Do I need a Google account to manage my keys?
Not necessarily. Parable supports two ways to access your keyring in GCP Console:
- Corporate SSO (recommended) — Parable configures Workforce Identity Federation so you can sign in with your existing identity provider (Okta, Azure AD, JumpCloud, Ping Identity, or any OIDC or SAML 2.0 IdP). Your IT admin creates an SSO application and provides Parable with the connection details during onboarding. Anyone your IT admin assigns to the application in your IdP gets access automatically — no per-user setup on Parable’s side.
- Google account — If your organization already uses Google Workspace, you can access GCP Console directly with your existing Google account. Parable grants access to specific email addresses.
What happens to existing data when I rotate my key?
Nothing changes immediately. Data encrypted under the old key version remains readable — GCP tracks which key version encrypted each object and automatically uses the right version to decrypt.
Over time, as Parable writes new data (credentials, ingestion results), it uses the new primary key version. Old data is only re-encrypted if Parable explicitly triggers re-encryption, which we do not do automatically.
This means both versions remain active (Enabled) in your keyring even after rotation.
Can Parable re-enable a key that I've disabled?
Parable’s application service accounts hold roles/cloudkms.cryptoKeyEncrypterDecrypter, which allows encrypt and decrypt operations but not the ability to enable or disable keys. However, Parable’s infrastructure administrators do have roles/cloudkms.admin access for operational purposes (e.g., disaster recovery, tenant provisioning).
In practice, Parable will never re-enable your key without your explicit written authorization.
Can Parable read my credentials if my key is enabled?
Parable only decrypts credentials when processing an ingestion job on your behalf. Every decrypt operation is recorded in Cloud Audit Logs with the service account identity and timestamp. You have full visibility into every access.
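The audit trail described in the two answers above can be reviewed offline. The following is an added example, not Parable's own code: it tallies decrypt calls per principal on one keyring and flags decrypts by unexpected principals and key-version state changes. It assumes entries exported as one Cloud Audit Logs JSON object per line; the project, slug and principals in the sample are hypothetical.

```python
import json
from collections import Counter

# Assumption: methodName may be short or fully qualified, so match the last dotted part.
DECRYPT = {"Decrypt", "AsymmetricDecrypt"}
STATE_CHANGE = {"UpdateCryptoKeyVersion", "DestroyCryptoKeyVersion", "RestoreCryptoKeyVersion"}

def review(lines, keyring, expected):
    """Tally decrypts per principal; flag unexpected decrypts and state changes."""
    counts, findings = Counter(), []
    for line in filter(str.strip, lines):
        entry = json.loads(line)
        p = entry.get("protoPayload", {})
        if p.get("serviceName") != "cloudkms.googleapis.com":
            continue
        if f"/keyRings/{keyring}/" not in p.get("resourceName", ""):
            continue  # another keyring, not ours
        method = p.get("methodName", "").rsplit(".", 1)[-1]
        who = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        event = (entry.get("timestamp"), who, method, p["resourceName"])
        if method in DECRYPT:
            counts[who] += 1
            if who not in expected:
                findings.append(("unexpected-decrypt",) + event)
        elif method in STATE_CHANGE:  # enable, disable, destroy, restore
            findings.append(("key-state-change",) + event)
    return counts, findings

# Constructed sample entries (hypothetical project, slug and principals).
KEY = "projects/example-project/locations/us/keyRings/tenant-example-kms/cryptoKeys/main"
SA = "ingest@example-project.iam.gserviceaccount.com"
def _entry(ts, who, method, resource=KEY):
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": "cloudkms.googleapis.com", "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": who}}})
SAMPLE = [
    _entry("2024-01-01T10:00:00Z", SA, "Decrypt"),
    _entry("2024-01-01T10:05:00Z", SA, "Decrypt"),
    _entry("2024-01-02T03:00:00Z", "admin@example.com", "UpdateCryptoKeyVersion",
           KEY + "/cryptoKeyVersions/1"),
    _entry("2024-01-02T03:01:00Z", "admin@example.com", "Decrypt"),
    _entry("2024-01-02T04:00:00Z", SA, "Decrypt",
           KEY.replace("tenant-example-kms", "tenant-other-kms")),
]

if __name__ == "__main__":
    counts, findings = review(SAMPLE, "tenant-example-kms", {SA})
    print(dict(counts), *findings, sep="\n")
```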
What happens if I destroy a key version?
Destroying a key version permanently deletes the key material. Any data encrypted exclusively by that version becomes permanently unreadable — this cannot be undone.
GCP enforces a minimum 24-hour waiting period before destruction completes, giving you time to cancel. If you’ve destroyed a version that Parable still needs, contact support@askparable.com immediately — we may be able to help assess the impact, but data recovery may not be possible.
How often does Parable rotate my key automatically?
The main symmetric key is set to auto-rotate every 90 days. The credential-encryption asymmetric key does not auto-rotate (asymmetric keys require manual version management). You can manually rotate either key at any time from GCP Console.
Does CMEK protect data in transit?
CMEK specifically covers encryption at rest (stored data). Data in transit is always protected with TLS 1.2+ regardless of your CMEK configuration. For credential transport specifically, Parable uses RSA-OAEP-4096 asymmetric encryption via your credential-encryption KMS key — credentials are encrypted client-side before they reach Parable servers.
Is my keyring in my GCP project or Parable's?
Your keyring is in Parable’s GCP project, not in your own GCP project. This is because Parable’s infrastructure services need to perform encrypt/decrypt operations on behalf of your account.
You have IAM access to your specific keyring — you cannot see other customers’ keyrings, and other customers cannot see yours. You sign in to GCP Console via your corporate SSO (federated sign-in link) or your Google account, depending on your organization’s setup.
What compliance standards does CMEK help me meet?
CMEK supports compliance requirements around key custody and auditability, including:
- SOC 2 — Demonstrates you control access to encrypted data
- GDPR / data erasure — Destroying your encryption key is a recognized method of cryptographic erasure
- HIPAA / HITRUST — Provides audit trails for all data access operations
- ISO 27001 — Supports A.10 (Cryptography) controls
How do I find my organization's slug?
Your slug is the URL-safe identifier for your organization. You can find it in Parable’s admin settings, or ask your Parable account manager. It appears in your keyring name: tenant-{your-slug}-kms.