Manage Encryption Keys
Audience: System Administrators
Content Summary: Immuta generates data encryption keys (on a user-defined rollover schedule) to encrypt and decrypt values. This page provides an overview of encryption key management and outlines its configuration options in Immuta.
Use an External Key Management Service
Immuta recommends using an external Key Management Service (KMS) to encrypt or decrypt data keys as needed.
Overview
Immuta encrypts values with data encryption keys, either those that are system-generated or managed using an external key management service (KMS). Immuta recommends a KMS to encrypt or decrypt data keys and supports the AWS Key Management Service. To configure the AWS KMS, complete the steps below.
However, if no KMS is configured Immuta will generate a data encryption key on a user-defined rollover schedule, using the most recent data key to encrypt new values while preserving old data keys to decrypt old values. To change the default rollover schedule of 1 year, follow these steps.
1 - Set Up AWS Credentials
Before you can configure the AWS KMS, you need to set up your AWS credentials. Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.
Set Up an IAM Role
Choose one of the following options to set up an IAM role:
- Attach an IAM role to your AWS EC2 instance.
- If you're running Immuta in Kubernetes (AWS EKS), work with your Immuta Solutions Engineer set up an IAM role.
Adding Credentials in the KMS Configuration (not recommended)
Immuta Cannot Encrypt AWS Access/Secret Keys in KMS Configuration
Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.
Navigate to the App Settings page and add the following configuration (with your AWS
keyId
, region
, and credentials) to the Advanced Configuration section:
plugins:
awsKms:
plugin: awsKms
isKms: true
keyId: <your key id>
region: <your aws region>
extraKmsConfig:
credentials:
accessKeyId: <your access key id>
secretAccessKey: <your secret access key>
sessionToken: <your session token>
Other ways of setting up AWS credentials can be found here.
2 - Configure AWS KMS on the App Settings Page
Add the following configuration (with your AWS region
and keyId
) to the Advanced Configuration section of the
App Settings page.
plugins:
awsKms:
plugin: 'awsKms'
isKms: true
keyId: <your key id>
region: <your aws region>
Optional: Define Rollover Schedule
-
Click the App Settings icon in the left sidebar and scroll to the Advanced Configuration section.
-
Paste the following configuration in the text box, adjusting
dataKeyRollOverLength
days to your desired schedule:schedule: dataKeyRollOverLength: 365