# Encryption Key Management

Data in Workato is encrypted at rest and in transit. At rest, data is encrypted using a top-level encryption key and a multi-level key hierarchy. Encryption keys are unique to each workspace, thereby limiting vulnerabilities and ensuring your data is separate from other workspaces.


# How It Works


Need a primer on the terms in this guide? Refer to the glossary to get started.

The foundation for Workato's encryption key management is a hierarchical key model. The key hierarchy consists of several levels of keys, where each level of keys encrypts the keys in the level beneath it:

[Figure: Encryption key management key hierarchy]

This multi-level approach to encryption reduces the risk of exposure by limiting the data a single key can access. If, for example, a data key for a job is compromised, the exposure is limited only to that specific job.

Workato's key hierarchy consists of three levels:

# Top Level

At the top of the hierarchy is the Customer Main Key (CMK), which is unique to the workspace and encrypts all other keys in the hierarchy.

The CMK can be one of the following:

  • Workato-managed, meaning Workato creates, owns, and manages the key on your behalf. Your workspace will use a Workato-managed key unless you bring your own key.

  • Customer-managed, meaning that you own and manage the key. You provide the key reference or material to Workato.

# Intermediate Level

Acting as an intermediate between the CMK and job data are hourly keys. A new hourly key is generated each hour and is used to encrypt all job data that occurs during the following hour. The use of hourly keys reduces potential exposure in case of key compromise to a single hour's worth of job data.

# Data Level

At the last level in the hierarchy are keys that encrypt your actual data:

  • Connection keys: A unique, connection-specific key used to encrypt connection data.

  • Data (job) keys: A unique, job-specific key used to encrypt job data. Hourly keys encrypt data keys.

  • Log key: A unique key used to encrypt log data.

# Keys And Environments


This section is applicable if your account has the Environments feature enabled.

If you're using Environments, Workato will use a unique Customer Main Key for each environment:

[Figure: Overview of Encryption Key Management with Environments]

# Affected Data

Encryption Key Management currently affects the following types of data in Workato:


Table Storage and Workflow apps data use filesystem-level encryption instead of a Customer Main Key (CMK).

# Connection Data

Connection data includes details about connections in the workspace. Connection data is encrypted using the following hierarchy:

[Figure: Key hierarchy for connection data]

# Job Data

Job data includes job metadata (title, completion, report, result, etc.) and details (snapshot and line details).

Job data - except for the trigger event - is encrypted using the following hierarchy:

[Figure: Key hierarchy for job data]

Trigger events are only encrypted with an hourly key, whereas other job data is encrypted with an hourly key and a data key.

# Log Data

Log data includes log entries in Workato's Logging service.

[Figure: Key hierarchy for log data]

# Key Management


If you're using the Environments feature, note that the info in this section applies to a single environment and not the workspace as a whole.

This section explains how key types are managed, including key replacement (rotation), revocation, access, and deletion.

# Customer Main Key

How a Customer Main Key is managed depends on whether you're using the Enterprise Key Management feature to bring your own key:

# Customer-managed key

All aspects of a customer-managed key are controlled by you.

  • Rotation: Key rotation/replacement is a manual process unless auto-rotation is enabled in the KMS. If auto-rotation is enabled - which we recommend as a best practice - rotation is handled by the KMS, and no updates will be necessary in Workato.

    If replacing a key in Workato, however, note that:

    • Replacing a key in Workato is allowed once per 24-hour period.
    • Workato will repack the key hierarchy when a key is replaced. This process can take some time.
    • If auto-rotation is enabled in the KMS, Workato will automatically use the latest generation of the key. No replacement in Workato is necessary.
  • Access restriction: If key access is restricted, encrypted data will be available for a short time due to caching. The current time-to-live for the key cache is five (5) minutes.

  • Revocation and deletion: When a key is deleted or revoked, encrypted data will be unavailable to all users in the workspace. Note: If the revocation or deletion is permanent, the data in Workato will be permanently inaccessible.

# Workato-managed key

If using a Workato-managed key, Workato manages all aspects of the key.

  • Rotation: Automatic. Workato will rotate the key at least once per year.

  • Access restriction: Managed automatically by Workato.

  • Revocation and deletion: Managed automatically by Workato.

# Hourly Keys

To minimize vulnerabilities, Workato will generate new hourly keys every hour. Hourly keys are used to encrypt data keys, which in turn encrypt job data.

Let's take a look at an example:


12:00 PM:

  • A new hourly key (key1) is generated. This key is considered the current active key and will be used to encrypt data from jobs that run during this hour, that is, between 12:00 PM and 1:00 PM.


12:05 PM:

  • Two jobs - job1 and job2 - complete
  • key1 encrypts the data keys associated with these jobs

1:00 PM:

  • key1 becomes inactive. key1 can now only decrypt data.
  • A new key - key2 - is generated and becomes active

1:15 PM:

  • Two jobs - job3 and job4 - complete
  • key2 encrypts the data keys associated with these jobs

2:00 PM:

  • key2 is rotated and becomes inactive. key2 can now only decrypt data.
  • A new key - key3 - is generated and becomes active.
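
The three-level hierarchy and the hourly timeline above can be modelled in a few lines. This is an added example, not Workato's code: the `Workspace` class, the record layout, and the `seal`/`unseal` helpers (a toy HMAC-based cipher standing in for AES-GCM or a KMS wrap call) are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Keystream = HMAC(enc subkey, nonce || counter); XOR is its own inverse.
    ks = b"".join(_sub(_sub(key, b"enc"), nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    # Toy encrypt-then-MAC; stands in for AES-GCM or a KMS wrap call.
    nonce = os.urandom(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered data")
    return _xor(key, nonce, ct)

class Workspace:
    def __init__(self):
        self.cmk = os.urandom(32)   # top level: Customer Main Key
        self.hourly = {}            # hour label -> hourly key, wrapped by the CMK
    def hourly_key(self, hour, create=False):
        if create and hour not in self.hourly:   # only the active hour mints a key
            self.hourly[hour] = seal(self.cmk, os.urandom(32))
        return unseal(self.cmk, self.hourly[hour])  # KeyError for unknown hours
    def store_job(self, now, data):
        # `now` is a datetime; the active hourly key wraps a fresh per-job data key.
        hour, data_key = now.strftime("%Y-%m-%d %H"), os.urandom(32)
        wrapped = seal(self.hourly_key(hour, create=True), data_key)
        return {"hour": hour, "wrapped_key": wrapped, "body": seal(data_key, data)}
    def read_job(self, rec):
        data_key = unseal(self.hourly_key(rec["hour"]), rec["wrapped_key"])
        return unseal(data_key, rec["body"])

def exposed_by(leaked_hourly_key, records):
    # Blast radius: job bodies readable by someone holding one hourly key.
    readable = []
    for rec in records:
        try:
            readable.append(unseal(unseal(leaked_hourly_key, rec["wrapped_key"]), rec["body"]))
        except ValueError:          # wrapped under a different hourly key
            pass
    return readable
```

Storing job1 and job2 at 12:05 PM and job3 and job4 at 1:15 PM, then passing key1 to `exposed_by`, returns only the first two job bodies; reads of older jobs go through `read_job`, which never creates a key for a past hour.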

Last updated: 2/13/2024, 1:10:22 AM