
Enterprise Key Management Guide, Quip

Published: Sep 25, 2023
Description
Learn how to manage your Enterprise Key Management deployment.

 

Solution
Enterprise Key Management (EKM) gives you control over the keys used to encrypt your Salesforce Anywhere (Quip) data. The keys you create are used only to encrypt your content; Quip has no control over them and has only the access you permit.

This guide will walk you through setting up your EKM deployment, from initial setup and logging through key rotation and revocation. To learn more about EKM, see our Security page.
 

Setting up EKM

1. Plan your rollout

Prior to beginning setup, you’ll work hand in hand with your Quip representative to define a rollout plan and schedule for encrypting your documents. We can customize the deployment to your testing and verification needs, whether that means gradually ramping up a percentage of new threads encrypted before fully switching over all your existing content or a rapid deployment of all content simultaneously.

To start planning your rollout, get in touch with your Quip representative. The length of your deployment will depend on your testing and verification needs, as well as the size of your Quip instance.
 

2. Create your keys

  1. Set up Amazon KMS. See their Product Overview and Getting Started Guide.
    1. You can also use CloudHSM via KMS Custom Key Store.
  2. Create three keys in KMS.
    1. Follow the documentation for key creation in the KMS Create Keys guide.
    2. In step 4, Define Key Usage Permissions, scroll down to “Other AWS Accounts”, click “Add another AWS account”, and enter in the Quip AWS account number.
      1. Quip will never be able to access your keys directly. Adding the Quip AWS account here gives permission for us to send encrypted material to your keys using the AWS KMS APIs and get the decrypted material as an API response, but does not give us any other access.
    3. Unless setting up EKM for a VPC, you must create the keys in these regions:
      1. Primary Key: us-west-2
      2. Backup Key 1: us-east-2
      3. Backup Key 2: us-west-1

        If you’re setting up EKM for a VPC, work with your Quip representative to choose the correct regions.

3. Start the setup process

When you’re ready to kick off the encryption process — there’s a deployment plan in place, and you’ve created your keys in KMS — let us know in the admin console.
  1. Go to the Shield Advanced Security tab in your admin console.
  2. Click “Begin Setup” under the Enterprise Key Management heading.
  3. Read the information, check that you understand it, and click “Next”.
  4. Enter the ARNs of your keys, and click Next.
    1. Make sure you’ve granted the correct permissions before completing this step!
    2. You can find the ARNs in your AWS Console. Go to the KMS service, and click “Customer managed keys” in the left sidebar. Then, for each of your keys, click the key to open its key page. Enter the entire string under “ARN”, starting with arn:aws:kms, into the admin console.
  5. Double-check that everything has been entered correctly, and click “Begin Setup”.
  6. That’s it! We’ll begin setup according to the deployment plan. The length of your deployment will depend on your testing and verification needs, as well as the size of your Quip instance.

Revoking key access

Revoking access to a single document

You can respond to targeted security threats or concerns by revoking access to a single document. This will prevent everyone — including all your users, Quip employees, and the Quip service — from decrypting and accessing that document, while your users have uninterrupted access to the rest of their Quip content.

To revoke access to a thread, you’ll use both the Quip admin console and the AWS KMS admin console.

First, you’ll get the secret document ID you’ll use to revoke access to the document. To do that:
  1. Navigate to the Shield Advanced Security tab of the Quip admin console.
  2. Click “Get Document ID”.
  3. Paste in the URL of the document you’d like to block access to, and click “Get Document ID”.
  4. Copy the Document ID that returns on the next modal screen. Save this ID in a safe place (outside Quip), because you’ll need it to restore access later if you choose to do so, and this lookup tool won’t work while access to the document is revoked.

Once you have that identifier, here’s how you revoke access to a specific piece of content:
  1. Open your AWS Console and go to the KMS Service.
  2. Click on one of your keys, scroll down to where it says “Key Policy”, and click Edit.
  3. Paste in this policy:
{
    "Sid": "Deny decryption access to a specific document",
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn:aws:iam::QUIP_AWS_ACCOUNT:root"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "kms:EncryptionContext:RootID": "DOCUMENT_ID"
        }
    }
},
  4. Replace the placeholder QUIP_AWS_ACCOUNT with the same account number you granted access to when setting up EKM.
    1. You can also find the account number by looking for the statement in your Key Policy that begins Sid: Allow use of key, Effect: Allow. Right under those lines is a similar “Principal” statement with the account number.
  5. Replace the placeholder DOCUMENT_ID in the key policy template with your Document ID.
    1. Optionally, you can edit the Sid to include the name of the document, e.g. "Sid": "Deny decryption access to doc 2020 Financials", (keep the Sid a single quoted string so the policy remains valid JSON).
  6. Save the policy.
  7. Repeat steps 2-5 for each of your three keys.
  8. Now return to the Shield Advanced Security tab of the Quip Admin Console.
    1. Scroll down and click the “Clear Document” button.
    2. Enter the Document ID, and click “Clear Downloads” to clear the document from all downloads and caches.
To restore access to the document, delete the policies you added from the Key Policies section in KMS, and again use the Clear Document flow to force the new key policies to take effect in Quip.
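As an added example (not Quip's or AWS's code), the following Python builds the key policy described in this section offline: it fills in both placeholders of the Deny template, adds or removes the per-document Deny statement for the revoke and restore flows, and runs a simplified model of AWS policy evaluation (an explicit Deny overrides any Allow) to show that only the named RootID is blocked while every other document stays readable. The account number, key administrator ARN and Document ID are constructed placeholders; applying the resulting JSON to each of the three keys (in the console, or with aws kms put-key-policy) is a separate step this script does not perform.

```python
"""Build and edit a KMS key policy for the Quip EKM revoke/restore flow.

Added example for this article, not Quip's or AWS's code. The evaluation
logic is a deliberately simplified model of IAM's deny-overrides-allow rule,
covering only the operators and condition keys used by this policy.
"""
import copy
import fnmatch
import json

# Constructed placeholders: substitute the Quip account number you granted
# access to during setup and the Document ID returned by the admin console.
QUIP_AWS_ACCOUNT = "111122223333"
KEY_ADMIN_ARN = "arn:aws:iam::999988887777:root"
DOCUMENT_ID = "EXAMPLEDOCID0001"

ROOT_ID_KEY = "kms:EncryptionContext:RootID"
QUIP_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]


def base_key_policy(quip_account, key_admin_arn):
    """Minimal key policy: administration for the key owner plus the
    cross-account 'Allow use of key' statement the article refers to."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable key administration", "Effect": "Allow",
             "Principal": {"AWS": key_admin_arn}, "Action": "kms:*",
             "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{quip_account}:root"},
             "Action": list(QUIP_ACTIONS), "Resource": "*"},
        ],
    }


def document_deny_statement(quip_account, document_id):
    """The article's Deny template with QUIP_AWS_ACCOUNT and DOCUMENT_ID
    filled in. The Sid carries the document ID so several revocations can
    coexist in one policy."""
    return {
        "Sid": "Deny decryption access to document " + document_id,
        "Effect": "Deny",
        "Principal": {"AWS": f"arn:aws:iam::{quip_account}:root"},
        "Action": list(QUIP_ACTIONS),
        "Resource": "*",
        "Condition": {"ForAnyValue:StringEquals": {ROOT_ID_KEY: document_id}},
    }


def revoked_documents(policy):
    """Document IDs currently denied by this policy."""
    found = set()
    for st in policy["Statement"]:
        cond = st.get("Condition", {}).get("ForAnyValue:StringEquals", {})
        if st["Effect"] == "Deny" and ROOT_ID_KEY in cond:
            found.add(cond[ROOT_ID_KEY])
    return found


def add_document_deny(policy, quip_account, document_id):
    """Return a copy of the policy with the Deny statement appended (idempotent)."""
    updated = copy.deepcopy(policy)
    if document_id not in revoked_documents(updated):
        updated["Statement"].append(document_deny_statement(quip_account, document_id))
    return updated


def remove_document_deny(policy, document_id):
    """Return a copy with the Deny for this document removed (the restore step)."""
    updated = copy.deepcopy(policy)
    updated["Statement"] = [
        st for st in updated["Statement"]
        if st.get("Condition", {}).get("ForAnyValue:StringEquals", {}).get(ROOT_ID_KEY) != document_id
    ]
    return updated


def _principal_matches(st, caller_account):
    arns = st["Principal"].get("AWS", [])
    arns = [arns] if isinstance(arns, str) else arns
    # Account number is the fifth colon-separated field of an IAM ARN.
    return any(a == "*" or a.split(":")[4] == caller_account for a in arns)


def _action_matches(st, action):
    patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_matches(st, encryption_context):
    # Only the encryption-context equality test used above is modelled.
    for key, expected in st.get("Condition", {}).get("ForAnyValue:StringEquals", {}).items():
        actual = encryption_context.get(key[len("kms:EncryptionContext:"):])
        if actual not in ([expected] if isinstance(expected, str) else expected):
            return False
    return True


def decrypt_allowed(policy, caller_account, encryption_context):
    """Simplified IAM evaluation: any matching Deny wins, else need an Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st, caller_account)
                and _action_matches(st, "kms:Decrypt")
                and _condition_matches(st, encryption_context)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    revoked = add_document_deny(base_key_policy(QUIP_AWS_ACCOUNT, KEY_ADMIN_ARN),
                                QUIP_AWS_ACCOUNT, DOCUMENT_ID)
    print(json.dumps(revoked, indent=2))
```

Run it to print the full policy with the Deny in place; the same functions applied to the three regional keys keep their policies in step, and remove_document_deny produces the policy to upload when restoring access (followed, as the article says, by the Clear Document flow).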

Revoking access to the entire site

You can revoke the Quip service’s access to your customer-managed keys by disabling the keys as described in the AWS KMS Documentation. This will prevent everyone — including all your users, Quip employees, and the Quip service — from decrypting and accessing your content.
  • Remember to disable each of your three keys.
  • Note that none of your users will be able to access any of your content while your customer-managed keys are disabled. If you want to revoke decryption access for a single thread while the rest of your Quip content remains in normal operation, see “Revoking access to a single document” above.
To ensure your content is immediately cleared from all caches, search indices, and your users’ downloaded apps, you must also use our Clear Downloads option in the admin console:
  1. Load the admin console for your Quip site, and navigate to the Shield Advanced Security tab.
  2. Scroll down to the “Clear Downloads” section under the Enterprise Key Management heading.
  3. Click the “Clear Site” button and confirm.

To re-enable decryption of your content, re-enable your keys, and again click the “Clear Site” button to force the key settings to take effect immediately.

Knowledge Article Number

000380927

 
Salesforce Help | Article