Manage your encryption keys (BYOK)
Coveo is always striving to meet the needs of its most security-conscious customers. Therefore, it offers bring-your-own-key (BYOK) encryption of its index data as a security enhancement.
Note: BYOK encryption is in open beta. Contact your Coveo representative for support in adopting it.
This page explains how to create your own encryption keys in AWS KMS, bring them to Coveo, and how to manage these keys afterwards.
For details about how encryption works at Coveo, see Bring-your-own-key (BYOK) data encryption at Coveo.
Key requirements
To encrypt your Coveo index data at rest, you must provide a key that meets the following requirements:
- It's provisioned by AWS Key Management Service (KMS).
- It allows the following actions to be performed on it:
  - kms:CreateGrant
  - kms:Decrypt
  - kms:DescribeKey
  - kms:Encrypt
  - kms:GenerateDataKey
  - kms:GenerateDataKeyWithoutPlaintext
Your Coveo representative will provide you with the region in which you should create your primary key and the regions in which you should create replicas.
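As an added check that is not part of Coveo's documentation or templates, the script below reads a KMS key policy (a bare policy document or the output of `aws kms get-key-policy --policy-name default`) and reports which of the six required actions are not granted to a given principal. The Coveo principal ARN and the sample policy are constructed placeholders.

```python
"""Check a KMS key policy for the six actions the BYOK key must allow."""
import fnmatch
import json

# Actions listed under "Key requirements" on this page.
REQUIRED_ACTIONS = (
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
)

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))

def load_policy(text):
    """Accept either a bare policy document or the JSON that
    `aws kms get-key-policy --policy-name default` prints (Policy is a string)."""
    doc = json.loads(text)
    return json.loads(doc["Policy"]) if "Policy" in doc else doc

def missing_actions(policy, principal_arn):
    """Required actions not granted to principal_arn. Wildcards such as
    kms:* or kms:Generate* are honoured; Deny statements override Allow.
    Condition blocks are not evaluated (assumption: treat them as satisfied)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if principal_arn not in _principals(stmt) and "*" not in _principals(stmt):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in REQUIRED_ACTIONS
                      if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]

# Constructed sample: the key owner's account root gets kms:*, while the
# (placeholder) Coveo principal is granted only five of the six required actions.
COVEO_PRINCIPAL = "arn:aws:iam::000000000000:root"  # placeholder, not a real Coveo account
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": COVEO_PRINCIPAL},
         "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                    "kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("missing for Coveo principal:", missing_actions(SAMPLE_POLICY, COVEO_PRINCIPAL))
```

Run it against your real key policy by replacing SAMPLE_POLICY with `load_policy(open("policy.json").read())` and COVEO_PRINCIPAL with the ARN your Coveo representative gives you.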
Add an encryption key to Coveo
To encrypt your index data at rest with your own key, you must first create the key in AWS KMS. Coveo has created AWS CloudFormation templates for you to use.
Then, you’ll enter your key in the Encryption keys (BYOK) (platform-ca | platform-eu | platform-au) subtab of the Settings page, and activate it.
Note: You're solely responsible for storing, managing, and safeguarding your keys. Coveo doesn't have access to your keys and can't recover them for you. See What are my responsibilities? for more information.
1. Contact your Coveo representative to activate BYOK encryption for your organization and determine in which regions the primary key and its replicas should be created.
2. Use the AWS Management Console or the AWS Command Line Interface (CLI) to deploy the templates and create the keys.
   - For organizations in the production environment, use this AWS CloudFormation primary key template and this AWS CloudFormation replica key template.
   - For organizations in the HIPAA environment, use this AWS CloudFormation HIPAA primary key template and this AWS CloudFormation HIPAA replica key template.
3. In the Coveo Administration Console, on the Encryption keys (BYOK) (platform-ca | platform-eu | platform-au) subtab of the Settings page, click Add key.
4. Under Encryption key, enter your AWS KMS key.
5. Select whether you want to activate the key right now. An active key is one that Coveo uses to encrypt your index data at rest. For details on key status, see About encryption key status and use.
6. Click Save. If you've activated the key, Coveo immediately starts using it to encrypt your index data at rest. If you haven't activated the key, it will be saved as inactive and can be activated later.
About encryption key status and use
You can see the status of your encryption keys in the Encryption keys (BYOK) (platform-ca | platform-eu | platform-au) subtab of the Settings page. Encryption keys can be either active or inactive, and in use or not.
An active key is one that is currently used to encrypt your index data at rest. There can only be one active key at a time.
An inactive key is one that is not currently used to encrypt data in your Coveo organization, either because it was deactivated or because it was never activated. A key that’s been deactivated is still used to decrypt the backups that were previously encrypted with it, until they’re all expired. An inactive key can be reactivated at any time.
A key is in use if it’s been used to encrypt your index data at rest, including index backups. A key is not in use if it’s never been used to encrypt your index data at rest, or if it was deactivated and all the backups that were encrypted with it have expired.
Rotate an encryption key
Rotating an encryption key means replacing the current active key with a new one, either automatically or manually. This helps protect your data as it limits the amount of data encrypted with a single key.
Coveo recommends you enable KMS automatic key rotation in AWS. This rotation process is transparent to Coveo, so you don’t have to do anything in the Coveo Administration Console.
With automatic key rotation enabled in AWS, you don’t need to manually rotate your encryption key in Coveo on a regular schedule. However, you might still choose to rotate a key on occasion, for example if you suspect it’s been compromised.
To rotate an encryption key manually, add a new key and activate it.
As you activate your new key, the previous active key will become inactive. You can safely delete your previous key once it’s no longer in use, that is, once all index backups that were encrypted with it have expired.
About deleting an encryption key
You may want to delete an encryption key if it’s no longer in use or if you suspect that it’s been compromised.
Note: When you delete a key, Coveo permanently loses access to index backups encrypted with it. Therefore, Coveo recommends that you only delete a key once it's no longer in use, that is, once all the backups that were encrypted with it have expired.
If you delete your active key, Coveo reverts to using its default encryption key until you activate another key. See Bring-your-own-key (BYOK) data encryption at Coveo for details on how Coveo encrypts your data.
Required privileges
The following table indicates the privileges required to view or edit the encryption keys you brought to Coveo on the Settings (platform-ca | platform-eu | platform-au) page. See Manage privileges and Privilege reference for details.
| Action | Service - Domain | Required access level |
|---|---|---|
| View encryption keys | Organization - Organization | View |
| | Organization - Customer keys | View |
| Edit encryption keys | Organization - Organization | View |
| | Organization - Customer keys | Edit |