Enterprise Key Management

Use a customer-controlled encryption key to enable tokenization in your cloud secrets manager.


Requires an upgraded subscription

This feature is exclusive to our Enterprise Plan. Book a demo to see it in action.

Doppler encrypts and secures your secrets data at rest through a mechanism called tokenization, which ensures our systems only store cryptographic references to your secrets. This is so in the unlikely event of a breach, attackers would only gain access to the secret references (tokens).

Doppler's Enterprise Key Management (EKM) enables a customer-controlled encryption key to be used for encrypting and decrypting secrets an additional time. The EKM encryption key itself is persisted in your cloud KMS.


  • Enterprise subscription with EKM activated
  • Privileged AWS or GCP access to create a new sub-account
  • Advanced level of experience with IAM user permissions and AWS/GCP secrets manager usage

EKM Providers

Reverting back to Doppler's Secret Storage

Migrating back to using Doppler's encryption and tokenization service is as simple as disabling EKM and clicking Save. As this operation is atomic, secret tokenization requests will continue to be fetched from your EKM secrets manager until the migration is complete.


Please ensure that you do not revoke the IAM credentials or KMS key until the migration back has completed.


Are you planning on supporting other Cloud Providers?

Azure Key Vault is on our roadmap

Does Doppler still store my secrets data if using EKM?

EKM is designed to allow customers to control the encryption key used as part of the tokenization process. While the encryption key is persisted in your cloud's secret manager, the sealed secrets data still resides on Doppler's infrastructure.