Customer-Managed Encryption Keys (CMEK) is available on Enterprise plans. Contact support@askparable.com to enable it for your organization.

What is CMEK?

By default, Parable encrypts your data at rest using Google-managed keys. With Customer-Managed Encryption Keys (CMEK), you control the encryption keys used to protect your data — stored in your Google Cloud KMS keyring. This gives you the ability to:

Rotate Keys

Generate new key versions on your schedule. New data is encrypted with the latest version; existing data remains readable under previous versions.

Disable Access

Disable your key to immediately revoke Parable’s ability to decrypt your data — even in an emergency.

Audit Every Operation

Google Cloud Audit Logs record every encrypt and decrypt operation with full identity context.

Schedule Key Destruction

Schedule key versions for destruction after a 24-hour waiting period (GCP-enforced).

What Parable controls vs. what you control

| | Parable | You |
|---|---|---|
| KMS keyring creation | ✓ Created during provisioning | |
| Keyring location | Set to your data region | |
| Key rotation | Automatic every 90 days | Can manually trigger anytime |
| Encrypt / decrypt | ✓ Application service accounts use keys to process your data | |
| Key disable / enable | Infrastructure admins retain access for operational purposes but will never act without your written authorization | ✓ Can disable or enable at any time |
| Key destruction | Infrastructure admins retain access for operational purposes but will never act without your written authorization | ✓ Can schedule destruction |
| Audit log access | Internal monitoring | ✓ Read-only access to your keyring’s audit logs via scoped log view |

Disabling your key immediately stops all Parable services from accessing your data. Ingestion jobs will fail, and dashboards will return errors until you re-enable the key. See Incident Response for the full impact guide.

Accessing your keyring

Your keyring lives in Parable’s GCP project. Parable supports two ways to sign in to GCP Console and manage your keys:
  • Corporate SSO (recommended) — Sign in with your existing identity provider (Okta, Azure AD, JumpCloud, etc.) via a federated sign-in link. No Google account needed. Your IT admin controls who has access through your IdP.
  • Google account — If your organization uses Google Workspace, sign in directly with your Google account.
During onboarding, Parable configures your preferred access method and provides direct links to your keyring and audit logs.

Your keyring in GCP

When Parable provisions your account, we create a dedicated KMS keyring for you in Parable’s GCP project. You receive IAM access to your keyring only — you cannot see other customers’ keyrings, and they cannot see yours.
  • Keyring name: tenant-{your-slug}-kms
  • Location: Same region as your data (e.g., us-east1)
  • Keys in the keyring:
    • main — Symmetric key for encrypting data at rest (auto-rotates every 90 days)
    • credential-encryption — Asymmetric key for encrypting connector credentials in transit
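
An added example, not Parable's own code, of one way to triage exported Cloud Audit Log entries for your keyring: it flags encrypt/decrypt calls from principals outside an expected service-account list, and disable/enable/destroy calls from anyone other than your own admins. The project id, the slug `acme`, every principal and both allowlists are constructed placeholders; the field names follow the Cloud Audit Logs JSON shape.

```python
# Constructed values: project id, slug "acme" and every principal are placeholders.
KEYRING = "projects/example-project/locations/us-east1/keyRings/tenant-acme-kms"
MAIN = KEYRING + "/cryptoKeys/main/cryptoKeyVersions/"
CRED = KEYRING + "/cryptoKeys/credential-encryption/cryptoKeyVersions/"
APP_SA = "app@example-project.iam.gserviceaccount.com"
SSO_ADMIN = ("principal://iam.googleapis.com/locations/global/"
             "workforcePools/example-pool/subject/alice@example.com")
CRYPTO_OPS = {"Encrypt", "Decrypt", "AsymmetricDecrypt"}
# Disable/enable is the UpdateCryptoKeyVersion API call; destruction is DestroyCryptoKeyVersion.
STATE_OPS = {"UpdateCryptoKeyVersion", "DestroyCryptoKeyVersion", "RestoreCryptoKeyVersion"}

def entry(method, principal, resource, federated=False):
    """Build a constructed log entry in the Cloud Audit Logs JSON shape."""
    auth = {"principalSubject" if federated else "principalEmail": principal}
    return {"protoPayload": {"serviceName": "cloudkms.googleapis.com",
                             "methodName": method, "resourceName": resource,
                             "authenticationInfo": auth}}

SAMPLE = [  # constructed, not real log data
    entry("Decrypt", APP_SA, MAIN + "3"),
    entry("Decrypt", "unknown@example.com", MAIN + "3"),
    entry("UpdateCryptoKeyVersion", SSO_ADMIN, MAIN + "2", federated=True),
    entry("DestroyCryptoKeyVersion", "infra-admin@example.com", MAIN + "1"),
    entry("google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt", APP_SA, CRED + "1"),
    entry("Decrypt", "unknown@example.com", KEYRING + "-old/cryptoKeys/main/cryptoKeyVersions/1"),
]

def review(entries, keyring, customer_admins, service_accounts):
    """Return (finding, method, key, principal) for operations outside the allowlists."""
    findings = []
    for e in entries:
        p = e.get("protoPayload", {})
        resource = p.get("resourceName", "")
        # The trailing "/" keeps a sibling keyring with the same name prefix out of scope.
        if p.get("serviceName") != "cloudkms.googleapis.com" or not resource.startswith(keyring + "/"):
            continue
        method = p.get("methodName", "").rsplit(".", 1)[-1]  # short or fully qualified name
        auth = p.get("authenticationInfo", {})
        # Assumption: federated (SSO) sign-ins carry principalSubject instead of an email.
        who = auth.get("principalEmail") or auth.get("principalSubject") or "<missing>"
        parts = resource.split("/")
        key = parts[parts.index("cryptoKeys") + 1] if "cryptoKeys" in parts[:-1] else ""
        if method in CRYPTO_OPS and who not in service_accounts:
            findings.append(("unexpected-crypto-principal", method, key, who))
        elif method in STATE_OPS and who not in customer_admins:
            findings.append(("unapproved-key-state-change", method, key, who))
    return findings

FINDINGS = review(SAMPLE, KEYRING, {SSO_ADMIN}, {APP_SA})
```

Any `unapproved-key-state-change` finding is worth matching against the written authorizations you have given Parable.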

Getting started

SSO Setup

Configure your identity provider for GCP Console access

Key Management

Rotate, disable, enable, and schedule key destruction

Audit Logs

View encryption activity in Cloud Logging

Incident Response

What to do if you need to disable your key at 2 AM