This help topic applies to Appian Cloud users only.
The Bring Your Own Key (BYOK) feature is available only to customers on Premier Support. It is not included in the base Appian platform; Appian customers must purchase Premier Support to use the functionality described below.
The purpose of this article is to give a high-level overview of the setup process to enable BYOK in Appian Cloud.
Appian Cloud customers can use their own encryption keys to secure the disk that stores their data. An Appian Cloud site can use a key held in an AWS CloudHSM Hardware Security Module (HSM) hosted in the customer's AWS Virtual Private Cloud (VPC). With BYOK, the customer controls whether the disk that contains their data can be decrypted. Appian Cloud's BYOK capability is currently only supported for AWS CloudHSM.
Data encryption uses two different encryption keys: (1) the Key Encryption Key (KEK) and (2) the Data Encryption Key (DEK). The KEK encrypts (wraps) the DEK, and the DEK in turn encrypts the data on the disk. With BYOK, both keys are generated in the customer's AWS CloudHSM cluster: the KEK stays in the HSM, and Appian Cloud stores only the DEK in its wrapped form.
To communicate with the customer's AWS CloudHSM cluster, AWS places an Elastic Network Interface (ENI) in a subnet inside the customer's AWS account. The ENI fronts the HSM, which resides in a separate VPC in an AWS account owned by the AWS CloudHSM service. Appian Cloud servers reach the customer VPC over an IPsec tunnel. The Appian Cloud servers hosting the encrypted disk with customer data then establish an end-to-end Transport Layer Security (TLS) connection with the HSM to perform the API calls.
The following diagram represents the connection between Appian Cloud and AWS CloudHSM:
The table below lists the tasks that the customer needs to perform and the role in the customer's organization that is typically involved in each. Roles may vary depending on your organization.
| Prerequisite | Description | Role in customer organization |
| --- | --- | --- |
| 1. Premier Support | This feature is available via Premier Support. | Business relationship owner |
| 2. Set up AWS CloudHSM cluster | Customer sets up a CloudHSM cluster in their AWS account. Refer to the AWS CloudHSM documentation. | Information Security team |
| 3. Generate DEK and KEK | Customer generates a DEK and a KEK in the CloudHSM cluster. Both keys must be 256-bit AES symmetric keys (32 bytes; see the genSymKey documentation). The KEK should be generated by a different Crypto User account than the one whose credentials will be shared with Appian (see Prerequisite 5). | Information Security team |
| 4. Wrap DEK with KEK | Customer wraps the DEK with the KEK directly in the CloudHSM cluster using the wrapKey command (refer to the key_mgmt_util documentation). | Information Security team |
| 5. Collect authentication material | Customer provides the authentication material (Crypto User credentials, the cluster's issuing certificate, the KEK key handle, and the CloudHSM IP address and partition; see the auth_material.txt template in the setup steps below) and encrypts all files using a public key generated by Appian. | Information Security team |
| 6. Set up IPsec VPN tunnels to customer VPC | Customer establishes IPsec VPN tunnels between the Appian Cloud instances with BYOK enabled and the customer's Virtual Private Cloud (VPC) where the CloudHSM cluster is hosted. Each node in the Appian Cloud instance must have connectivity to the CloudHSM ENI over the appropriate ports. | Network Administrator / Authorized support contact |
Once all prerequisites have been met, assemble the authentication material for Appian. The steps below assume a Linux/Unix system with the GNU Privacy Guard (GPG) encryption utility installed; refer to the GPG documentation for instructions on how to install it on your system.

1. Import the public key provided by Appian. Confirm the fingerprint of the imported key with Appian before using it to encrypt anything:

    gpg --import appianCloud_pub.gpg

2. Create a file named auth_material.txt with the following contents, replacing the placeholder values with those of your CloudHSM cluster. The Crypto User is the account whose credentials are shared with Appian (Prerequisite 3), and the key handle is that of the KEK:

    cryptouser_username=kekRetriever
    cryptouser_password=XXXXXXXXXXXXXXXXXXX
    issuing_certificate: -----BEGIN CERTIFICATE-----
    ....
    ...Your certificate contents here...
    ....
    -----END CERTIFICATE-----
    kek_key_handle: Y
    cloudhsm_ip_address: 172.X.X.X
    cloudhsm_partition: hsm000000

3. Create a zip archive named auth_material.zip containing auth_material.txt and the wrapped key generated in Prerequisite 4.

4. Encrypt the archive with Appian's public key, where KEY_ID identifies the key imported in step 1:

    gpg -e -r KEY_ID auth_material.zip

5. The encrypted output file (auth_material.zip.gpg) is the artifact to share with Appian, via a support case. Only the encrypted file should leave your organization; the unencrypted archive contains the Crypto User password.
The following diagram explains step-by-step the flow between the Appian Cloud and AWS CloudHSM to use the Key Encryption Key hosted in the HSM:
Please contact Appian Support if you desire to use BYOK in your sites.
Enabling BYOK on an existing Appian Cloud site is supported. All data from the existing site must be moved to a new disk encrypted with the new encryption key, so this transition requires close coordination with Appian Support.
Appian Cloud will only store the wrapped Data Encryption Key. The DEK is unwrapped using the KEK that is stored in the HSM and the unwrap operation happens directly in the HSM. If the Appian Cloud site is unable to unwrap the Data Encryption Key, Appian won’t be able to decrypt the disk storing the customer’s data and the site will be unavailable.
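The two-key scheme described in the data encryption section and the failure mode stated in this answer, as an added example that is not Appian's code. AES Key Wrap (RFC 3394) is assumed as the wrap mechanism; `SimulatedHsm` is an illustrative stand-in for the customer's CloudHSM partition (in reality the KEK never leaves the HSM and the unwrap runs inside it), and AES-GCM over a byte string stands in for encryption of the data volume. The sample "disk contents" are constructed for the example.

```python
# Added example (not Appian's code): the KEK/DEK envelope scheme described on
# this page, using AES Key Wrap (RFC 3394) for the wrap/unwrap operations.
# Assumptions: `SimulatedHsm` stands in for the customer's CloudHSM partition
# (the real KEK never leaves the HSM and the unwrap runs inside it), and
# AES-GCM over a byte string stands in for full-disk encryption of the volume.
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)

KEY_BYTES = 32  # Prerequisite 3: 256-bit AES symmetric keys


class SimulatedHsm:
    """Keys are addressed by integer handles; raw key bytes stay inside."""

    def __init__(self):
        self._keys = {}
        self._next_handle = 1

    def gen_sym_key(self, size_bytes=KEY_BYTES):
        if size_bytes != KEY_BYTES:
            raise ValueError("BYOK keys must be 256-bit AES (32 bytes)")
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._keys[handle] = os.urandom(size_bytes)
        return handle

    def wrap_key(self, key_handle, wrapping_handle):
        """Prerequisite 4: wrap the DEK with the KEK inside the HSM."""
        return aes_key_wrap(self._keys[wrapping_handle], self._keys[key_handle])

    def unwrap_key(self, wrapped, wrapping_handle):
        """Unwrap inside the HSM. Raises if the KEK is gone or does not match."""
        if wrapping_handle not in self._keys:
            raise LookupError("no key at handle %d" % wrapping_handle)
        return aes_key_unwrap(self._keys[wrapping_handle], wrapped)

    def delete_key(self, handle):
        del self._keys[handle]


def encrypt_disk(dek, plaintext):
    """Stand-in for encrypting the data volume with the plaintext DEK."""
    nonce = os.urandom(12)
    return nonce + AESGCM(dek).encrypt(nonce, plaintext, None)


def open_disk(hsm, kek_handle, wrapped_dek, disk_blob):
    """Appian side: only `wrapped_dek` is stored. The KEK is used once, to
    unwrap; the DEK then stays in memory for I/O. Returns None when the
    unwrap fails, which is the "site unavailable" case described above."""
    try:
        dek = hsm.unwrap_key(wrapped_dek, kek_handle)
    except (InvalidUnwrap, LookupError):
        return None
    nonce, ciphertext = disk_blob[:12], disk_blob[12:]
    return AESGCM(dek).decrypt(nonce, ciphertext, None)


def run_demo():
    hsm = SimulatedHsm()
    kek = hsm.gen_sym_key()  # in practice owned by a separate Crypto User
    dek = hsm.gen_sym_key()
    wrapped_dek = hsm.wrap_key(dek, kek)  # 32-byte key + 8-byte integrity block

    # Constructed sample "disk contents". Appian obtains the plaintext DEK
    # only by asking the HSM to unwrap, never from the HSM key table directly.
    plaintext = b"constructed sample disk contents for the BYOK example"
    disk_blob = encrypt_disk(hsm.unwrap_key(wrapped_dek, kek), plaintext)

    recovered = open_disk(hsm, kek, wrapped_dek, disk_blob)

    # Wrong KEK: a different 256-bit key fails the RFC 3394 integrity check.
    other_kek = hsm.gen_sym_key()
    wrong_kek_result = open_disk(hsm, other_kek, wrapped_dek, disk_blob)

    # Lost KEK: once the customer deletes it, the wrapped DEK is useless and
    # the data (and any backups encrypted with the same DEK) are unrecoverable.
    hsm.delete_key(kek)
    deleted_kek_result = open_disk(hsm, kek, wrapped_dek, disk_blob)

    return {
        "plaintext": plaintext,
        "wrapped_dek_len": len(wrapped_dek),
        "recovered": recovered,
        "wrong_kek_result": wrong_kek_result,
        "deleted_kek_result": deleted_kek_result,
    }


if __name__ == "__main__":
    result = run_demo()
    print("wrapped DEK bytes:", result["wrapped_dek_len"])
    print("open with correct KEK:", result["recovered"] == result["plaintext"])
    print("open with wrong KEK:", result["wrong_kek_result"])
    print("open after KEK deleted:", result["deleted_kek_result"])
```

The point the example makes concrete is the trust split: the 40-byte wrapped DEK that Appian stores is useless without an unwrap performed by the HSM, so deleting or withholding the KEK on the customer side makes every copy of the data, backups included, undecryptable.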
The Key Encryption Key is used only to unwrap the Data Encryption Key when the disk is opened; it is not used again after the disk is open. The Data Encryption Key remains in kernel memory for read and write operations while the disk is open.
If the customer loses the Key Encryption Key (for example, by deleting it from the CloudHSM cluster), the wrapped Data Encryption Key can no longer be unwrapped and all the data, including all backups, is unrecoverable.
Appian Cloud’s BYOK capability is currently only supported for AWS CloudHSM.