Company
Date Published
Author
Abhinav Garg
Word count
1012
Language
English
Hacker News points
None

Summary

CockroachDB has introduced Customer-Managed Encryption Keys (CMEK) for its managed service, letting customers control how their cluster data is encrypted at rest with keys held in AWS KMS or GCP Cloud Key Management. The feature addresses a common concern with a Database as a Service (DBaaS), namely who controls the keys: with CMEK the customer manages the root key under which cluster data and backups are encrypted. Encryption uses a multi-level key hierarchy. The customer-provided key encrypts a key encryption key (KEK), which in turn encrypts a data encryption key (DEK) unique to each cluster node, and the DEK is what encrypts that node's data. Because the customer key sits at the root of this hierarchy, the customer can rotate it and revoke CockroachDB's access to it, which adds a safeguard against unauthorized access on top of the provider's own controls. CockroachDB reaches the CMEK through cloud-native IAM mechanisms, a cross-account role in AWS and cross-tenant service account delegation in GCP, rather than through any exchange of key material.
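The key hierarchy described above, as an added example that is not CockroachDB's own code: a toy in-process "KMS" stands in for AWS KMS / GCP Cloud KMS, a small encrypt-then-MAC construction built from HMAC-SHA256 stands in for AES-GCM, and the class and function names (`CustomerKms`, `Cluster`, `demo`) are hypothetical. It shows the three properties the summary relies on: a DEK is bound to one node, rotating the root key re-wraps only the KEK, and revoking access to the root key makes every DEK, and therefore all data, unreadable.

```python
"""Added illustration of customer-key -> KEK -> per-node DEK envelope encryption.
Not CockroachDB code; the 'KMS' and cipher below are stand-ins, and the
sample plaintext is constructed for the demo."""
import hashlib
import hmac
import os


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based keystream: HMAC(enc_key, nonce || counter), truncated to length.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Toy encrypt-then-MAC AEAD (stand-in for AES-GCM). Layout: nonce(16) || ct || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKms:
    """Stand-in for the customer's cloud KMS key (hypothetical). The root key never
    leaves this object; the database side may only ask it to wrap or unwrap, and
    only while IAM access (cross-account role / service account delegation) is granted."""

    def __init__(self):
        self._root_key = os.urandom(32)
        self.access_granted = True

    def revoke_access(self):
        self.access_granted = False

    def _check(self):
        if not self.access_granted:
            raise PermissionError("KMS access denied")

    def wrap(self, key_material: bytes) -> bytes:
        self._check()
        return aead_encrypt(self._root_key, key_material, b"kek")

    def unwrap(self, wrapped: bytes) -> bytes:
        self._check()
        return aead_decrypt(self._root_key, wrapped, b"kek")


class Cluster:
    """Database side (hypothetical): stores only wrapped keys, never the root key."""

    def __init__(self, kms: CustomerKms, node_ids):
        kek = os.urandom(32)
        self.wrapped_kek = kms.wrap(kek)  # customer key encrypts the KEK
        # One DEK per node, wrapped under the KEK and bound to its node id via AAD.
        self.wrapped_deks = {n: aead_encrypt(kek, os.urandom(32), n.encode()) for n in node_ids}

    def _node_dek(self, kms: CustomerKms, node_id: str) -> bytes:
        kek = kms.unwrap(self.wrapped_kek)  # every unwrap goes through the customer's KMS
        return aead_decrypt(kek, self.wrapped_deks[node_id], node_id.encode())

    def encrypt(self, kms: CustomerKms, node_id: str, data: bytes) -> bytes:
        return aead_encrypt(self._node_dek(kms, node_id), data)

    def decrypt(self, kms: CustomerKms, node_id: str, blob: bytes) -> bytes:
        return aead_decrypt(self._node_dek(kms, node_id), blob)

    def rotate_root_key(self, old_kms: CustomerKms, new_kms: CustomerKms):
        # Rotation re-wraps only the KEK; DEKs and stored data are untouched.
        self.wrapped_kek = new_kms.wrap(old_kms.unwrap(self.wrapped_kek))


def demo() -> dict:
    kms = CustomerKms()
    cluster = Cluster(kms, ["node-1", "node-2"])
    blob = cluster.encrypt(kms, "node-1", b"constructed row data")
    results = {"roundtrip": cluster.decrypt(kms, "node-1", blob) == b"constructed row data"}
    try:  # node-2's DEK cannot open node-1's data
        cluster.decrypt(kms, "node-2", blob)
        results["per_node_dek"] = False
    except ValueError:
        results["per_node_dek"] = True
    new_kms = CustomerKms()
    cluster.rotate_root_key(kms, new_kms)
    results["after_rotation"] = cluster.decrypt(new_kms, "node-1", blob) == b"constructed row data"
    new_kms.revoke_access()
    try:  # no KMS access -> no KEK -> no DEK -> no data
        cluster.decrypt(new_kms, "node-1", blob)
        results["revoke_blocks"] = False
    except PermissionError:
        results["revoke_blocks"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The toy re-unwraps the KEK on every operation so that revocation shows immediately. A real database caches unwrapped keys in memory, so revoking the IAM grant or disabling the KMS key takes effect the next time a node has to unwrap (for example on restart), which is the caveat to keep in mind when treating revocation as an emergency control.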