# Encryption at rest DataBrew supports data encryption at rest for DataBrew projects and jobs. Projects and jobs can read encrypted data, and jobs can write encrypted data by calling [Amazon Key Management Service (Amazon KMS)](https://aws.amazon.com/kms/) to generate keys and decrypt data. You can also use KMS keys to encrypt the job logs that are generated by DataBrew jobs. You can specify encryption keys using the DataBrew console or the DataBrew API. **Important** Amazon Glue DataBrew supports only symmetric Amazon KMS keys. For more information, see [Amazon KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in the *Amazon Key Management Service Developer Guide*. When you create jobs in DataBrew with encryption enabled, you can use the DataBrew console to specify S3-managed server-side encryption keys (SSE-S3) or KMS keys stored in Amazon KMS (SSE-KMS) to encrypt data at rest. **Important** When you use an Amazon Redshift dataset, objects unloaded to the provided temporary directory are encrypted with SSE-S3.