By default, SmartIQ enables Data Encryption for all cloud environments as well as all new installations by employing an industry standard technique known as key wrapping. Key wrapping is the process of encrypting one key using another key when transmitting and storing data.
SmartIQ uses the Data Encryption Key (DEK) to encrypt the data, which is then encrypted or wrapped using a Key Encryption Key (KEK). The wrapped DEK and KEK are stored/managed in distinct locations. Using key wrapping technologies ensures separation and provides another layer of encryption for different parties.
For example, SmartIQ has the DEK and the customer or tenant has their own KEK. This applies to the SmartIQ environment, as a whole. However, for multi-tenant environments, individual tenants have their own DEKs.
SmartIQ can integrate with the following key wrapping technologies:
Contact SmartIQ Support for information on how to configure the settings.
- Azure Key Vault
- AWS Key Management Service (AWS KMS)
- Hardware Security Modules (HSMs) via the PKCS#11 standard
WARNING: Do NOT lose the key material
If SmartIQ is no longer able to contact the chosen key wrapping technology, SmartIQ will NOT be able to decrypt or unwrap the DEK. Therefore, your data will be lost.
Enabling Data Encryption
The Encrypt Data option will always be on by default for all new installations.
Rotating the Data Encryption Keys
Key rotation is the process of moving to a new Data Encryption Key (DEK). SmartIQ automatically rotates the key every 12 months for compliance with standards.
SmartIQ recommends rotating the DEKs regularly because DEKs are designed to encrypt and decrypt data multiple times. And from the moment of rotation, encryption is performed with the new/current DEK. Stored data might be encrypted using several DEKs over time.
To manually rotate the keys:
Only users with Manage Security permission will be able to access the Security settings in Manage and manually rotate the key.
- Go to the Manage > Settings > Security.
- Under Encryption Keys, you will see the version and expiration date of the current Data Encryption Key.
- Click Rotate Key.
- Click Save to save the changes to the settings.
The system may take up to ten (10) minutes for the previous key to be deactivated from the cache. Restart the site to force the system to use the new key.
Updated 4 months ago