# Enterprise Key Management Glossary

In this guide, we'll cover terms related to Workato's Enterprise Key Management (EKM) feature:

# Bring Your Own Key (BYOK)

Bring Your Own Key (BYOK) is an approach to data encryption that allows customers to use their own encryption software and manage their keys externally.

In the case of Workato, this means you can use a service like Amazon Key Management Service (KMS) to manage the Customer Main Key Workato uses to perform data encryption.

# Connection Key

Connection keys (CK) are keys used to encrypt connection data. A unique, connection-specific key encrypts each connection.

Connection keys are encrypted by the account's Customer Main Key (CMK).

# Custom KMS Key

See Customer-managed key.

# Customer-managed Key

A Customer-managed key is a key that you create, own, and manage (BYOK). Keys are created in a key management service or through a library like OpenSSL.

When used in Workato EKM, Workato will use the key you provide as the Customer Main Key to encrypt and decrypt data keys.

# Customer Main Key (CMK)

A Customer Main Key (CMK) is a top-level key that encrypts Connection and Hourly keys.

In Workato, the CMK can be one of the following:

  • Customer-managed - The CMK is a key you generate and provide to Workato. You own and manage the key in the KMS, providing the reference to Workato.
  • Workato-managed - The CMK is a key generated and managed by Workato. Workato owns and manages the key on your behalf.

# Data Key (DK)

Data keys (DK) are keys used to encrypt job data. A unique, job-specific data key encrypts each job. An Hourly key encrypts the job-specific data key.

# Hourly Key (HK)

Hourly keys (HK) are keys used to encrypt job data keys. A new key is generated on an hourly basis.

# Key Management System (KMS)

A Key Management System (KMS) is a system for securely managing cryptographic keys. For example: Amazon Key Management Service (KMS).

# Repacking

Synonymous with re-encryption, repacking occurs when the Customer Main Key is rotated or replaced, whether by you or Workato.

For example: When a new custom key is uploaded to Workato, Workato will repack all connection, hourly, and data keys currently in use.

# Workato KMS Key

See Workato-managed key.

# Workato-managed Keys

A Workato-managed key is a key that Workato creates, owns, and manages on your behalf. A Workato-managed key is synonymous with Workato KMS key.

Unless BYOK is fully configured, Workato will use a Workato-managed key as your account's Customer Main Key to encrypt and decrypt data keys.

All Workato-managed keys are automatically rotated once per year. Currently, this rotation schedule can't be changed.


Last updated: 4/25/2022, 8:31:20 AM