This article is for:
- Org Security Admins
Overview of Bring Your Own Key
Note: To use key management, it needs to be enabled for your organization. For more information, see the BYOK Overview page.
What is key management?
With Key Management, you can bring your own key (BYOK) to encrypt next gen files and data. This allows you to retain control and management of your data by using your own encryption keys. By default, all files and data are encrypted, but some organizations prefer to manage and retain control of data encryption.
Who can use key management?
Only Org Security Admins are able to add or modify key settings. As a best practice, ensure only those you want to have access to keys are designated with this role.
To learn how to assign a role, see Update an Organization Role.
Does key management impact any other features?
The security requirements of key management and BYOK impact a few features in Workiva. The following features are impacted when you upload a key:
- Search Comments in Home - you can no longer search the contents of comments, so the option is disabled.
As you prepare to get started with key management, here are a few best practices:
- Start with your security requirements
Your company’s security requirements and processes determine how and when you interact with Bring Your Own Key. As you get started, plan on how you will generate and store your encryption key based on your security guidelines. Then, create a plan for how you will manage uploading, rotating, or removing your encryption key to ensure that you follow your organization's security requirements.
- Try out key management first
If you are interested in trying out Bring Your Own Key, contact your Customer Success Manager (CSM) before you add a key for your organization. We can create a place for you to test generating and adding a key so you can gain confidence in the process before you upload your encryption key for your organization.
- Perform key management after hours
We recommend that you do any key management actions, such as adding or rotating a key, outside of your normal business hours. Typically there aren't any issues, but it's a best practice to not create or update new data as you add or change an encryption key.
- Select two people to manage your key
We recommend that you assign at least two users with the Org Security Admin role to manage your encryption key. This allows you to have a backup in case one is not available. Also, it's common for the primary org admins to also have the Org Security Admin role so they can see if BYOK is active, but they would be unable to manage the key because they wouldn't have access to the key material.
When you create an encryption key, make sure you have a plan in place for the management and retention of it. Workiva does not keep a copy of your key and you need to make sure you keep it. As a general guideline, work with your company’s information security team for the proper way to generate and store encryption keys. You can upload any file type, as long as it contains binary key content.
- 256-bit symmetric encryption key
- Exactly 32 bytes
- Meets cryptographic randomness
When you upload a key, it is checked to make sure it meets the requirements listed above. This ensures you can generate and test you have a valid key before you confirm and make it active for your organization.
Monitor key activity
All of your key management actions are logged as organization activities, so you can track any time a key is added or modified. Key management activities show as the type of Control and you can click details to see the specific action.
Here are the activities related to key management:
|Add Key||[Name] performed the import action on the newly created BYOK key associated with the organization in the [Workspace Name] workspace.||key-created|
|Open Key Management||[Name] performed the read action on the BYOK key status associated with the organization in the [Workspace Name] workspace.||key-get|
|Remove Key||[Name] performed the revoke action on the BYOK key material associated with the organization in the [Workspace Name] workspace.||key-destroyed|
|Restore Key||[Name] performed the restore action on the BYOK key material associated with the organization in the [Workspace Name] workspace.||key-removed|
|Rotate Key Started||BYOK key associated with the organization (Rotation Started)||rotate-byok-key|
|Rotate Key Finished||BYOK key associated with the organization (Rotation Finished)||rotate-byok-key|