# Customer Managed Keys

> Use your own AWS KMS key to encrypt data at rest in your Devin Enterprise Dedicated deployment.

## Overview

By default, Cognition encrypts all customer data at rest using Cognition-managed keys. For organizations that require direct control over their encryption keys, Devin supports **Customer Managed Keys (CMK)** using [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/).

With CMK, you provide your own AWS KMS key, and Cognition uses it to encrypt data stored in your dedicated tenant — including session data and VM snapshots. This gives you full control over the key lifecycle, including the ability to rotate, disable, or revoke access at any time.

<Note>
  CMK is available exclusively for **Enterprise Dedicated** deployments and must be configured during initial deployment setup. For more information on deployment models, see [Enterprise Deployment](/enterprise/deployment/overview).
</Note>

## How It Works

In an Enterprise Dedicated deployment, Devin stores customer data in Amazon S3 buckets within your dedicated tenant. When CMK is enabled:

1. Your AWS KMS key is used for **server-side encryption** of all data written to these S3 buckets.
2. Cognition's infrastructure uses the key to encrypt data at write time and decrypt it at read time.
3. You retain ownership of the key in your own AWS account and can manage its lifecycle independently.

If you do not provide a KMS key, Cognition creates and manages an encryption key on your behalf.

## Prerequisites

Before setting up CMK, ensure you have:

* An **Enterprise Dedicated** deployment with Cognition (CMK must be configured during initial deployment)
* An **AWS KMS key** in the **same AWS region** as your Devin deployment
* Permissions to modify your KMS key policy

<Info>
  Contact your Cognition account team to confirm the AWS region of your dedicated tenant.
</Info>

## Setup

### Step 1: Create or Select a KMS Key

Use an existing symmetric AWS KMS key or [create a new one](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the same region as your Cognition dedicated tenant. The key must be a **symmetric encryption key** (the default key type in AWS KMS).

### Step 2: Configure the Key Policy

Update your KMS key policy to allow Cognition's AWS accounts to use the key for encryption and decryption. Add the statement shown in the following policy document to the `Statement` array of your existing key policy (keep your existing statements rather than replacing the whole policy):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::272506498303:root",
                    "arn:aws:iam::063509147090:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```

<Tabs>
  <Tab title="AWS Console">
    1. Open the [AWS KMS Console](https://console.aws.amazon.com/kms).
    2. Select your key and go to the **Key policy** tab.
    3. Choose **Edit**.
    4. Add the statement above to the `Statement` array in your existing key policy.
    5. Save the policy.
  </Tab>

  <Tab title="AWS CLI">
    ```bash
    # First, retrieve your current key policy
    aws kms get-key-policy \
        --key-id <your-key-id> \
        --policy-name default \
        --output text > key-policy.json

    # Edit key-policy.json to add the statement above,
    # then apply the updated policy
    aws kms put-key-policy \
        --key-id <your-key-id> \
        --policy-name default \
        --policy file://key-policy.json
    ```
  </Tab>
</Tabs>

### Step 3: Provide the Key ARN to Cognition

Send your KMS key ARN to your Cognition account team. The ARN has the following format:

```text
arn:aws:kms:<region>:<your-account-id>:key/<key-id>
```

Once Cognition receives your key ARN, the team will configure your dedicated tenant to use it for encryption. No further action is required on your part.
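The "edit key-policy.json" step in the Step 2 CLI tab is easy to get wrong by overwriting the policy instead of extending it. The following added example (not code from the Devin docs or from Cognition) appends the page's statement to a fetched key policy, refuses to proceed if the owning account's `kms:*` root statement is missing, and is safe to re-run; `OWNER_ACCOUNT` and `EXISTING_POLICY` are constructed placeholders, while the Cognition account IDs and actions are the ones from the statement above.

```python
"""Merge the Cognition statement into a fetched KMS key policy (added example,
not from the Devin docs or Cognition). Stands in for the manual "edit
key-policy.json" step of the CLI tab. OWNER_ACCOUNT and EXISTING_POLICY are
constructed placeholders; the Cognition account IDs are the ones on this page."""
import json

OWNER_ACCOUNT = "111122223333"  # placeholder for your own AWS account ID
COGNITION_PRINCIPALS = ["arn:aws:iam::272506498303:root",
                        "arn:aws:iam::063509147090:root"]
COGNITION_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                     "kms:GenerateDataKey*", "kms:DescribeKey"]

# Constructed stand-in for key-policy.json: the default key policy's root statement.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:root"},
                   "Action": "kms:*", "Resource": "*"}],
}

def _as_list(value):
    """IAM accepts a string or a list for Principal.AWS and Action; normalise."""
    return [value] if isinstance(value, str) else list(value or [])

def _aws_principals(statement):
    prin = statement.get("Principal", {})
    return _as_list(prin.get("AWS") if isinstance(prin, dict) else prin)

def owner_keeps_admin(policy, owner_account):
    """True if some Allow statement still grants the owner's root principal kms:*.
    Losing it (e.g. by overwriting the policy) can leave the key unmanageable."""
    root = f"arn:aws:iam::{owner_account}:root"
    return any(st.get("Effect") == "Allow" and root in _aws_principals(st)
               and any(a in ("kms:*", "*") for a in _as_list(st.get("Action")))
               for st in policy.get("Statement", []))

def merge_cognition_statement(policy, owner_account):
    """Return a copy of policy with the Cognition statement appended exactly once."""
    if not owner_keeps_admin(policy, owner_account):
        raise ValueError("refusing: policy lacks the owner's kms:* admin statement")
    merged = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    statements = merged.setdefault("Statement", [])
    if any(set(_aws_principals(st)) == set(COGNITION_PRINCIPALS) for st in statements):
        return merged  # already granted: re-running the script changes nothing
    statements.append({"Effect": "Allow", "Principal": {"AWS": COGNITION_PRINCIPALS},
                       "Action": COGNITION_ACTIONS, "Resource": "*"})
    return merged

if __name__ == "__main__":  # feed the output to `aws kms put-key-policy --policy file://...`
    print(json.dumps(merge_cognition_statement(EXISTING_POLICY, OWNER_ACCOUNT), indent=4))
```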

## Key Management

### Key Rotation

AWS KMS supports [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) for customer managed keys. When enabled, AWS automatically creates new cryptographic material for your key every year while retaining the old material to decrypt previously encrypted data. Cognition recommends enabling automatic key rotation.

### Revoking Access

You can revoke Cognition's access to your KMS key at any time by removing the policy statement added in [Step 2](#step-2-configure-the-key-policy). Note that revoking access will prevent Cognition from reading or writing encrypted data in your tenant, which will disrupt Devin's functionality until access is restored.

<Warning>
  Disabling or deleting your KMS key, or revoking Cognition's access, will make all encrypted customer data in your tenant unreadable. Ensure you understand the implications before making changes to your key or its policy.
</Warning>

### Monitoring Key Usage

You can monitor all usage of your KMS key through [AWS CloudTrail](https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html). CloudTrail logs every API call made to your key, including calls from Cognition's accounts, providing a full audit trail of encryption and decryption operations.
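As an added example of what to look for in that audit trail (not code from the Devin docs), the following script triages KMS records from a CloudTrail export: it counts data-key operations per calling account, flags callers that are not your account or the two Cognition accounts from the key-policy statement, surfaces the management calls the Warning above describes, and reports denied calls, which is what Cognition's traffic looks like after access is revoked. The records and `OWNER_ACCOUNT` are constructed placeholders.

```python
"""Triage KMS CloudTrail records for a CMK shared with Cognition (added example,
not from the Devin docs). Records below are constructed and trimmed to the fields
the checks read; OWNER_ACCOUNT is a placeholder for your account, the two
Cognition account IDs are the ones in the key-policy statement on this page."""
from collections import Counter

OWNER_ACCOUNT = "111122223333"
EXPECTED_CALLERS = {OWNER_ACCOUNT, "272506498303", "063509147090"}
DATA_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
               "GenerateDataKeyWithoutPlaintext"}
# Management calls that make tenant data unreadable or change who may use the key.
ADMIN_EVENTS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}

def _event(time, name, account, arn=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"accountId": account, "arn": arn or f"arn:aws:iam::{account}:root"},
           "recipientAccountId": OWNER_ACCOUNT}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_RECORDS = [  # constructed
    _event("2024-05-01T10:00:01Z", "GenerateDataKey", "272506498303"),
    _event("2024-05-01T10:00:02Z", "Decrypt", "063509147090"),
    _event("2024-05-01T10:05:00Z", "Decrypt", "999988887777"),  # not in the key policy
    _event("2024-05-01T11:00:00Z", "DisableKey", OWNER_ACCOUNT,
           arn=f"arn:aws:iam::{OWNER_ACCOUNT}:role/KeyAdmin"),
    _event("2024-05-01T11:00:30Z", "Decrypt", "272506498303", error="AccessDenied"),
]

def triage(records):
    """Return (data-event counts per calling account, findings needing a human look)."""
    usage, findings = Counter(), []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only key usage is of interest here
        name, ident = rec["eventName"], rec.get("userIdentity", {})
        account, when = ident.get("accountId"), rec["eventTime"]
        if name in DATA_EVENTS:
            usage[account] += 1
            if account not in EXPECTED_CALLERS:
                findings.append(f"{when} {name} by unexpected account {account}")
        elif name in ADMIN_EVENTS:
            findings.append(f"{when} {name} by {ident.get('arn', account)}")
        if rec.get("errorCode"):  # after revoking access these appear for Cognition's accounts
            findings.append(f"{when} {name} by {account} failed: {rec['errorCode']}")
    return usage, findings

if __name__ == "__main__":
    print(*triage(SAMPLE_RECORDS), sep="\n")
```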

## FAQs

<AccordionGroup>
  <Accordion title="Which data is encrypted with my KMS key?">
    Your KMS key is used to encrypt customer data stored in Amazon S3 within your dedicated tenant, including session data and VM snapshots.
  </Accordion>

  <Accordion title="Can I use a KMS key from a different AWS region?">
    No. Your KMS key must be in the same AWS region as your Devin deployment. Contact your Cognition account team to confirm your tenant's region.
  </Accordion>

  <Accordion title="What happens if I don't provide a KMS key?">
    Cognition will create and manage an encryption key on your behalf. All data is still encrypted at rest — CMK simply gives you direct control over the key.
  </Accordion>

  <Accordion title="Is CMK available for Enterprise Cloud deployments?">
    No. CMK is currently available only for Enterprise Dedicated deployments.
  </Accordion>

  <Accordion title="Can I change my KMS key after initial setup?">
    Yes. Contact your Cognition account team to update the KMS key ARN for your tenant. Previously encrypted data will remain encrypted with the original key unless re-encrypted.
  </Accordion>
</AccordionGroup>
