This page covers how Writer encrypts data at rest and how organization admins can control encryption keys, manage scopes, and connect an external KMS for bring-your-own-key (BYOK) encryption.
Encryption is available on Enterprise plans. Organization admins can manage encryption settings in AI Studio > Admin Settings > Encryption.
How encryption works
Writer uses classic envelope encryption with AES-256-GCM. A Data Encryption Key (DEK) encrypts your data, and a Key Encryption Key (KEK), the master key held in the KMS, wraps the DEK. The KEK never encrypts application data directly. Depending on enrollment, the KEK is stored in Writer’s KMS or your own. Encryption requests flow through the following steps:
- Data write: Writer services send data to the EKM service for encryption.
- DEK generation: The EKM service generates a unique DEK for the scope.
- Key wrapping: The DEK is sent to the KMS (Writer’s or yours), where the KEK wraps it, producing an encrypted DEK (eDEK).
- Storage: Writer encrypts the data with the DEK using AES-256-GCM and stores the eDEK alongside the encrypted data.
- Data read: On retrieval, the DEK is cached in memory with a five-minute TTL. If the DEK is not in the cache, Writer unwraps the eDEK through the KMS and then decrypts; if it is cached, Writer decrypts without contacting the KMS. Writer clears cached DEKs immediately on pause, revoke, or rotate, and when the TTL expires.
Supported BYOK providers
Writer supports BYOK with the following KMS providers:

| Provider | Service |
|---|---|
| AWS | AWS KMS |
| Azure | Azure Key Vault |
| GCP | GCP Cloud KMS |
Encryption tiers
Default encryption is included on all plans. Writer-managed and BYOK tiers are available on Enterprise plans at no additional cost.

| | Default (all plans) | Writer-managed (Enterprise) | BYOK (Enterprise) |
|---|---|---|---|
| What’s encrypted | Agent credentials, MCP secrets | All default-tier data plus Playbooks, Skills, and Writer Agent files, messages, and threads | Same as Writer-managed |
| KEK ownership | Writer | Writer | Customer |
| KEK storage | Writer KMS | Writer KMS (AWS or GCP) | Customer KMS (AWS, Azure, or GCP) |
| Revocation | Not available | DEK: self-service; KEK: not available | Fully self-service (DEK and KEK) |
| Audit trail | Writer audit logs | Writer audit logs | Writer audit logs + customer KMS logs |
Encryption currently covers Writer Agent, Connectors, Playbooks, and Skills. Custom agents and no-code agents are not yet covered.
Scopes
Writer organizes encrypted data into hierarchical scopes, each with its own DEK:
- Organization: Top-level scope covering all encrypted data.
- Team: Groups Writer Agent data by team.
- Thread: Each Writer Agent session gets an isolated DEK.
- MCP connector: All connector secrets share a single scope.
For Writer-managed encryption, revoking at the organization scope requires contacting support, which guards against accidental data loss. With BYOK, all scope levels are fully self-service.
Key actions
Organization admins can perform the following actions from the encryption page in AI Studio.

| Action | Effect | Reversible |
|---|---|---|
| Pause | All decryption requests fail immediately, making data temporarily inaccessible until the key is re-enabled. The key and all wrapped DEKs remain intact. | Yes |
| Resume | Restores access to a paused scope. | N/A |
| Revoke | Decryption fails permanently. Depending on your KMS, revocation may mean disabling or scheduling deletion. | No |
| Rotate | Creates a new KEK version and re-wraps all DEKs under it. The old key can be retained for legacy data or decommissioned per your policy. No downtime. | N/A |
BYOK controls
With BYOK, your customer-managed key (CMK) acts as the KEK and never leaves your cloud provider. Beyond scope-level actions, you can control Writer’s access to all encrypted data directly from your KMS console:
- Disable your CMK: All decrypt operations across your organization fail immediately. Re-enabling the key restores access.
- Delete your CMK: All decrypt operations fail permanently. This is irreversible.
Next steps
- Set up BYOK encryption to connect your own KMS
- Configure guardrails to enforce content safety and compliance policies
- Configure plugins to stream telemetry and security data to your monitoring platforms