When organizations consider using a managed data integration service like Fivetran, data security is often top of mind. Many security teams, particularly in financial services and healthcare, need to maintain control over how their most sensitive data is encrypted within the data pipelines their organization uses.

Our new security feature, customer-managed keys, allows AWS customers to control the master key that Fivetran uses to encrypt credentials and temporary data. With the press of a button, security teams can disable access to the key and stop Fivetran from syncing data; keys can be re-enabled at any time to restart syncs. To power this feature, we use multi-region AWS Key Management Service (KMS).

How customer-managed keys enhance security

By owning and managing the master key used for encryption, you gain full control over the sensitive credentials used in your data pipelines. This is important when your security team needs to push a “big red button” in case of a data breach or other security event. The customer-managed key can be disabled at any time, causing all Fivetran operations to cease, and Fivetran will not be able to unencrypt any sensitive credentials.

Customer-managed keys provide another layer of security and control on top of the industry-leading data security offered by every Fivetran plan level. Here's a look at the architecture:

Setting up customer-managed keys is simple

It’s very easy to set up customer-managed keys. Just configure a key and role in AWS KMS, and enter the key details into your Fivetran dashboard. After setup, any existing and future credentials in the Fivetran system will be encrypted using our internal keys, as well as the AWS KMS key owned by you.

At the start of every sync, Fivetran will reach out to AWS KMS to fetch and use your customer-managed key to disable the credentials needed to access your source and destination systems. Any time that key is disabled by you, Fivetran will no longer be able to unencrypt your credentials, and syncs will stop completely.

You can find a complete setup guide in our documentation.

Remember, Fivetran has no way of accessing your unencrypted data unless you explicitly approve it — as part of a request for troubleshooting assistance, for example. For more information, see Grant Support Access in our documentation.

Getting started with customer-managed keys

Customer-managed keys are available with Fivetran Business Critical, our industry-leading cloud data integration solution for security, data privacy and regulatory compliance. Reach out to our sales team to get started.

The customer-managed keys feature is just one of many security and compliance capabilities we offer to protect your sensitive data. Take a look at our security white paper to learn more.