Skip to main content

Navigating to your keyring

1

Sign in to GCP Console

Parable supports two sign-in methods depending on your organization’s setup:
  • Corporate SSO — Use the federated sign-in link provided by Parable during onboarding. This redirects through your identity provider (Okta, Azure AD, JumpCloud, etc.) — no Google account needed.
  • Google account — If your organization uses Google Workspace, sign in directly at console.cloud.google.com with your Google account.
If you don’t have your sign-in link, contact support@askparable.com.
2

Open your keyring directly

Parable provides a direct link to your keyring during onboarding. Use this link — it takes you straight to your keys without needing to browse the project.
Your access is scoped to your keyring only. You will not be able to list or browse other keyrings in the project.
3

Verify your keys

You should see two keys:
  • main — Symmetric key for encrypting your data at rest (auto-rotates every 90 days)
  • credential-encryption — Asymmetric key for encrypting connector credentials in transit

Key rotation

Key rotation creates a new key version. Existing data encrypted with previous versions remains readable — GCP tracks which version was used for each encryption and decrypts automatically.
1

Select the key

In your keyring, click on the main key.
2

Rotate the key

Click Rotate key in the top toolbar.Review the confirmation dialog and click Rotate key to confirm.
3

Verify the new version

The key list shows the new version as Primary. Previous versions remain Enabled and continue to decrypt data encrypted under them.
Parable automatically rotates your main key every 90 days. Manual rotation creates an additional version ahead of schedule — this does not reset the automatic rotation timer.

Disable a key version

Disabling a key version prevents GCP from using it for any encrypt or decrypt operations. This immediately blocks Parable from accessing data encrypted under that version.
Disabling the primary (current) key version will cause Parable services to fail immediately. Only do this if you intend to stop all data access. See Incident Response for recovery steps.
1

Open the key version

In your keyring, click the key name, then click the three-dot menu on the key version row.
2

Disable the version

Select Disable. Confirm in the dialog.The version status changes to Disabled immediately.

Re-enable a key version

1

Open the disabled key version

Find the version with Disabled status in the key version list.
2

Re-enable

Click the three-dot menu → Enable. Confirm in the dialog.The version status returns to Enabled (or Primary if it was the primary version).
3

Parable services recover automatically

Within 60 seconds, Parable’s services detect the key is available again and resume normal operation. No action required on your end.

Schedule key version destruction

Destroying a key version permanently deletes the key material. This is irreversible. Any data encrypted exclusively by this version becomes permanently unreadable.
Do not destroy the primary key version or any version that encrypted data you still need. Before destroying a version, ensure Parable has re-encrypted all data under a newer version. Contact support@askparable.com before proceeding.
1

Schedule for destruction

Click the three-dot menu on the key version → Schedule destruction.GCP enforces a minimum 24-hour waiting period before the key material is deleted. You can cancel during this window.
2

Cancel if needed

If you change your mind, click Cancel destruction before the waiting period expires.