Encrypt a Workspace with One of Your Encryption Keys

ENCRYPTION ADMINS ONLY

You can exclusively own and manage data encryption in your tenant by assigning encryption keys to individual workspaces. Once assigned to a workspace, the key is used to encrypt every model (or file) in the workspace when the data is at rest.

Warning: Think carefully before encrypting a workspace. Only an Encryption Administrator can unassign a key from a BYOK-encrypted workspace and return it to default master key encryption. No mechanism exists for Anaplan employees to access your keys. As a result, Anaplan employees are unable to encrypt or decrypt your workspaces on your behalf.

Considerations for First Time Encryption

Consider the following points before encrypting a workspace with one of your encryption keys for the first time.

  • Treat workspace encryption or decryption as a maintenance operation that requires downtime.
  • Because Anaplan's BYOK solution encrypts model data only at rest, a workspace cannot be encrypted or decrypted while any users are logged in or using models within it.
  • It can take a long time to encrypt a workspace for the first time, especially if the workspace is large.
  • When workspace encryption is in progress, models in the workspace do not appear on the Tiles screen. They are taken offline temporarily.
  • In ordinary use, models in a BYOK-encrypted workspace are accessible from Tiles as usual.
  • Disable scheduled integrations while a workspace is being encrypted. Models in a workspace are not available during an encryption event.

Assign a Key to a Workspace

  1. In the Anaplan Administration sidebar, under BYOK, select Workspaces.
  2. Select the workspace you want to assign one of your keys to, then click Assign Key.
    • You can assign a key to any workspace that has a State of Ready, a BYOK status of Not Encrypted, and a blank value for Assigned Key.
    • The Event Start and Event End columns show when a workspace encryption event started and when it completed. An encryption event starts when you assign an encryption key. The encryption event ends when the workspace is encrypted.
    • Click Refresh to get the latest state of every workspace.
  3. In the Assign your Encryption Key dialog:
    • Select the Encryption Key that you want to use to encrypt the selected workspace.
    • If you're certain you want to go ahead and encrypt your model data using your key, click Assign Key.

You can view the progress of the encryption at BYOK > Workspaces, in the BYOK column. When the BYOK status changes to Encrypted, the workspace remains in an encrypted state with the assigned key.

Ready Workspaces

In BYOK > Workspaces, the State column indicates whether workspaces are ready for encryption using one of your keys. Keys generated or uploaded using BYOK can only be used to encrypt workspaces in a Ready state.

In a Ready workspace:

  • No logged-in users are accessing models.
  • Models have been inactive for some time and are no longer active in memory.

If the status of a particular workspace doesn't change to Ready, contact Support and request that they unload the workspace.