Skip to main content
This guide covers what to do if you need to disable your encryption key as part of a security incident — and exactly what happens to Parable services when you do.

​
Scenario: you disable your key at 2 AM

​
What happens immediately

When you disable a key version, GCP stops honoring encrypt/decrypt requests for that version within seconds. Here’s the cascade:
TimeWhat happens
T+0sKey disabled in GCP KMS
T+5–30sIn-flight Parable API requests that require decryption start returning 500 errors
T+60sParable’s background services detect the key failure and stop retrying
T+2–5mConnector ingestion jobs fail with KMS_KEY_DISABLED error
T+5mParable on-call receives an alert about key failures (we monitor decryption errors)
Your dashboards will show errors until the key is re-enabled. No data is lost — encrypted data remains intact on disk, inaccessible until the key is available again.

​
Parable will not re-enable your key without authorization

Parable’s application service accounts can only use keys (encrypt/decrypt), not manage them. Parable’s infrastructure administrators have broader access for operational purposes, but will never re-enable your key without your explicit written authorization.

​
Recovery: re-enabling the key

1

Sign in to GCP Console

Sign in using your federated sign-in link or Google account (see Key Management for sign-in details), then navigate to your keyring: Security → Key Management → tenant-{your-slug}-kms.
2

Re-enable the key version

Find the disabled version, click the three-dot menu → Enable.Confirm in the dialog. The status changes to Enabled immediately.
3

Services recover automatically

Parable’s services retry failed operations and resume normal function within 60 seconds — no action needed on your end and no need to contact support unless issues persist after 5 minutes.
4

Check for stuck ingestion jobs

Ingestion jobs that failed mid-run will not automatically retry. In Parable, go to Connectors and manually trigger a sync for any connectors showing errors.

​
Checklist: disabling your key

Use this checklist before disabling your key in a security incident:
  1. Notify your Parable account manager or email support@askparable.com — we can help triage whether KMS disable is the right response
  2. Note the current time — you’ll need it for audit log review later
  3. Disable the key in GCP Console (see Key Management)
  4. Confirm Parable services show errors (expected) — verify at least one API call fails
  5. Document the incident and gather audit logs for the period before the disable
  6. When the incident is resolved, re-enable the key (steps above)
  7. Trigger manual syncs for any connectors that failed during the outage

​
Frequently asked questions

Can Parable access my data when my key is disabled? No. When the key is disabled, GCP refuses all decrypt operations — including those from Parable’s service accounts. Your data is inaccessible to everyone, including Parable. Will disabling my key affect other Parable customers? No. Each customer has their own isolated keyring. Disabling your key only affects your organization. What if I schedule my key for destruction by mistake? You have a minimum 24-hour window to cancel scheduled destruction. Navigate to the key version and click Cancel destruction immediately. Contact support@askparable.com for guidance. See also the full FAQ.