# Manage Encryption Keys

Immuta generates data encryption keys (on a user-defined rollover schedule) to encrypt and decrypt values. This page provides an overview of encryption key management and outlines its configuration options in Immuta.

{% hint style="info" %}
**Use an external key management service**

Immuta recommends using an external Key Management Service (KMS) to encrypt or decrypt data keys as needed.
{% endhint %}

## Overview

Immuta encrypts values with data encryption keys, either those that are system-generated or managed using an external key management service (KMS). Immuta recommends a KMS to encrypt or decrypt data keys and supports the AWS Key Management Service. To configure the AWS KMS, complete [the steps below](#id-1-set-up-aws-credentials).

However, if no KMS is configured Immuta will generate a data encryption key on a user-defined rollover schedule, using the most recent data key to encrypt new values while preserving old data keys to decrypt old values. To change the default rollover schedule of 1 year, follow [these steps](#optional-define-rollover-schedule).

## 1 - Set Up AWS Credentials

Before you can configure the AWS KMS, you need to set up your AWS credentials. Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.

### 1.1 - Create an IAM Policy

Follow [AWS documentation](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/iam-examples-policies.html#iam-examples-policies-prerequisites) to create an IAM policy to attach to your IAM role. An example is provided below.

**Example IAM Policy**:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": [
                "{AWS KMS Key ARN}"
            ],
            "Effect": "Allow"
        }
    ]
}
```

Other ways of setting up AWS credentials can be found [here](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html).

### 1.2 Set Up an IAM Role

Choose one of the following options to set up an IAM role:

* Attach an [IAM role to your **AWS EC2 instance**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html). Then, continue to [step 2](#id-2-configure-aws-kms-on-the-app-settings-page).
* If you're running Immuta in Kubernetes (**AWS EKS**), work with your Immuta Support Professional to set up an IAM role. Then, continue to [step 2](#id-2-configure-aws-kms-on-the-app-settings-page).
* [Add credentials in the KMS configuration (not recommended)](#adding-credentials-in-the-kms-configuration-not-recommended): This option should only be used if Immuta is not running on your AWS infrastructure and you need to leverage a KMS on AWS. For all other scenarios, use one of the options above.

## 2 - Configure AWS KMS on the App Settings Page

Add the following configuration (with your AWS `region` and `keyId`) to the **Advanced Configuration** section of the App Settings page.

```yaml
plugins:
  awsKms:
    plugin: 'awsKms'
    isKms: true
    keyId: <your key id>
    region: <your aws region>
```

### Adding Credentials in the KMS Configuration (not recommended)

{% hint style="warning" %}
Immuta cannot encrypt the AWS access/secret keys in the KMS configuration, so we recommend using IAM roles.
{% endhint %}

This option should only be used if Immuta is not running on your AWS infrastructure. For example, if you are running Immuta on-prem and need to leverage a KMS on AWS. For all other scenarios, use one of the two other options above.

1. Before you begin, [create a secret access key and an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) that will authenticate to Immuta.
2. Navigate to the **App Settings** page and add the following configuration (with your AWS `keyId`, `region`, and credentials) to the **Advanced Configuration** section:

   ```yaml
   plugins:
     awsKms:
       plugin: awsKms
       isKms: true
       keyId: <your key id>
       region: <your aws region>
       extraKmsConfig:
         credentials:
           accessKeyId: <your access key id>
           secretAccessKey: <your secret access key>
           sessionToken: <your session token>
   ```

## Optional: Define Rollover Schedule

1. Click the App Settings icon in the left sidebar and scroll to the **Advanced Configuration** section.
2. Paste the following configuration in the text box, adjusting `dataKeyRollOverLength` days to your desired schedule:

   ```yaml
   schedule:
     dataKeyRollOverLength: 365
   ```