Encryption Key Management (EKM)

Who can use this feature

IT and org admins on enterprise plans can view and manage encryption

What is EKM and BYOK?

Encryption Key Management (EKM) gives your organization full control over the encryption keys that protect your data at rest on WRITER. With Bring Your Own Key (BYOK), you manage your own top-level master key in your existing cloud Key Management Service (KMS) — whether AWS, GCP, or Azure — instead of relying on WRITER-managed keys.

This helps your organization meet data residency, compliance, and IT policy requirements by ensuring you retain authority over who can access your encrypted data and when.

For full technical details on architecture, setup, and key management operations, see our dev docs here.

What's covered by encryption

Encryption Key Management (EKM) lets your organization control the encryption keys that protect your data at rest on WRITER. There are three tiers:

  • Default (all plans): Agent credentials and MCP secrets are always encrypted.
  • WRITER-managed (Enterprise): Extends encryption to playbooks, skills, and WRITER Agent files, messages, and threads — with WRITER managing the master key.
  • BYOK (Enterprise): Same coverage as WRITER-managed, but you connect and manage your master key from your cloud KMS (AWS, Azure, or GCP).

WRITER uses hierarchical scopes (organization, team, thread, MCP connector, etc.) so you can pause or revoke access to a specific scope without affecting the rest of your organization.

Getting started

EKM/BYOK is available to Organization Admins in AI Studio under Admin settings > Encryption.

For step-by-step setup instructions for AWS, GCP, and Azure, see our dev docs here.

⚠️ Note: Revoking a key is a destructive, irreversible operation that permanently removes access to the encrypted data. Consider using Pause first; it is non-destructive and can be undone.

FAQs

What is the difference between EKM and BYOK?

EKM (Encryption Key Management) is the framework for managing encryption key lifecycles. BYOK (Bring Your Own Key) is the implementation mode that lets you supply your own master key from your cloud KMS, rather than using a WRITER-managed key.

Who can enable EKM/BYOK?

Org and IT Admins on Enterprise subscriptions. Other users can access the Encryption settings only after an Organization Admin grants them the required permission.

What are the Pause, Resume, and Revoke actions?

Pause temporarily prevents access to encrypted content without deleting any data — useful during a security investigation. Resume restores access. Revoke permanently removes access to the data encrypted by that key and cannot be undone.

Can I target a single thread or team without affecting the whole workspace?

Yes. WRITER uses nested, granular scopes — you can pause or revoke access at the thread, team, or organization level. Actions cascade down: revoking access to a team automatically affects all content within it.
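The hierarchical scopes described under "What's covered by encryption" and the Pause, Resume and Revoke semantics from the two FAQ answers above, modelled as an added example. This is illustrative code written for this article, not WRITER's implementation: the tree shape (organization > team > thread), the wrapping of each scope's data key under its parent's key, the HMAC-based toy cipher standing in for a real AEAD such as AES-GCM, and the `Scope`, `wrap`, `unwrap`, `readable` and `demo` names are all assumptions of the example. The master key is a constructed byte string standing in for the customer's KMS key.

```python
import hashlib
import hmac
import os


class KeyUnavailable(Exception):
    """Raised when this scope, or any scope above it, is paused or revoked."""


def _keystream_xor(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode, XORed over the data). It
    # stands in for AES-GCM only so the example runs on the standard library;
    # the lesson here is the key hierarchy and its states, not the cipher.
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(kek, plaintext):
    """Encrypt under a key-encryption key; returns nonce || ciphertext."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(kek, nonce, plaintext)


def unwrap(kek, blob):
    return _keystream_xor(kek, blob[:16], blob[16:])


class Scope:
    """A node in the org > team > thread key tree (hypothetical model).

    Each scope's data key exists only in wrapped form: wrapped by the parent
    scope's data key or, at the root, by the master key. In BYOK that master
    key lives in the customer's KMS, which is only ever asked to wrap or
    unwrap; here it is a constructed byte string so the example runs."""

    def __init__(self, name, parent=None, master_key=None):
        self.name, self.parent, self.paused = name, parent, False
        self._master_key = master_key
        data_key = os.urandom(32)
        kek = master_key if parent is None else parent._data_key()
        self._wrapped = wrap(kek, data_key)
        del data_key, kek  # plaintext keys are never retained

    def _data_key(self):
        # Walk up to the master key. A paused or revoked ancestor raises here,
        # which is what makes Pause and Revoke cascade to everything below it.
        if self._wrapped is None:
            raise KeyUnavailable(f"{self.name}: revoked")
        if self.paused:
            raise KeyUnavailable(f"{self.name}: paused")
        kek = self._master_key if self.parent is None else self.parent._data_key()
        return unwrap(kek, self._wrapped)

    def encrypt(self, plaintext):
        return wrap(self._data_key(), plaintext)

    def decrypt(self, blob):
        return unwrap(self._data_key(), blob)

    def pause(self):
        self.paused = True  # reversible: key material is untouched

    def resume(self):
        self.paused = False

    def revoke(self):
        self._wrapped = None  # irreversible: the wrapped data key is destroyed


def readable(scope, blob):
    # True if the scope can still decrypt blob, False if access is blocked.
    try:
        scope.decrypt(blob)
        return True
    except KeyUnavailable:
        return False


def demo():
    """Pause, resume, then revoke one team; record the effect on that team's
    thread and on a sibling team under the same organization."""
    org = Scope("org", master_key=os.urandom(32))  # constructed stand-in for the KMS key
    team_a, team_b = Scope("team-a", parent=org), Scope("team-b", parent=org)
    thread = Scope("thread-1", parent=team_a)

    msg = b"constructed sample message"  # constructed test data
    ct, ct_b = thread.encrypt(msg), team_b.encrypt(b"sibling team content")
    results = {"roundtrip": thread.decrypt(ct) == msg}

    team_a.pause()  # e.g. during an investigation: block the team, keep the data
    results["pause_cascades_to_thread"] = not readable(thread, ct)
    results["pause_spares_sibling"] = readable(team_b, ct_b)

    team_a.resume()
    results["resume_restores"] = thread.decrypt(ct) == msg

    team_a.revoke()  # destructive: nothing below team-a can be recovered
    results["revoke_cascades_to_thread"] = not readable(thread, ct)
    results["revoke_spares_sibling"] = readable(team_b, ct_b)
    return results
```

Running `demo()` shows why the two actions differ in weight: Pause is a flag checked on the path to the master key, so clearing it restores every thread under the team, while Revoke discards the only copy of the team's wrapped data key, after which the thread's own wrapped key can never be unwrapped again. A sibling team is untouched by either, because its wrapping chain runs through the organization key rather than through team-a.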

What cloud KMS providers does WRITER support?

AWS KMS, Google Cloud KMS (GCP), and Azure Key Vault.

Where can I find setup instructions?

Full setup guidance for each cloud provider is available in our dev docs here.
