Customer-Managed Encryption Keys
Customer-Managed Encryption Keys (CMEK) is now Generally Available (GA) and already powering production workloads for our enterprise customers on GCP and AWS. CMEK gives organizations granular control over their data encryption and is designed specifically for teams with stringent security and compliance requirements.
How it works
By default, Chroma manages encryption at rest. With CMEK, you replace our default encryption with your own keys. This guarantees that your data remains opaque to everyone—including Chroma administrators—unless you explicitly authorize access for a specific operation.
With CMEK, instead of Chroma using provider-managed keys, you configure a specific KMS key, grant Chroma's storage service account access to that key, and reference the key in the collection schema. All reads and writes to that collection are then transparently encrypted and decrypted via the cloud service provider's (CSP's) native KMS integration.
Enterprise Readiness
CMEK is designed for high-compliance environments and complements our existing security stack, which includes SOC 2 Type II certification, SSO integration, and BYOC support.
Get Started
To enable CMEK for your Chroma deployment, please reach out to our team.