# Enterprise Key Management

WHO CAN USE THIS FEATURE?

Enterprise Key Management is an advanced capability of Workato. Reach out to your Customer Success Manager for more information.

If you require additional control outside of the robust security Workato offers by default, you can utilize Workato's Enterprise Key Management (EKM) feature. EKM allows you to take complete control of your data by directly managing your workspace's encryption keys.


# How it works

NEED A REFRESHER?

Review the Encryption Key Management guide for an overview of Workato's encryption key hierarchy.

With Workato EKM, you directly control the workspace's top-level Customer Main Key, which Workato uses to encrypt other keys in your workspace's key hierarchy.

Using a Key Management Service (KMS) like Amazon Web Services (AWS) KMS, you maintain the key and grant access to Workato through an access policy. This is referred to as bringing your own key (BYOK).

Overview of Enterprise Key Management

To use EKM with your own key, generate a new key and grant Workato access. You can do this in one of the following ways:

  • Configure an access policy in AWS KMS.
  • Upload a key material file to Workato.

After key access is granted, Workato retrieves the key and uses it to encrypt other keys in the hierarchy. Workato's internal KMS completes this process automatically.


# Keys and environments

NOTE

This section is applicable if your account has the Environments feature enabled.

EKM works alongside the Environments feature: when both are enabled, you can configure each environment in your workspace with its own Customer Main Key:

Overview of Enterprise Key Management


# Key management

USING ENVIRONMENTS?

If you're using the Environments feature, note that the information in this section applies to a single environment and not the entire workspace.

Unlike the default Workato-managed key, bringing your own key allows you to maintain control over all aspects of your workspace's Customer Main Key:

# Rotation

Key rotation and replacement are manual processes unless you enable auto-rotation in the KMS, which we recommend as a best practice.

When replacing a key in Workato, note that:

  • Replacing a key in Workato is allowed once per 24-hour period.
  • Workato repacks the key hierarchy when a key is replaced. This process can take some time.
  • If auto-rotation is enabled in the KMS, Workato automatically uses the latest generation of the key. No replacement in Workato is necessary.

# Access restriction

If key access is restricted, encrypted data remains accessible for a short time because Workato caches the key. The current time-to-live for the key cache is five (5) minutes.

# Revocation and deletion

When a key is deleted or revoked, encrypted data becomes unavailable to all users in the workspace.
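The behaviour described in the Rotation, Access restriction and Revocation sections, modelled as an added example (this is not Workato's code): a customer-held main key wraps per-object data keys, key replacement repacks only the wrapped keys, and a cached main key keeps data readable for the cache TTL after access is revoked. The class names, the injected clock and the hash-based XOR wrap are illustrative assumptions, and auto-rotation key generations are not modelled.

```python
import hashlib
import os

def _xor_stream(key, nonce, data):
    # Hash-based CTR keystream; illustrative stand-in for a real wrap (e.g. AES-GCM).
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class CustomerKMS:
    """Stands in for the customer-controlled KMS holding the Customer Main Key."""
    def __init__(self):
        self.main_key, self.access_granted = os.urandom(32), True
    def replace_key(self):             # manual replacement with fresh key material
        self.main_key = os.urandom(32)
    def fetch_main_key(self):
        if not self.access_granted:    # the customer's key policy denies access
            raise PermissionError("key policy no longer grants access")
        return self.main_key

class Workspace:
    """Service side: caches the fetched main key for CACHE_TTL seconds and uses
    it only to wrap per-object data keys, never the data itself."""
    CACHE_TTL = 300  # five minutes, as stated on this page
    def __init__(self, kms, clock):    # clock() -> seconds, injected so tests can advance it
        self.kms, self.clock, self._cached, self.wrapped = kms, clock, None, {}
    def _main_key(self):
        if self._cached and self.clock() - self._cached[1] < self.CACHE_TTL:
            return self._cached[0]     # cache hit: still works after access is revoked
        self._cached = (self.kms.fetch_main_key(), self.clock())
        return self._cached[0]
    def _wrap(self, name, data_key):
        nonce = os.urandom(16)
        self.wrapped[name] = (nonce, _xor_stream(self._main_key(), nonce, data_key))
    def new_data_key(self, name):
        data_key = os.urandom(32)
        self._wrap(name, data_key)
        return data_key
    def unwrap(self, name):
        nonce, blob = self.wrapped[name]
        return _xor_stream(self._main_key(), nonce, blob)
    def repack(self):
        # Key replacement: unwrap with the still-cached old key, then re-wrap under
        # the new one. The bulk data encrypted under those data keys is not touched.
        plain = {name: self.unwrap(name) for name in self.wrapped}
        self._cached = None            # drop the old key so the replacement is fetched
        for name, data_key in plain.items():
            self._wrap(name, data_key)
```

Note that repack must run while the previous main key is still cached, which is why replacement and the repack are a single sequenced operation rather than two independent steps.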


# Supported key management services

Workato EKM currently supports the following:


# Troubleshooting

Need some help? For more information about troubleshooting, see the EKM troubleshooting guide.


Last updated: 2/3/2025, 7:19:51 PM