# Encryption Key Management
Data in Workato is encrypted at rest and in transit. At rest, data is encrypted using a top-level encryption key and a multi-level key hierarchy. Encryption keys are unique to each workspace, thereby limiting vulnerabilities and ensuring your data is separate from other workspaces.
# How It Works
Need a primer on the terms in this guide? Refer to the glossary to get started.
The foundation for Workato's encryption key management is a hierarchical key model. The key hierarchy consists of several levels of keys, where each level of keys encrypts the keys in the level beneath it.
This multi-level approach to encryption reduces the risk of exposure by limiting the data a single key can access. If, for example, a data key for a job is compromised, the exposure is limited only to that specific job.
Workato's key hierarchy consists of three levels:
# Top Level
At the top of the hierarchy is the Customer Main Key (CMK), which is unique to the workspace and encrypts all other keys in the hierarchy.
The CMK can be one of the following:
- Workato-managed, meaning Workato creates, owns, and manages the key on your behalf. Your workspace will use a Workato-managed key unless you bring your own key.
- Customer-managed, meaning that you own and manage the key. You provide the key reference or material to Workato.
# Intermediate Level
Acting as an intermediate between the CMK and job data are hourly keys. A new hourly key is generated each hour and is used to encrypt all job data that occurs during the following hour. The use of hourly keys reduces potential exposure in case of key compromise to a single hour's worth of job data.
# Data Level
At the last level in the hierarchy are keys that encrypt your actual data:
- Connection keys: A unique, connection-specific key used to encrypt connection data.
- Data (job) keys: A unique, job-specific key used to encrypt job data. Hourly keys encrypt data keys.
- Log key: A unique key used to encrypt log data.
# Keys And Environments
This section is applicable if your account has the Environments feature enabled.
If you're using Environments, Workato will use a unique Customer Main Key for each environment.
# Affected Data
Encryption Key Management currently affects the following types of data in Workato:
# Connection Data
Connection data includes details about connections in the workspace. Connection data is encrypted using the following hierarchy:
# Job Data
Job data includes job metadata (title, completion, report, result, etc.) and details (snapshot and line details).
Job data - except for the trigger event - is encrypted using the following hierarchy:
Trigger events are only encrypted with an hourly key, whereas other job data is encrypted with an hourly key and a data key.
# Log Data
Log data includes log entries in Workato's Logging service.
# Key Management
If you're using the Environments feature, note that the info in this section applies to a single environment and not the workspace as a whole.
This section explains how key types are managed, including key replacement (rotation), revocation, access, and deletion.
# Customer Main Key
How a Customer Main Key is managed depends on whether you're using the Enterprise Key Management feature to bring your own key:
# Customer-managed key
All aspects of a customer-managed key are controlled by you.
Rotation: Key rotation/replacement is a manual process unless auto-rotation is enabled in the KMS. If auto-rotation is enabled - which we recommend as a best practice - rotation is handled by the KMS, and no updates will be necessary in Workato.
If replacing a key in Workato, however, note that:
- Replacing a key in Workato is allowed once per 24-hour period.
- Workato will repack the key hierarchy when a key is replaced. This process can take some time.
- If auto-rotation is enabled in the KMS, Workato will automatically use the latest generation of the key. No replacement in Workato is necessary.
Access restriction: If key access is restricted, encrypted data will be available for a short time due to caching. The current time-to-live for the key cache is five (5) minutes.
Revocation and deletion: When a key is deleted or revoked, encrypted data will be unavailable to all users in the workspace. Note: If the revocation or deletion is permanent, the data in Workato will be permanently inaccessible.
# Workato-managed key
If using a Workato-managed key, Workato manages all aspects of the key.
Rotation: Automatic. Workato will rotate the key at least once per year.
Access restriction: Managed automatically by Workato.
Revocation and deletion: Managed automatically by Workato.
# Hourly Keys
To minimize vulnerabilities, Workato will generate new hourly keys every hour. Hourly keys are used to encrypt data keys, which in turn encrypt job data.
Let's take a look at an example:
12:00 PM: A new hourly key (`key1`) is generated. This key is considered the current active key and will be used to encrypt data from jobs that run during this hour or between 12:00 PM and 1:00 PM.
- Two jobs -
- `key1` encrypts the data keys associated with these jobs
- `key1` can now only decrypt data.
- A new key - `key2` - is generated and becomes active
- Two jobs -
- `key2` encrypts the data keys associated with these jobs
- `key2` is rotated and becomes inactive.
- `key2` can now only decrypt data.
- A new key - `key3` - is generated and becomes active.
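
The three-level hierarchy from "How It Works" and the hourly rotation walked through above can be modelled in a few lines. This is an added example, not Workato's code: the `Workspace` class, the AES-256-GCM cipher, the blob layout, and the in-memory CMK are all assumptions made for illustration.

```javascript
// Added illustration of the key hierarchy; not Workato's implementation.
const crypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout (an assumption): iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

class Workspace {
  constructor() {
    this.cmk = crypto.randomBytes(32); // stand-in for the Customer Main Key
    this.hourly = new Map();           // hour bucket -> hourly key, stored wrapped by the CMK
  }
  // Unwrap the hourly key for a bucket; `create` is set only on the encrypt path.
  hourlyKey(hour, create = false) {
    if (create && !this.hourly.has(hour))
      this.hourly.set(hour, seal(this.cmk, crypto.randomBytes(32)));
    return open(this.cmk, this.hourly.get(hour));
  }
  // Encrypt with the key that is active at `nowMs`; each job gets its own data key.
  encryptJob(nowMs, data) {
    const hour = Math.floor(nowMs / 3600000);
    const dataKey = crypto.randomBytes(32);
    return { hour, wrappedKey: seal(this.hourlyKey(hour, true), dataKey),
             body: seal(dataKey, Buffer.from(data)) };
  }
  // Older (inactive) hourly keys are reached only here, to decrypt.
  decryptJob(rec) {
    const dataKey = open(this.hourlyKey(rec.hour), rec.wrappedKey);
    return open(dataKey, rec.body).toString();
  }
}

// Constructed sample: two jobs in the 12:00 hour, one in the 13:00 hour.
const ws = new Workspace();
const noon = Date.UTC(2024, 0, 1, 12, 0);
const jobA = ws.encryptJob(noon + 5 * 60000, 'job A payload');
const jobB = ws.encryptJob(noon + 40 * 60000, 'job B payload');
const jobC = ws.encryptJob(noon + 65 * 60000, 'job C payload');
console.log(ws.decryptJob(jobA), '|', ws.hourly.size, 'hourly keys');
```

Unwrapping job A's data key and trying it on job B's body fails GCM authentication, as does unwrapping job C's data key with the 12:00 hourly key, which is the containment property the hierarchy is meant to provide.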