The company behind Milvus, the world’s most widely adopted open-source vector database, today announced the general availability of Customer-Managed Encryption Keys (CMEK) on Zilliz Cloud. The new capability allows enterprises to retain full ownership of their encryption keys, delivering true data sovereignty for AI workloads in regulated industries.
As enterprises embed AI into mission-critical workflows, the sensitivity of the underlying data—customer records, medical images, financial transactions—demands security controls that go beyond standard encryption at rest. Regulatory frameworks such as GDPR, HIPAA, PCI-DSS, and SOC 2 increasingly require organizations to demonstrate exclusive control over their encryption keys, not just the data they protect. For vector database deployments—where embeddings are derived from highly sensitive assets—this requirement is especially acute.
“Security teams in regulated industries don’t just want encryption—they want proof that no one else, including their database vendor, can access their data. CMEK gives enterprises the strongest form of data sovereignty available in a managed service, removing one of the last barriers to deploying AI at scale in healthcare, financial services, and government,” said Charles Xie, Founder and CEO at Zilliz.
Why CMEK Matters for Enterprise AI
CMEK on Zilliz Cloud separates key ownership from data processing, ensuring that Zilliz never possesses or accesses customer encryption keys. Key benefits include:
- True Segregation of Duties: Zilliz processes data while the customer retains exclusive control over encryption keys, creating the clean separation auditors and compliance teams require.
- Instant Revocability: Disabling a key in AWS KMS immediately renders all associated cluster data cryptographically inaccessible—no vendor coordination needed.
- Unified Audit Trails: Every key access event is logged in AWS CloudTrail, integrating directly with existing enterprise security monitoring infrastructure.
Setup takes minutes through the Zilliz Cloud console, with auto-generated IAM policies and support for zero-downtime key rotation.