Managing Encryption Keys
To ensure data security, we have implemented an additional level of encryption for PII and let customers manage the encryption keys. Vlocity ensures that nobody, including our own staff, can access this key without explicit authorization from the customer.
The Order Management Plus AWS engine manages production databases that store all the required information, including Personally Identifiable Information (PII). Personally Identifiable Information is encrypted and decrypted using a data encryption key that is only accessible by the customer. To leverage the encryption key, the microservice uses Amazon Web Services Key Management Service (AWS KMS). While AWS KMS does not store and manage the data encryption key, it enables you to store and manage the customer master key. Only customers have access to the customer master key.
Customer master keys are used to encrypt and decrypt data encryption keys. Each data encryption key is stored in a dedicated PostgreSQL database in encrypted form, as a blob. To support data encryption key versions, several data encryption keys are stored along with their version numbers.
When the encryption service starts, it reads all of the data encryption key blobs and their versions from the database and decrypts them using the AWS KMS Decrypt API. The decrypted keys are then held in memory and used for Personally Identifiable Information encryption and decryption.
The database table for storing the keys uses the following format:
- Version: NUMERIC
- Encrypted_Key_Blob: BYTEA
Customers may change the encryption key. Changing the key will lead to a data conversion process where the data encrypted with an old key is replaced with the data encrypted with the new key. Depending on the amount of data present in the database, this process might take a considerable amount of time so there may be a period of overlap where some data is encrypted with the old key and some data is encrypted with the new key. Therefore, the encrypted data will have information about the version of the key that was used to encrypt it.
Customers can also create their own separate AWS accounts purely for managing the customer master key in AWS KMS. Nobody at Vlocity has access to this AWS account. Only a limited set of services running in the Order Management Plus cluster, the UI, and customer integration adapters have access to the customer master key.
You must use the native AWS API for encrypting and decrypting the data. Ensure the key or other sensitive information is not exposed during this process.
We do not have access to any of the following things:
- The ability to SSH to the underlying EC2 host running the services that work with the customer key, perform encryption and decryption, or work with the decrypted customer data.
- Secrets, configuration maps, and pods that are related to the encryption and decryption logic. Those entities are managed either by the customer CI/CD tool or manually by the customer operation team.
- Cluster-admin access to the cluster. The admin API certificate is encrypted by the customer key.
Neither our services nor customer integration adapters log sensitive information to the logging system.
- Perform Data-in-Transit (DIT) Key Change using AWS Lambda
Instead of giving broad permissions to EC2 hosts in the cluster, you can use an AWS Lambda function to perform that particular operation and grant it only the required permissions. You can then call the AWS Lambda function from SFDC directly, or from the Kubernetes cluster if necessary.

