1 of 1

Manage Encryption Keys

Immuta generates data encryption keys (on a user-defined rollover schedule) to encrypt and decrypt values. This page provides an overview of encryption key management and outlines its configuration options in Immuta.

Use an external key management service

Immuta recommends using an external Key Management Service (KMS) to encrypt or decrypt data keys as needed.

Overview

Immuta encrypts values with data encryption keys, either those that are system-generated or managed using an external key management service (KMS). Immuta recommends a KMS to encrypt or decrypt data keys and supports the AWS Key Management Service. To configure the AWS KMS, complete .

However, if no KMS is configured Immuta will generate a data encryption key on a user-defined rollover schedule, using the most recent data key to encrypt new values while preserving old data keys to decrypt old values. To change the default rollover schedule of 1 year, follow .

1 - Set Up AWS Credentials

Before you can configure the AWS KMS, you need to set up your AWS credentials. Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.

1.1 - Create an IAM Policy

Follow to create an IAM policy to attach to your IAM role. An example is provided below.

Example IAM Policy:

Other ways of setting up AWS credentials can be found .

1.2 Set Up an IAM Role

Choose one of the following options to set up an IAM role:

Attach an . Then, continue to .
If you're running Immuta in Kubernetes (AWS EKS), work with your Immuta Support Professional to set up an IAM role. Then, continue to .
: This option should only be used if Immuta is not running on your AWS infrastructure and you need to leverage a KMS on AWS. For all other scenarios, use one of the options above.

2 - Configure AWS KMS on the App Settings Page

Add the following configuration (with your AWS region and keyId) to the Advanced Configuration section of the App Settings page.

Adding Credentials in the KMS Configuration (not recommended)

Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.

This option should only be used if Immuta is not running on your AWS infrastructure. For example, if you are running Immuta on-prem and need to leverage a KMS on AWS. For all other scenarios, use one of the two other options above.

Before you begin, that will authenticate to Immuta.
Navigate to the App Settings page and add the following configuration (with your AWS keyId, region, and credentials) to the Advanced Configuration section:

Optional: Define Rollover Schedule

Click the App Settings icon in the left sidebar and scroll to the Advanced Configuration section.
Paste the following configuration in the text box, adjusting dataKeyRollOverLength days to your desired schedule:

Manage Encryption Keys

Use an external key management service

Immuta recommends using an external Key Management Service (KMS) to encrypt or decrypt data keys as needed.

Overview

1 - Set Up AWS Credentials

Before you can configure the AWS KMS, you need to set up your AWS credentials. Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.

1.1 - Create an IAM Policy

Follow to create an IAM policy to attach to your IAM role. An example is provided below.

Example IAM Policy:

Other ways of setting up AWS credentials can be found .

1.2 Set Up an IAM Role

Choose one of the following options to set up an IAM role:

Attach an . Then, continue to .
If you're running Immuta in Kubernetes (AWS EKS), work with your Immuta Support Professional to set up an IAM role. Then, continue to .
: This option should only be used if Immuta is not running on your AWS infrastructure and you need to leverage a KMS on AWS. For all other scenarios, use one of the options above.

2 - Configure AWS KMS on the App Settings Page

Add the following configuration (with your AWS region and keyId) to the Advanced Configuration section of the App Settings page.

Adding Credentials in the KMS Configuration (not recommended)

Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.

Before you begin, that will authenticate to Immuta.
Navigate to the App Settings page and add the following configuration (with your AWS keyId, region, and credentials) to the Advanced Configuration section:

Optional: Define Rollover Schedule

Click the App Settings icon in the left sidebar and scroll to the Advanced Configuration section.
Paste the following configuration in the text box, adjusting dataKeyRollOverLength days to your desired schedule:

Manage Encryption Keys

hashtagOverview

hashtag1 - Set Up AWS Credentials

hashtag1.1 - Create an IAM Policy

hashtag1.2 Set Up an IAM Role

hashtag2 - Configure AWS KMS on the App Settings Page

hashtagAdding Credentials in the KMS Configuration (not recommended)

hashtagOptional: Define Rollover Schedule

Manage Encryption Keys

hashtagOverview

hashtag1 - Set Up AWS Credentials

hashtag1.1 - Create an IAM Policy

hashtag1.2 Set Up an IAM Role

hashtag2 - Configure AWS KMS on the App Settings Page

hashtagAdding Credentials in the KMS Configuration (not recommended)

hashtagOptional: Define Rollover Schedule

Overview

1 - Set Up AWS Credentials

1.1 - Create an IAM Policy

1.2 Set Up an IAM Role

2 - Configure AWS KMS on the App Settings Page

Adding Credentials in the KMS Configuration (not recommended)

Optional: Define Rollover Schedule

Overview

1 - Set Up AWS Credentials

1.1 - Create an IAM Policy

1.2 Set Up an IAM Role

2 - Configure AWS KMS on the App Settings Page

Adding Credentials in the KMS Configuration (not recommended)

Optional: Define Rollover Schedule