This page covers how Writer encrypts data at rest and how organization admins can control encryption keys, manage scopes, and connect an external KMS for bring-your-own-key (BYOK) encryption.
Encryption is available on Enterprise plans. Organization admins can manage
encryption settings in AI Studio > Admin Settings > Encryption.
How encryption works
Writer uses envelope encryption. A Data Encryption Key (DEK) encrypts the data, and a Key Encryption Key (KEK) wraps the DEK; the KEK never touches the data directly. Depending on your encryption tier, the KEK resides in either Writer’s KMS (Writer-managed) or your own (BYOK). Encryption requests flow through the following steps:
- Data write: Writer Agent sends data to the EKM service for encryption
- DEK generation: The EKM service generates a unique DEK for the scope
- Key wrapping: The DEK is sent to the KMS (Writer’s or yours) where the KEK wraps it, producing an encrypted DEK (eDEK)
- Storage: Writer encrypts the data with the DEK, discards the DEK from memory, and stores the eDEK alongside the encrypted data
- Data read: To decrypt, Writer sends the eDEK back to the KMS for unwrapping, decrypts the data, then discards the DEK from memory
Supported BYOK providers
Writer supports BYOK with the following KMS providers:
| Provider | Service |
|---|---|
| AWS | AWS KMS |
| Azure | Azure Key Vault |
| GCP | GCP Cloud KMS |
Encryption tiers
Default encryption is included on all plans. Writer-managed and BYOK tiers are available on Enterprise plans at no additional cost.
| | Default (all plans) | Writer-managed (Enterprise) | BYOK (Enterprise) |
|---|---|---|---|
| What’s encrypted | Agent credentials, MCP secrets | All default-tier data plus Playbooks, Skills, and Writer Agent files, messages, and threads | Same as Writer-managed |
| KEK ownership | Writer | Writer | Customer |
| KEK storage | Writer KMS | Writer KMS (AWS or GCP) | Customer KMS (AWS, Azure, or GCP) |
| Revocation | Not available | DEK: self-service; KEK: not available | Fully self-service (DEK and KEK) |
| Audit trail | Writer audit logs | Writer audit logs | Writer audit logs + customer KMS logs |
Encryption currently covers Writer Agent, Connectors, Playbooks, and Skills.
Custom agents and no-code agents are not yet covered.
Scopes
Writer organizes encrypted data into hierarchical scopes, each with its own DEK:
- Organization: Top-level scope covering all encrypted data.
- Team: Groups Writer Agent data by team.
- Thread: Each Writer Agent session gets an isolated DEK.
- MCP connector: All connector secrets share a single scope.
For Writer-managed encryption, organization-scope revocation requires contacting support, to prevent accidental data loss. With BYOK, all scope levels are fully self-service.
Key actions
Organization admins can perform the following actions from the encryption page in AI Studio.
| Action | Effect | Reversible |
|---|---|---|
| Pause | All decryption requests fail immediately, making data temporarily inaccessible until the key is re-enabled. The key and all wrapped DEKs remain intact. | Yes |
| Resume | Restores access to a paused scope. | N/A |
| Revoke | Decryption fails permanently. Depending on your KMS, revocation may mean disabling or scheduling deletion. | No |
| Rotate | Creates a new KEK version and re-wraps all DEKs under it. The old key can be retained for legacy data or decommissioned per your policy. No downtime. | N/A |
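The envelope-encryption flow from "How encryption works" and the Pause, Resume, Revoke and Rotate actions in the table above, modelled end to end in Python. This is an added example, not Writer's code; Writer has not published the internals of its EKM service, and everything here is constructed for illustration: the stdlib-only authenticated cipher stands in for the AES-GCM a real service would use, the `MockKMS`, `EncryptionService` and `Record` names are assumptions, and the actions are modelled at the level of the KEK, which is also what disabling or deleting a BYOK CMK does. It demonstrates the properties the page describes: each scope gets its own DEK, only the wrapped eDEK is stored next to the ciphertext, a paused key blocks reads but leaves data and eDEKs intact, rotation re-wraps eDEKs without touching ciphertext, and a revoked key cannot be resumed.

```python
import hashlib, hmac, os
from dataclasses import dataclass


class KeyUnavailable(Exception):
    """Raised by the KMS when the KEK is paused or revoked."""


# Stdlib-only authenticated encryption (HMAC-SHA256 counter-mode keystream plus
# an HMAC tag, encrypt-then-MAC): a stand-in for AES-GCM, which the envelope
# logic below does not depend on.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, pt):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(_sub(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))


class MockKMS:
    """Stands in for AWS KMS, Azure Key Vault or GCP Cloud KMS (assumed name). KEK
    bytes never leave it; callers only ever see wrapped DEKs (eDEKs)."""
    def __init__(self):
        self.keys = {}  # key_id -> {"versions": [kek, ...], "state": enabled|paused|revoked}

    def create_key(self, kid):
        self.keys[kid] = {"versions": [os.urandom(32)], "state": "enabled"}

    def _usable(self, kid):
        k = self.keys[kid]
        if k["state"] != "enabled":
            raise KeyUnavailable(f"{kid} is {k['state']}")
        return k

    def wrap(self, kid, dek):  # eDEK = KEK version byte + DEK sealed under that version
        versions = self._usable(kid)["versions"]
        return bytes([len(versions) - 1]) + seal(versions[-1], dek)

    def unwrap(self, kid, edek):
        return unseal(self._usable(kid)["versions"][edek[0]], edek[1:])

    def rewrap(self, kid, edek):  # re-wrap under the newest version; the DEK never leaves the KMS
        return self.wrap(kid, self.unwrap(kid, edek))

    def pause(self, kid):  # "Pause" in AI Studio, or disabling the CMK in your own KMS
        if self.keys[kid]["state"] == "enabled":
            self.keys[kid]["state"] = "paused"

    def resume(self, kid):  # undoes a pause only; a revoked key stays revoked
        if self.keys[kid]["state"] == "paused":
            self.keys[kid]["state"] = "enabled"

    def revoke(self, kid):  # "Revoke", or deleting the CMK
        self.keys[kid]["state"] = "revoked"

    def rotate(self, kid):  # new KEK version; older versions stay so existing eDEKs still unwrap
        self._usable(kid)["versions"].append(os.urandom(32))


@dataclass
class Record:
    scope: str
    ciphertext: bytes
    edek: bytes  # stored alongside the ciphertext; useless without the KMS


class EncryptionService:
    """Writer-side half (the EKM service, assumed name): one DEK per scope, held only wrapped."""
    def __init__(self, kms, kid):
        self.kms, self.kid, self.edeks, self.records = kms, kid, {}, []

    def encrypt(self, scope, pt):
        if scope not in self.edeks:  # first write to a scope: new DEK, wrapped by the KMS
            self.edeks[scope] = self.kms.wrap(self.kid, os.urandom(32))
        dek = self.kms.unwrap(self.kid, self.edeks[scope])
        rec = Record(scope, seal(dek, pt), self.edeks[scope])
        del dek  # the plaintext DEK is dropped as soon as the data is sealed
        self.records.append(rec)
        return rec

    def decrypt(self, rec):
        dek = self.kms.unwrap(self.kid, rec.edek)  # KeyUnavailable if the KEK is paused/revoked
        return unseal(dek, rec.ciphertext)

    def rotate(self):  # new KEK version, every eDEK re-wrapped, ciphertext untouched
        self.kms.rotate(self.kid)
        self.edeks = {s: self.kms.rewrap(self.kid, e) for s, e in self.edeks.items()}
        for rec in self.records:
            rec.edek = self.edeks[rec.scope]
```

The Writer-managed and BYOK tiers share this data path; they differ only in which party owns the `MockKMS` role and can therefore call `pause`, `revoke` and `rotate`. Note that `rewrap` keeps the DEK inside the KMS during rotation, so a rotation never exposes key material to the service holding the ciphertext.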
BYOK controls
With BYOK, your customer-managed key (CMK) acts as the KEK and never leaves your cloud provider. Beyond scope-level actions, you can control Writer’s access to all encrypted data directly from your KMS console:
- Disable your CMK: All decrypt operations across your organization fail immediately. Re-enabling the key restores access.
- Delete your CMK: All decrypt operations fail permanently. This is irreversible. Cloud KMS providers generally schedule key deletion with a waiting period rather than deleting immediately; a key pending deletion is already unusable, so decryption fails from the moment you schedule it, and whether you can cancel the deletion before it completes is a property of your KMS, not of Writer.
Next steps
- Set up BYOK encryption to connect your own KMS
- Configure guardrails to enforce content safety and compliance policies
- Configure plugins to stream telemetry and security data to your monitoring platforms