Doppler encrypts and secures your secrets data at rest through a mechanism called tokenization, which ensures our systems only store cryptographic references to your secrets. This is so in the unlikely event of a breach, attackers would only gain access to the secret references (tokens).
Doppler's Enterprise Key Management (EKM) enables a customer-controlled encryption key to be used for encrypting and decrypting secrets an additional time. The EKM encryption key itself is persisted in your cloud KMS.
- Enterprise subscription with EKM activated
- Privileged AWS or GCP access to create a new sub-account
- Advanced level of experience with IAM user permissions and AWS/GCP secrets manager usage
Migrating back to using Doppler's encryption and tokenization service is as simple as disabling EKM and clicking Save. As this operation is atomic, secret tokenization requests will continue to be fetched from your EKM secrets manager until the migration is complete.
Please ensure that you do not revoke the IAM credentials or KMS key until the migration back has completed.
Azure Key Vault is on our roadmap
EKM is designed to allow customers to control the encryption key used as part of the tokenization process. While the encryption key is persisted in your cloud's secret manager, the sealed secrets data still resides on Doppler's infrastructure.
Updated 5 months ago