parable grants access to specific email addresses.
During onboarding, Parable will work with you to determine which option fits your organization best.
What happens to existing data when I rotate my key?
Nothing changes immediately. Data encrypted under the old key version remains readable: GCP tracks which key version encrypted each object and automatically uses the right version to decrypt. Over time, as Parable writes new data (credentials, ingestion results), it uses the new primary key version. Old data is only re-encrypted if Parable explicitly triggers re-encryption, which we do not do automatically. This means both versions remain active (Enabled) in your keyring even after rotation.
Can Parable re-enable a key that I've disabled?
Parable’s application service accounts hold roles/cloudkms.cryptoKeyEncrypterDecrypter, which allows encrypt and decrypt operations but not the ability to enable or disable keys. However, Parable’s infrastructure administrators do have roles/cloudkms.admin access for operational purposes (e.g., disaster recovery, tenant provisioning). That role lets its holder change key state and the key’s IAM policy but does not itself include encrypt or decrypt; a grant of decrypt rights would show up in your audit logs as a SetIamPolicy event. In practice, Parable will never re-enable your key without your explicit written authorization.
Can Parable read my credentials if my key is enabled?
Parable only decrypts credentials when processing an ingestion job on your behalf. Every decrypt operation is recorded in Cloud Audit Logs (see Key Management → Audit logs) with the service account identity and timestamp. You have full visibility into every access.
What happens if I destroy a key version?
Destroying a key version permanently deletes the key material. Any data encrypted exclusively by that version becomes permanently unreadable; this cannot be undone. GCP enforces a minimum 24-hour waiting period before destruction completes, giving you time to cancel. If you’ve destroyed a version that Parable still needs, contact support@askparable.com immediately. We may be able to help assess the impact, but data recovery may not be possible.
How often does Parable rotate my key automatically?
The main symmetric key is set to auto-rotate every 90 days. The credential-encryption asymmetric key does not auto-rotate (asymmetric keys require manual version management). You can manually rotate either key at any time from GCP Console.
Does CMEK protect data in transit?
CMEK specifically covers encryption at rest (stored data). Data in transit is always protected with TLS 1.2+ regardless of your CMEK configuration. For credential transport specifically, Parable uses RSA-OAEP-4096 asymmetric encryption via your credential-encryption KMS key — credentials are encrypted client-side before they reach Parable servers.
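What “encrypted client-side with RSA-OAEP-4096 via your credential-encryption key” means in practice, as an added example rather than Parable’s client code: the client fetches the public half of the KMS key and encrypts the credential under it with the same OAEP parameters the key was created with, and only Cloud KMS (on Parable’s ingestion job’s behalf, via AsymmetricDecrypt) can reverse that. The example assumes the key’s KMS algorithm is RSA_DECRYPT_OAEP_4096_SHA256 (the page states RSA-OAEP-4096; the SHA-256 choice is an assumption), uses the `cryptography` package, and generates a throwaway local RSA-4096 pair to stand in for the KMS key so it runs offline. The one check worth knowing is the size limit: a 4096-bit OAEP/SHA-256 block carries at most 446 bytes, so longer credentials need a wrapped data key rather than raw RSA.

```python
"""Encrypt a connector credential client-side for the credential-encryption key.

Added example, not Parable's client code. Assumes the key's KMS algorithm is
RSA_DECRYPT_OAEP_4096_SHA256 (the page says RSA-OAEP-4096; SHA-256 is an
assumption) and that you have its public key as PEM, e.g. from
`gcloud kms keys versions get-public-key`. A throwaway local RSA-4096 pair
stands in for the KMS key so this runs offline; in production the private
half never leaves Cloud KMS.
"""
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

KEY_BITS = 4096
# The OAEP parameters must match the KMS algorithm exactly: SHA-256 for both
# the hash and MGF1, and no label. A mismatch is only detected when KMS fails
# to decrypt, i.e. inside Parable's ingestion job, not at encryption time.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
# RSA-OAEP carries at most k - 2*hLen - 2 bytes: 512 - 64 - 2 = 446 here.
MAX_PLAINTEXT = KEY_BITS // 8 - 2 * hashes.SHA256.digest_size - 2


def encrypt_credential(public_key_pem: bytes, secret: bytes) -> bytes:
    """Return the ciphertext to hand to Parable, or raise if the secret cannot fit."""
    if len(secret) > MAX_PLAINTEXT:
        raise ValueError(
            f"credential is {len(secret)} bytes; RSA-OAEP-4096/SHA-256 carries at most "
            f"{MAX_PLAINTEXT}. Wrap a random data key with RSA instead and encrypt the "
            "credential under that key (envelope encryption).")
    public_key = serialization.load_pem_public_key(public_key_pem)
    return public_key.encrypt(secret, OAEP)


def local_stand_in_for_kms():
    """Generate a local RSA-4096 pair playing the role of credential-encryption."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_BITS)
    pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, pem


def roundtrip(secret: bytes) -> bytes:
    """Encrypt client-side, then decrypt as KMS AsymmetricDecrypt would for Parable."""
    private_key, pem = local_stand_in_for_kms()
    ciphertext = encrypt_credential(pem, secret)
    # Every OAEP ciphertext is exactly one RSA block and reveals nothing about
    # the length of the credential inside it.
    assert len(ciphertext) == KEY_BITS // 8
    return private_key.decrypt(ciphertext, OAEP)


if __name__ == "__main__":
    token = b"xoxb-constructed-example-token"   # constructed, not a real credential
    print(roundtrip(token) == token)           # True
```

Because decryption happens inside Cloud KMS, every AsymmetricDecrypt of a credential is one of the Data Access entries visible in your audit log view, which is what makes the “you have full visibility into every access” statement in the FAQ checkable rather than a matter of trust.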
Is my keyring in my GCP project or Parable's?
Your keyring is in Parable’s GCP project, not in your own GCP project. This is because Parable’s infrastructure services need to perform encrypt/decrypt operations on behalf of your account. You have IAM access to your specific keyring; you cannot see other customers’ keyrings, and other customers cannot see yours. You sign in to GCP Console via your corporate SSO (federated sign-in link) or your Google account, depending on your organization’s setup.
What compliance standards does CMEK help me meet?
CMEK supports compliance requirements around key custody and auditability, including:
SOC 2 — Demonstrates you control access to encrypted data
GDPR / data erasure — Destroying your encryption key is a recognized method of cryptographic erasure
HIPAA / HITRUST — Provides audit trails for all data access operations
ISO 27001 — Supports A.10 (Cryptography) controls in the 2013 edition (control 8.24, Use of cryptography, in the 2022 edition)
Consult your compliance team to determine whether CMEK satisfies your specific requirements.
How do I find my organization's slug?
Your slug is the URL-safe identifier for your organization. You can find it in Parable’s admin settings, or ask your Parable account manager. It appears in your keyring name: tenant-{your-slug}-kms.
Questions we haven’t covered? Reach out to support@askparable.com or your Parable account manager.