# Enterprise Key Management
WHO CAN USE THIS FEATURE?
Enterprise Key Management is an advanced capability of Workato. Reach out to your Workato Customer Success Manager for more info.
If you require control beyond the security Workato provides by default, you can use Workato's Enterprise Key Management (EKM) feature. EKM lets you control access to your workspace's data by directly managing the encryption key at the top of the workspace's key hierarchy.
In this guide, we'll cover:
- How EKM works
- How EKM works with Environments
- How keys are managed
- How to set it up
- Some troubleshooting resources
# How It Works
NEED A REFRESHER?
Check out the Encryption Key Management guide for a primer on Workato's encryption key hierarchy.
With Workato EKM, you directly control the workspace's top-level Customer Main Key, which Workato uses to encrypt other keys in your workspace's key hierarchy.
Using a Key Management Service (KMS) like Amazon Web Services (AWS) KMS, you maintain the key and grant access to Workato through an access policy. This is referred to as bringing your own key (BYOK).
Let's take a look at how EKM works when you bring your own key:
1. You generate a new key and grant Workato access to it. You can do this in AWS KMS through the key's access policy, or by uploading a key material file to Workato.
2. Workato accesses the key and uses it to encrypt the other keys in the hierarchy. Workato's internal Key Management System completes this step automatically once access has been granted.
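As an added example (not Workato's code or documentation), the following Python builds an AWS KMS key policy of the kind the access-policy grant above relies on, then lints it for least privilege. The account ID, the consumer principal ARN and the list of usage actions are placeholders and assumptions made for this example; when you set up EKM, use the principal and permissions Workato gives you.

```python
# Added example (not Workato's code): build a KMS key policy that lets a BYOK
# consumer use a key without controlling it, then lint it for least privilege.
import json

# Assumption: the usual set of actions a service needs to encrypt and decrypt
# with a KMS key. This is not Workato's documented requirement list; use the
# principal and actions Workato provides when you configure EKM.
USAGE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]
# Actions that transfer control of the key itself; the consumer must never get these.
CONTROL_ACTIONS = {
    "kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
    "kms:CreateGrant", "kms:DisableKeyRotation", "kms:DeleteImportedKeyMaterial",
}


def build_key_policy(owner_account_id, consumer_principal_arn):
    """Key policy: the owning account keeps kms:*; the consumer may only use the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnerAccountAdministersKey",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "BYOKConsumerUsesKey",
                "Effect": "Allow",
                "Principal": {"AWS": consumer_principal_arn},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", [])
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)  # bare "*" or a single ARN string


def lint_key_policy(policy, owner_account_id):
    """Return findings (empty list = passes). Checks: the owner keeps admin rights so
    you cannot lock yourself out, no wildcard principal, and no non-owner principal
    receives key-control actions."""
    owner_root = f"arn:aws:iam::{owner_account_id}:root"
    findings, owner_has_admin = [], False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        for principal in _principals(st):
            if principal == "*":
                findings.append(f"{st.get('Sid')}: wildcard principal")
            elif principal == owner_root and "kms:*" in actions:
                owner_has_admin = True
            elif principal != owner_root and actions & CONTROL_ACTIONS:
                bad = ", ".join(sorted(actions & CONTROL_ACTIONS))
                findings.append(f"{st.get('Sid')}: {principal} granted control actions: {bad}")
    if not owner_has_admin:
        findings.append("owner account root lacks kms:* (lock-out risk)")
    return findings


# Placeholder identifiers: 111122223333 stands in for your account; the consumer
# ARN stands in for the principal Workato asks you to authorize.
OWNER = "111122223333"
CONSUMER = "arn:aws:iam::999999999999:root"

GOOD_POLICY = build_key_policy(OWNER, CONSUMER)

# A tempting but unsafe variant: granting the consumer kms:* hands over the key.
BAD_POLICY = json.loads(json.dumps(GOOD_POLICY))
BAD_POLICY["Statement"][1]["Action"] = "kms:*"

if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    print("good policy findings:", lint_key_policy(GOOD_POLICY, OWNER))
    print("bad policy findings:", lint_key_policy(BAD_POLICY, OWNER))
```

The first statement is the one AWS adds to every key policy by default; removing it, or otherwise never granting your own account `kms:*`, is how key owners lock themselves out, so the linter reports its absence. For a principal in another AWS account, the key policy alone is not enough: that account must also grant the same KMS actions in its own IAM policies.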
# Keys And Environments
This section is applicable if your account has the Environments feature enabled.
EKM works with the Environments feature. When the two are used together, you can configure each environment in your workspace with its own Customer Main Key.
# Key Management
If you're using the Environments feature, note that the info in this section applies to a single environment and not the workspace as a whole.
Unlike the Workato-managed key that is used by default, bringing your own key lets you maintain control over all aspects of your workspace's Customer Main Key: rotation and replacement, access, and revocation or deletion, each covered below.
Key rotation or replacement is a manual process unless automatic rotation is enabled in the KMS, which we recommend as a best practice. In AWS KMS, automatic rotation generates new key material behind the same key ID and retains the earlier material, so ciphertext produced under previous generations still decrypts.
When replacing a key in Workato, note that:
- Replacing a key in Workato is allowed once per 24-hour period.
- Workato will repack the key hierarchy when a key is replaced. This process can take some time.
- If auto-rotation is enabled in the KMS, Workato will automatically use the latest generation of the key. No replacement in Workato is necessary.
# Access Restriction
If you restrict Workato's access to the key (for example, by removing the grant from the KMS access policy), encrypted data remains available for a short time because the decrypted key is cached. The current time-to-live for the key cache is five (5) minutes; once it expires, Workato can no longer decrypt the data until access is restored.
# Revocation And Deletion
When a key is deleted or revoked, encrypted data becomes unavailable to all users in the workspace. Deletion is not recoverable: once the key material is gone, nothing encrypted under the key hierarchy can be decrypted again. In AWS KMS, deletion is scheduled with a mandatory waiting period of 7 to 30 days during which it can be cancelled; if you only need to cut off access, disable the key instead, which is reversible.
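The behaviour described in How It Works, Key Management, Access Restriction and this section can be seen end to end in the following added example, which is not Workato's code: a simplified model of a BYOK key hierarchy with a customer-side KMS and a service-side workspace that caches the unwrapped key for five minutes. The cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for AES-GCM so the example runs on the Python standard library alone; Workato's actual primitives, storage layout and class names are not documented on this page, so everything in the model is an assumption made for illustration.

```python
# Added example (not Workato's code): a model of the BYOK key hierarchy showing the
# five-minute key cache, KMS auto-rotation, manual key replacement (repack) and deletion.
# The cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for AES-GCM so the example runs
# on the standard library alone; the classes below are an assumed, simplified model.
import hashlib, hmac, os

CACHE_TTL = 300  # seconds: the five-minute key cache described above


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def wrap(key, plaintext):
    """Encrypt-then-MAC with separate enc/mac subkeys derived from `key`."""
    nonce = os.urandom(16)
    stream = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise PermissionError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))


class CustomerKMS:
    """Customer-side KMS holding the Customer Main Key. rotate() adds a generation but keeps
    old material so existing ciphertext still decrypts, as AWS KMS automatic rotation does.
    access_granted models the key policy grant to Workato; deleted models key deletion."""
    def __init__(self):
        self.generations, self.access_granted, self.deleted = [os.urandom(32)], True, False

    def rotate(self):
        self.generations.append(os.urandom(32))

    def encrypt(self, plaintext):
        self._check_access()
        gen = len(self.generations) - 1            # always the newest generation
        return bytes([gen]) + wrap(self.generations[gen], plaintext)

    def decrypt(self, blob):
        self._check_access()
        return unwrap(self.generations[blob[0]], blob[1:])  # generation is recorded in the blob

    def _check_access(self):
        if self.deleted or not self.access_granted:
            raise PermissionError("Customer Main Key deleted or access denied by key policy")


class Workspace:
    """Service side: stores only the wrapped workspace key; caches the unwrapped key for
    CACHE_TTL seconds after each successful KMS call."""
    def __init__(self, kms, now):
        self.kms, self.now = kms, now
        self.wrapped_key = kms.encrypt(os.urandom(32))
        self._cache = None                         # (plaintext key, expiry)

    def _key(self):
        if self._cache and self.now() < self._cache[1]:
            return self._cache[0]                  # cache hit: no KMS call
        key = self.kms.decrypt(self.wrapped_key)   # cache miss: needs CMK access
        self._cache = (key, self.now() + CACHE_TTL)
        return key

    def store(self, plaintext):
        return wrap(self._key(), plaintext)

    def read(self, blob):
        return unwrap(self._key(), blob)

    def replace_main_key(self):
        """Repack: re-encrypt the workspace key under the current CMK generation."""
        self.wrapped_key = self.kms.encrypt(self._key())


def walkthrough():
    """Constructed scenario; returns whether a workspace user can read data at each step."""
    t, kms = {"now": 0.0}, CustomerKMS()
    ws, secret = Workspace(kms, lambda: t["now"]), b"constructed sample credential"
    blob = ws.store(secret)                        # first use unwraps via KMS and fills the cache

    def readable():
        try:
            return ws.read(blob) == secret
        except PermissionError:
            return False

    seen = {}
    kms.access_granted = False                     # customer restricts access in the KMS policy
    t["now"] += 60
    seen["within_ttl"] = readable()                # still served from the cache
    t["now"] += CACHE_TTL
    seen["after_ttl"] = readable()                 # cache expired, KMS refuses
    kms.access_granted = True
    kms.rotate()                                   # auto-rotation: old generation still decrypts
    seen["after_rotation"] = readable()
    ws.replace_main_key()                          # manual replacement repacks under the new generation
    seen["after_repack"] = readable()
    kms.deleted = True                             # deletion: data unavailable once the cache expires
    t["now"] += CACHE_TTL + 1
    seen["after_deletion"] = readable()
    return seen


if __name__ == "__main__":
    print(walkthrough())
```

Two details worth noting in the model: after the KMS denies access, reads keep succeeding until the cache entry expires, which is exactly the five-minute window described above; and after `rotate()` the workspace keeps working without any action because the wrapped key records which generation encrypted it, whereas `replace_main_key()` is the explicit repack that a manual replacement in Workato triggers. Once `deleted` is set, no cache refill is possible and the data is gone for every user of the workspace.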
# Supported Key Management Services
Workato EKM currently supports bringing your own key from AWS KMS, with access granted through the key's access policy, or by uploading a key material file to Workato, as described above.
Need some help? Refer to the EKM troubleshooting guide for assistance.