
Customer managed encryption keys

You can use your own master key to encrypt your organization's encryption keys.
By default, Informatica Intelligent Cloud Services protects your organization's sensitive data in the cloud using organization-specific encryption keys that are generated and stored in the Informatica Intelligent Cloud Services key management service (KMS). To prevent malicious access, the keys are encrypted using a master key that is stored in the cloud provider's KMS. The master key is provisioned in Informatica's KMS account and varies by POD.
If you prefer, you can create a customer managed key (CMK). When you create a CMK, you control access to it. However, you'll need to grant Informatica Intelligent Cloud Services access to the CMK so that it can encrypt and decrypt your organization's sensitive data.
Creating a CMK offers the following benefits:
The following image shows how Informatica Intelligent Cloud Services interfaces with your CMK:
Informatica Intelligent Cloud Services interfaces with its KMS agnostically. Non-customer managed keys go to Informatica's cloud KMS. Customer managed keys go to the customer's KMS, which can be Azure Key Vault, AWS KMS, or Google Cloud KMS.
  1. Informatica Intelligent Cloud Services interfaces with the Informatica Intelligent Cloud Services KMS agnostically.
  2. Non-customer managed keys go to Informatica's cloud KMS.
You can create and enable a CMK when you use the following cloud providers' key management services:
Note: When you create a CMK, your KMS and Informatica Intelligent Cloud Services POD must use the same cloud provider. For example, if your Informatica Intelligent Cloud Services POD is USW1 on AWS, then you must store your CMK in AWS KMS. You can't store it in Google Cloud KMS or Azure Key Vault.

Creating and enabling a customer managed key

To create and enable a customer managed key, provision the key in your KMS and then enable customer managed keys in Administrator.
Note: The steps you perform to create and enable a CMK vary based on your cloud provider. For specific instructions, see the following H2L articles:
In general, you perform the following steps:
  1. In your cloud KMS, provision the key and enable cross-account access with Informatica Intelligent Cloud Services.
  2. In Administrator, open the Security tab on the Settings page, enable the Enable Customer Managed Keys option, and enter the key properties.
     Note: To perform this step, you must log in to Informatica Intelligent Cloud Services with a user account that has both the Admin and Key Admin roles.
     You can test the key after you configure the key properties. It can take up to 24 hours for the key to become active.
After you create and enable a CMK, you can revoke it at any time by disabling the Enable Customer Managed Keys option on the Security tab. When you do this, you'll go back to using Informatica's master key.

Frequently asked questions about customer managed keys

I can't see the Security tab on the Settings page even though my organization has the appropriate license. Why not?
Log in to Informatica Intelligent Cloud Services with a user account that has both the Admin and Key Admin roles. If you don't have both roles, you can't see the Security tab.
For more information about user roles, see User Administration.
When I clicked Test Managed Key on the Settings page, the test failed. What should I do?
If you get an error when testing the key, perform the following checks:
If you continue to encounter errors, contact Informatica Global Customer Support.
What happens if the CMK is rotated in my KMS?
You can rotate the key in your cloud KMS manually or on a schedule. Rotating a key creates a new version of the key. The old version of the key remains in your cloud KMS and is used for decryption only.
Informatica Intelligent Cloud Services detects key rotation in Azure Key Vault and Google Cloud KMS. When the CMK is rotated, Informatica Intelligent Cloud Services decrypts your organization's keys using the old CMK and then encrypts them using the new CMK.
Informatica Intelligent Cloud Services cannot detect key rotation in AWS KMS. If you use AWS KMS, you'll need to disable customer managed keys in Informatica Intelligent Cloud Services and then reenable them. To do this, perform the following steps:
  1. On the Settings page in Administrator, click the Security tab and note the Key ARN and Role ARN.
  2. Disable the Enable Customer Managed Keys option.
  3. Enable the Enable Customer Managed Keys option, reenter the key ARN and role ARN, and click the save icon.
What if I need to update the CMK in my KMS?
If you need to update the CMK, first provision a new CMK in your cloud KMS. Then update the key details on the Settings page in Administrator.
Note: Be sure to keep the old version of the CMK in your cloud KMS active until you update the key details in Administrator.
You can delete the old version of the CMK in your cloud KMS after you update the key details on the Settings page.
What if I want Informatica to manage key encryption?
If you want Informatica to manage key encryption, you can disable the Enable Customer Managed Keys option on the Settings page in Administrator:
The Enable Customer Managed Keys option appears on the Security tab of the Settings page. When you disable this option, a warning message appears. Click Continue to disable the option.
When you do this, be sure to keep the current version of the CMK in your cloud KMS active. If the CMK is not active, disabling customer managed keys fails.
When you disable this option, your organization's encryption keys are once again encrypted using encryption keys that are managed by Informatica. It can take up to 10 minutes for the Informatica encryption keys to become active.
You can disable or delete the CMK in your cloud KMS after you disable the Enable Customer Managed Keys option in Administrator.
What if I want to temporarily revoke Informatica's access to the CMK?
If you want to temporarily revoke Informatica's access to the CMK, you can disable the key in your cloud KMS.
When you disable the CMK, Informatica Intelligent Cloud Services can no longer decrypt your organization's encrypted data, and any jobs that use the data will fail until you reactivate the CMK in your cloud KMS.
How do I replace the CMK if I suspect it has been compromised?
If you want to replace the CMK, you can delete the key in your cloud KMS and create a new one.
Warning: Deleting the CMK in your cloud KMS results in permanent loss of any encrypted data in Informatica Intelligent Cloud Services and causes the jobs that use the data to fail.
If you need to replace the CMK, perform the following steps so that you don't lose access to the encrypted data and jobs don't fail:
  1. In Administrator, open the Settings page, click the Security tab, and disable the Enable Customer Managed Keys option.
  2. In your cloud KMS, delete the CMK.
  3. In your cloud KMS, create a new CMK.
  4. On the Settings page in Administrator, re-enable the Enable Customer Managed Keys option and enter the details for the new CMK.
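The order of these steps matters because the organization's key exists only in wrapped form under whichever master key is current. The following model is an added example, not Informatica's code: `MasterKey` and `Org` are hypothetical names, and a toy HMAC-based wrap stands in for the cloud KMS cipher. It compares the documented order with deleting the CMK first.

```python
import hashlib, hmac, os

class MasterKey:
    """Stand-in for a KMS master key: material stays inside, state gates use."""
    def __init__(self, name):
        self.name, self.state, self._k = name, "enabled", os.urandom(32)
    def destroy(self):
        self.state, self._k = "deleted", None  # material is gone for good
    def _mac(self, label, data):
        if self.state != "enabled":
            raise PermissionError(f"{self.name} is {self.state}")
        return hmac.new(self._k, label + data, hashlib.sha256).digest()
    def wrap(self, key32):
        # Toy wrap of a 32-byte key (HMAC-derived pad plus tag), illustration only.
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(key32, self._mac(b"enc", nonce)))
        return nonce + ct + self._mac(b"tag", nonce + ct)
    def unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, self._mac(b"tag", nonce + ct)):
            raise ValueError("wrapped key failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._mac(b"enc", nonce)))

class Org:
    """Service side: only the wrapped organization key is stored."""
    def __init__(self, master):
        self.master, self.wrapped = master, master.wrap(os.urandom(32))
    def org_key(self):
        return self.master.unwrap(self.wrapped)
    def switch_master(self, new):
        # Unwrap with the current master, wrap with the new one; needs both enabled.
        self.wrapped, self.master = new.wrap(self.org_key()), new

def replace_in_documented_order():
    org = Org(MasterKey("cmk-old"))
    old, before = org.master, org.org_key()
    org.switch_master(MasterKey("informatica-master"))  # step 1: disable CMK option
    old.destroy()                                       # step 2: delete old CMK
    org.switch_master(MasterKey("cmk-new"))             # steps 3-4: new CMK, re-enable
    return org.org_key() == before

def delete_cmk_first():
    org = Org(MasterKey("cmk-old"))
    org.master.destroy()
    try:
        org.switch_master(MasterKey("informatica-master"))
    except PermissionError as err:
        return str(err)  # the wrapped organization key is now unrecoverable
```

Setting `state` to "disabled" instead of calling `destroy()` produces the same failure, but it clears once the state is set back to "enabled", which is the temporary revocation case described earlier.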
Can I delete the CMK if I don't want Informatica to access any of my encrypted data?
Warning: Deleting the CMK in your cloud KMS results in permanent loss of any encrypted data in Informatica Intelligent Cloud Services and causes the jobs that use the data to fail.
If you're sure that you want Informatica to forgo all access to your encrypted data in Informatica Intelligent Cloud Services, you can delete the CMK in your cloud KMS.