
Frequently asked questions about customer-managed keys (CMK)

I can't see the Security tab on the Settings page even though my organization has the appropriate license. Why not?
Log in to Informatica Intelligent Cloud Services with a user account that has both the Admin and Key Admin roles. If you don't have both roles, you can't see the Security tab.
For more information about user roles, see User Administration.
When I clicked Test Managed Key on the Settings page, the test failed. What should I do?
If you get an error when testing the key, perform the following checks:
If you continue to encounter errors, contact Informatica Global Customer Support.
What happens if the CMK is rotated in my KMS?
You can rotate the key in your cloud KMS manually or on a schedule. Rotating a key creates a new version of the key. The old version of the key remains in your cloud KMS and is used for decryption only.
Informatica Intelligent Cloud Services detects key rotation on Azure Key Vault and Google Cloud KMS. When the CMK is rotated, Informatica Intelligent Cloud Services decrypts your organization's keys using the old CMK and then encrypts them using the new CMK.
Informatica Intelligent Cloud Services cannot detect key rotation on AWS KMS. If you use AWS KMS, you'll need to disable customer-managed keys in Informatica Intelligent Cloud Services and then re-enable them. To do this, perform the following steps:
  1. On the Settings page in Administrator, click the Security tab and note the Key ARN and Role ARN.
  2. Disable the Enable Customer Managed Keys option.
  3. Enable the Enable Customer Managed Keys option, reenter the key ARN and role ARN, and click the save icon.
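Because rotation on AWS KMS is not detected automatically, something on the customer side has to notice it. The following added example (not Informatica's code) scans CloudTrail records for rotation of the CMK and, going beyond the rotation case, also flags the disable and deletion events discussed later in this FAQ. The key ARNs and log records are constructed placeholders.

```python
import json

# Constructed placeholders: not real account IDs, key IDs or log data.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
OTHER_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"

def _rec(time, name, arn, **extra):
    """Build one constructed CloudTrail-style KMS record."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
            "resources": [{"type": "AWS::KMS::Key", "ARN": arn}], **extra}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T02:00:00Z", "RotateKey", KEY_ARN, eventType="AwsServiceEvent"),
    _rec("2024-05-01T02:05:00Z", "Decrypt", KEY_ARN),            # routine use, ignored
    _rec("2024-05-02T09:30:00Z", "ScheduleKeyDeletion", KEY_ARN),
    _rec("2024-05-02T10:00:00Z", "DisableKey", KEY_ARN, errorCode="AccessDenied"),
    _rec("2024-05-03T00:00:00Z", "RotateKey", OTHER_ARN),        # a different key
]})

# Follow-up per event, taken from the procedures on this page.
ROTATED = "rotated: disable and re-enable CMK in Administrator, re-entering key ARN and role ARN"
FOLLOW_UP = {
    "RotateKey": ROTATED,            # automatic rotation
    "RotateKeyOnDemand": ROTATED,    # manual rotation
    "DisableKey": "disabled: jobs using encrypted data fail until the key is reactivated",
    "ScheduleKeyDeletion": "deletion scheduled: disable the CMK option in Administrator first",
}

def cmk_events(log_text, key_arn):
    """Return (time, event, follow-up) for successful lifecycle events on key_arn."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("errorCode"):     # the call failed, so the key state did not change
            continue
        arns = {r.get("ARN") for r in rec.get("resources") or []}
        name = rec.get("eventName")
        if key_arn in arns and name in FOLLOW_UP:
            findings.append((rec["eventTime"], name, FOLLOW_UP[name]))
    return sorted(findings)          # ISO 8601 timestamps sort chronologically

if __name__ == "__main__":
    for when, name, todo in cmk_events(SAMPLE_LOG, KEY_ARN):
        print(f"{when}  {name:<20} {todo}")
```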
What if I need to update the CMK in my KMS?
If you need to update the CMK, first provision a new CMK in your cloud KMS. Then update the key details on the Settings page in Administrator.
Note: Be sure to keep the old version of the CMK in your cloud KMS active until you update the key details in Administrator.
You can delete the old version of the CMK in your cloud KMS after you update the key details on the Settings page.
What if I want Informatica to manage key encryption?
If you want Informatica to manage key encryption, you can disable the Enable Customer Managed Keys option on the Settings page in Administrator:
The Enable Customer Managed Keys option appears on the Security tab of the Settings page. When you disable this option, a warning message appears. Click Continue to disable the option.
When you do this, be sure to keep the current version of the CMK in your cloud KMS active. If the CMK is not active, disabling customer-managed keys fails.
When you disable this option, your organization's encryption keys are once again encrypted using encryption keys that are managed by Informatica. It can take up to 10 minutes for the Informatica encryption keys to become active.
You can disable or delete the CMK in your cloud KMS after you disable the Enable Customer Managed Keys option in Administrator.
What if I want to temporarily revoke Informatica's access to the CMK?
If you want to temporarily revoke Informatica's access to the CMK, you can disable the key in your cloud KMS.
When you disable the CMK, Informatica Intelligent Cloud Services can no longer decrypt your organization's encrypted data, and any jobs that use the data will fail until you reactivate the CMK in your cloud KMS.
How do I replace the CMK if I suspect it has been compromised?
If you want to replace the CMK, you can delete the key in your cloud KMS and create a new one.
Warning: Deleting the CMK in your cloud KMS results in permanent loss of any encrypted data in Informatica Intelligent Cloud Services and causes the jobs that use the data to fail.
If you need to replace the CMK, perform the following steps so that you don't lose access to the encrypted data and jobs don't fail:
  1. In Administrator, open the Settings page, click the Security tab, and disable the Enable Customer Managed Keys option.
  2. In your cloud KMS, delete the CMK.
  3. In your cloud KMS, create a new CMK.
  4. On the Settings page in Administrator, re-enable the Enable Customer Managed Keys option and enter the details for the new CMK.
Can I delete the CMK if I don't want Informatica to access any of my encrypted data?
Warning: Deleting the CMK in your cloud KMS results in permanent loss of any encrypted data in Informatica Intelligent Cloud Services and causes the jobs that use the data to fail.
If you're sure that you want Informatica to forgo all access to your encrypted data in Informatica Intelligent Cloud Services, you can delete the CMK in your cloud KMS.
What happens if I revoke my CMK?
It is critical that you disable the CMK option from Administrator before revoking your CMK. Otherwise, your organization will be disabled and users can't log in. At this point, it's no longer possible to disable the CMK option because you can't access Administrator.
Requests authenticated using existing JWT tokens will continue to be honored until the tokens expire. Some jobs or processes that were already running at the time of revocation might continue to execute.
To disable the CMK option, clear the check box for Enable Customer Managed Keys, as described in Creating and enabling a customer-managed key.
To restore your organization to normal operation, replace your revoked key with a new valid key.
What is the service level agreement after revoking a CMK?
If a CMK is revoked without first being disabled from Administrator, Informatica Intelligent Cloud Services will invalidate all active sessions within 10 minutes. Attempts to log in to the organization will fail until the CMK is reactivated in the customer's cloud KMS account.
What is the impact of a POD's disaster recovery on a CMK?
Once the disaster recovery process is complete, organizations with customer-managed keys resume normal operation and will honor the CMK status, whether active or disabled.