Customer-Managed Keys

Learn about customer-managed keys for your Business Critical account.

IMPORTANT: You must have a Business Critical plan to use customer-managed keys.

With customer-managed keys, you control the master key that Fivetran uses to encrypt your credentials and temporary data. You can disable access to the key at any time to stop Fivetran from accessing your data. You can re-enable the key at any point later and resume syncs.

Fivetran uses keys from one of the following key management services (KMSs) to power this feature:

• AWS Key Management Service
• Azure Key Vault
• Google's Cloud Key Management Service

See our Data and Credential Encryption documentation to learn how Fivetran uses customer-managed keys to encrypt data and credentials.

Setup guide

Customer-managed keys require additional setup. See the setup guide for your chosen provider:

• AWS customer-managed keys setup guide
• Azure customer-managed keys setup guide
• Google Cloud Platform (GCP) customer-managed key setup guide

Compromised keys

If you think your existing key has been compromised, do not delete the key before you have configured the new key to use with Fivetran. If you delete the compromised key, all connectors in the destination that use credentials encrypted by that key will break.

Instead, do the following to correct your compromised key:

1. Revert the encryption with the current key.

   

2. Create a new key. That implies rotating the compromised key manually in AWS KMS or Azure Key Vault.

3. Set up the new key in your Fivetran account settings.