Skip to main content
Version: 8.7

FAQ & troubleshooting

Frequently asked questions and troubleshooting guidance for encryption at rest, encryption key types, and external AWS KMS encryption keys in Camunda 8 SaaS.

General questions

What is encryption at rest?

Encryption at rest protects data on storage media (disks or backups) from unauthorized access.

note

Applies to both orchestration clusters and Web Modeler in Camunda 8 SaaS.

Which encryption options are available?

  • Provider-managed (default): Cloud provider keys.
  • Camunda-managed software key: Uses Google KMS at software protection level (FIPS 140-2 Level 1).
  • Camunda-managed hardware key: Uses Google KMS HSM (FIPS 140-2 Level 3).
  • External key: Customer-supplied AWS KMS key (AWS only currently).

Full comparison: encryption at rest

When can I choose the encryption type?

Only during cluster creation. It cannot be changed later.

Is encryption at rest enabled by default?

Yes. All clusters use provider-managed encryption by default.

Camunda-managed keys

  • Software vs. hardware: Software uses FIPS 140-2 Level 1, hardware uses FIPS 140-2 Level 3. Both support zero downtime rotation.
  • Backups always use provider-managed keys.

External encryption keys

  • Use your own AWS KMS key to encrypt cluster data. You control rotation and revocation and are responsible for monitoring via AWS CloudTrail and Amazon CloudWatch.
  • Supported on enterprise plans only.
  • Revoking access immediately blocks cluster access; a new key or restored access is required.
  • Camunda does not store your key.

Setup instructions: external encryption setup guide

Other questions

  • Performance: Minimal impact; handled by AWS KMS.
  • Per-cluster keys: Supported.
  • Encryption in transit: TLS enforced.
  • Cost: Charges apply in your AWS account. See cost implications.

Troubleshooting external encryption keys

IssuePossible causeResolution
Cluster cannot access AWS KMS keyKey policy does not grant the Camunda cluster AWS Role accessUpdate the AWS KMS key policy with the correct AWS Role ARN from the Camunda Console.
Encryption/decryption errorsKey disabled, deleted, or in wrong RegionRe-enable, restore, or create a new key in the correct AWS Region.
CloudTrail does not show activityAWS CloudTrail not enabled or retention too shortEnable AWS CloudTrail in the cluster Region and store logs beyond 90 days. View CloudTrail events
Key rotation issuesCluster encryption update not supportedCreate a new key and associate it with a new cluster. Verify encryption settings before use.
Support

For persistent issues with key policies, Region, or key status, contact AWS support.
For Camunda-specific cluster provisioning issues, contact Camunda support.