This article is for:
- Org Security Admins
Once key management is enabled for your organization, you can add an encryption key. This is also known as bring your own key (BYOK).
Note: If you've already added an encryption key and want to change or switch it to another key, see Rotate an encryption key.
Before you add a key
Follow these steps before you add a key:
- Review our best practices and key guidelines along with your required processes around managing encryption keys.
- Assign additional users to the Org Security Admin role so they can manage the encryption key for your organization.
- Generate and securely store the key outside of the Workiva platform, following your guidelines.
- Upload the key to enable Bring Your Own Key for your organization.
- Set a reminder, if needed, to rotate your key based on your security guidelines.
Add an encryption key
Important: Workiva does not have any access to the key you upload. You need to keep and maintain the key.
There are two types of encryption keys you can add: wrapped or plain text.
To add a wrapped encryption key:
- From Organization Admin, click Security.
- From the Key Management tab, click Upload a key.
- For Key Type, select Wrapped key.
- Complete Step 1: Click Download public key and use it to wrap your encryption key.
  Once you download the public key, you have 24 hours to wrap and upload the new key.
- Complete Step 2: Upload your wrapped key.
  This key must be a 256-bit symmetric key wrapped by the public key downloaded in Step 1.
- Click Add Key.
- Check the box to confirm that you'll keep a plain text copy of your key and click Add Key.
Your key will only be stored in AWS KMS. Workiva can't access your key material.
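One way to prepare the wrapped key for Steps 1 and 2 from a shell with OpenSSL, as an added example that is not Workiva's own tooling. It assumes the downloaded public key is a DER-encoded RSA key and that the wrapping scheme is RSAES-OAEP with SHA-256, neither of which this article states; the function names and file names are hypothetical, and the key pair in the self-check is a locally generated stand-in.

```shell
#!/bin/sh
# Added example. ASSUMPTIONS (not stated in the article): the downloaded
# public key is RSA in DER form and the wrapping is RSAES-OAEP with SHA-256.
OAEP="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"

# gen_key OUT: write a 256-bit (32-byte) random key, readable by owner only.
gen_key() {
    ( umask 077 && openssl rand -out "$1" 32 )
}

# wrap_key PUBKEY_DER KEY_FILE OUT: refuse anything that is not exactly
# 32 bytes, then encrypt the key to the public key.
wrap_key() {
    size=$(wc -c < "$2" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "refusing to wrap: key is $size bytes, expected 32" >&2
        return 1
    fi
    # $OAEP is intentionally unquoted so it splits into separate options.
    openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$1" \
        -in "$2" -out "$3" $OAEP
}

# self_check: rehearse the wrap against a locally generated stand-in RSA key
# pair (constructed for this example) and confirm that unwrapping returns the
# same bytes. The real public key is the one downloaded in Step 1.
self_check() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/standin_priv.pem" 2>/dev/null &&
    openssl pkey -in "$dir/standin_priv.pem" -pubout -outform DER \
        -out "$dir/standin_pub.der" &&
    gen_key "$dir/key.bin" &&
    wrap_key "$dir/standin_pub.der" "$dir/key.bin" "$dir/wrapped.bin" &&
    openssl pkeyutl -decrypt -inkey "$dir/standin_priv.pem" \
        -in "$dir/wrapped.bin" -out "$dir/unwrapped.bin" $OAEP &&
    cmp -s "$dir/key.bin" "$dir/unwrapped.bin"
    rc=$?
    rm -rf "$dir"
    return $rc
}

self_check && echo "wrap/unwrap round trip OK"
```

With the real public key, run gen_key and then wrap_key against the downloaded file within the 24-hour window, and move the plain text key file into your own secure storage before uploading the wrapped output.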
Active key status
You’ll see an Active status indicator showing you that your key is now in use. After you add your encryption key, files from that point forward will use the key. Any files created prior will continue to use the default Workiva encryption.