# Key management

Security comes in many forms; one of them is how data is stored securely. This includes encryption at rest and management of the associated encryption keys.

With regulations such as GDPR, data protection has become increasingly important for all organizations, big and small.

# Overview

Workato encrypts all data at rest and in transit. At rest, all data is encrypted with a global key managed by our cloud providers. These keys are rotated at least annually. In addition, Workato encrypts data with secondary, customer-specific keys whose lifetimes are tied to the configured retention period for the data.

New encryption keys are generated as needed, for each customer, on an hourly basis. A newly generated key is the active key and is used to encrypt the data generated during the following hour. An active key becomes inactive one hour after it was generated. Inactive keys are used only for decrypting data. This system has several benefits:

  • Because the encryption key changes every hour, a compromised key exposes only the data that was encrypted under it, limiting the volume of data at risk.
  • Workato follows industry best practice by storing encryption keys and encrypted data in separate storage, providing a greater level of protection against data compromise.
  • At the end of the data retention period, the key used to encrypt the data is deleted, rendering the data inaccessible ("cryptographic erasure").

# How it works

Figure: encryption key rotation (example of encryption key management).

Workato key management generates a new encryption key, Key1, when needed.

  • For the next hour, the newly generated encryption key Key1 is the active key and is used to encrypt the data from Job1 and Job2.
  • At the end of that hour, Key1 becomes inactive and a new active encryption key, Key2, is generated.
  • Key2 is used to encrypt data beginning at 10:00 AM, for Job3 and Job4.
  • Key1, now inactive, is used only for decrypting data.
  • Similarly, Key2 becomes inactive at 11:00 AM and is then used only for decrypting data.
  • When the data retention period for a specific hourly batch of jobs ends, the encryption key for that batch is erased and the encrypted data storage is reclaimed.
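The lifecycle described above and in the overview (hourly active keys, decrypt-only inactive keys, and erasure of a key at the end of its batch's retention period) as an added, self-contained example. This is illustrative code written for this page, not Workato's implementation: the choice of AES-256-GCM, the in-memory key store, the 24-hour retention period and the timestamps are all assumptions constructed for the demo; the page does not state which cipher, key store or retention period the service uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Epoch identifies the hour a key was minted in (hours since the Unix epoch).
type Epoch int64

func epochOf(t time.Time) Epoch { return Epoch(t.UTC().Unix() / 3600) }

// Record is a sealed payload tagged with the epoch of the key that sealed it.
type Record struct {
	Epoch Epoch
	Nonce []byte
	Ct    []byte
}

// KeyManager holds one AES-256-GCM key per hourly epoch; Expire erases keys
// whose hour ended more than the retention period ago.
type KeyManager struct {
	keys      map[Epoch]cipher.AEAD
	retention time.Duration
}

func NewKeyManager(retention time.Duration) *KeyManager {
	return &KeyManager{keys: make(map[Epoch]cipher.AEAD), retention: retention}
}

// active returns this hour's key, minting it on first use.
func (km *KeyManager) active(now time.Time) (cipher.AEAD, Epoch, error) {
	e := epochOf(now)
	if g, ok := km.keys[e]; ok {
		return g, e, nil
	}
	k := make([]byte, 32) // fresh AES-256 key for this hour (assumed cipher)
	if _, err := rand.Read(k); err != nil {
		return nil, 0, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, 0, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, 0, err
	}
	km.keys[e] = g
	return g, e, nil
}

// Encrypt only ever seals with the active key, so inactive keys are by construction
// used for decryption alone. The epoch is bound as associated data, so a record
// cannot be relabelled as belonging to another hour's key.
func (km *KeyManager) Encrypt(now time.Time, plaintext []byte) (Record, error) {
	g, e, err := km.active(now)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(fmt.Sprintf("epoch:%d", e)))
	return Record{Epoch: e, Nonce: nonce, Ct: ct}, nil
}

// Decrypt fails once the record's key has been erased (cryptographic erasure).
func (km *KeyManager) Decrypt(r Record) ([]byte, error) {
	g, ok := km.keys[r.Epoch]
	if !ok {
		return nil, fmt.Errorf("key for epoch %d erased: data unrecoverable", r.Epoch)
	}
	return g.Open(nil, r.Nonce, r.Ct, []byte(fmt.Sprintf("epoch:%d", r.Epoch)))
}

// Expire drops every key whose hour ended at least `retention` ago and returns how many were erased.
func (km *KeyManager) Expire(now time.Time) int {
	n := 0
	for e := range km.keys {
		hourEnd := time.Unix((int64(e)+1)*3600, 0)
		if !now.Before(hourEnd.Add(km.retention)) {
			delete(km.keys, e)
			n++
		}
	}
	return n
}

func main() {
	km := NewKeyManager(24 * time.Hour) // constructed retention period for the demo
	t0 := time.Date(2024, 1, 1, 9, 15, 0, 0, time.UTC)
	r1, _ := km.Encrypt(t0, []byte("job1 output"))
	r3, _ := km.Encrypt(t0.Add(time.Hour), []byte("job3 output"))
	fmt.Println("rotated:", r1.Epoch != r3.Epoch, "erased:", km.Expire(t0.Add(25*time.Hour)))
}
```

Two design points carry over to any real deployment of this pattern: the hour is authenticated as associated data so a stored record cannot be pointed at a different key, and erasure is keyed to the end of the hour the batch was written in plus the retention period, so every job in a batch becomes unrecoverable at the same moment.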

# Do I need to do anything to get these encryption features?

The encryption features described here are completely transparent and automatic for Workato customers; no action is required on your part.