• Security
  • Data Encryption Policies

Data Encryption Policies

This page outlines how Rockset encrypts and protects your data.

#Data Encryption in Flight

Data in flight from customers to Rockset and from Rockset back to customers is encrypted through Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates, which are created and managed by AWS Certificate Manager. An AWS application load balancer terminates SSL connections to our API endpoint.

Within Rockset’s Virtual Private Cloud (VPC), data is transmitted unencrypted between Rockset’s internal services. Unencrypted data will never be sent outside of Rockset’s VPC.

#Data Encryption at Rest

Data is persisted in three places within Rockset:

  1. In a log buffer service on encrypted AWS EBS volumes. Rockset uses this log buffer as transient storage to independently scale data indexing (writes) and data serving (reads).
  2. On Rockset's servers, which have local solid state drives which are encrypted through dm-crypt. The configuration is based on this article.
  3. In AWS S3, where all stored objects are encrypted.

In all cases, the encryption keys are managed by AWS Key Management Service (KMS). The master keys never leave the KMS hardware, so they are never exposed to anyone, including Rockset.

#Advanced Encryption with User-Controlled Keys

Rockset uses AWS KMS to make it easy for you to create and manage keys and control the use of encryption. With advanced encryption, you may use your own key which allows you to control the encryption and delete the key if needed.

  • For evaluation accounts, master keys used are created in Rockset's AWS account.
  • For commercial installations, Rockset allows customers to provide their own KMS master key to be used for encryption.

All customer API keys and integration credentials are stored in a secure administrative database that is encrypted at rest.