As an Encryption Administrator, you can:

  • Generate your encryption keys directly from the key manager device.
  • Upload keys generated from an external crypto management application.
  • Upload a wrapped key.
  • The geographic location to which a key relates is shown in the Data Center column.
  • When you generate or upload a key, it is created in a specific geographic region and only operates on data in that region. For instance, if the data you want to encrypt is in the European Union, the encryption keys for that data are created in the European Union. Encryption keys only operate on the data in the region to which they belong and are not synchronized with other regional clusters.

Generate and Upload Symmetric Keys

To generate or upload keys:

  1. In the Anaplan Administration sidebar, under BYOK, select Encryption Keys.
  2. Click Add Key.

    The Add Encryption Key dialog appears:

  3. If you want to generate a key, click Generate New Key. If not, see step 5.
    1. Give your key an alias — a name that will help you identify it later.
      Note: The Key Alias must:
      • Contain a maximum of 40 alpha-numeric characters
      • Begin with a letter
      • Contain no spaces, or any of these characters: ?:;|!@#$%^&*<=>+(){}~,\/[]'".

    2. If required, change the Reminder Date.
    3. Click Generate Key.
  4. If you want to upload an externally generated key in a compatible format, click Import Existing Key. The key must be an AES-256 symmetrical key. 

    In the Import Existing Encryption Key dialog:

    1. Enter the alias of the key you want to upload.
    2. Paste the key in hexadecimal into the Hex Key field. The Data Center field is unavailable.
    3. If required, change the Reminder date.
    4. Click Import Key.

Using Wrapped Keys

Anaplan supports generation and export of keys used in asymmetric key encapsulation, or key wrapping, for additional security.

The process is:

  1. Generate and export an asymmetric key for use in later wrapping of your symmetric key. See Create and export an Asymmetric Key.
  2. Generate an AES-256 symmetric key on your Hardware Security Module (HSM). As this process is specific to your device, carry out this step outside of Anaplan.
  3. Wrap the symmetric key with the asymmetric key. As this process is specific to your device, carry out this step outside of Anaplan. See Wrap your Symmetric Key with the Asymmetric Key.
  4. Import the wrapped key into Anaplan. See Import the Wrapped Key below.

Generate and Export an Asymmetric Key


To create and export an asymmetric key:

  1. In the Anaplan Administration sidebar, under BYOK, select Asymmetric Keys.
  2. Click Add Key.

  3. Name the key and give it a description. The algorithm used for the key generation is always RSA-2048.

  4. Select the key to export.
  5. Click Export.

  6. In the Save File dialog, click Save.

Wrap your Symmetric Key with the Asymmetric Key

This step is performed by the customer outside of Anaplan.

Note: If you encounter difficulties importing the asymmetric key into your Hardware Security Module, review Troubleshoot Wrapped Key Issues for some tips on how to address common issues.
  1. Use your Hardware Security Module (HSM) to generate an AES-256 symmetric key.
  2. Use your HSM to wrap the symmetric key with the asymmetric key exported from Anaplan.
    • Do not include headers in your wrapped key.
    • Use the RSA-OAEP padding mechanism to wrap your key.
    • Set the Hash Padding Algorithm to SHA256, SHA384, or SHA512.
    • Set the Mask Generator to SHA256, SHA384, or SHA512.
  3. After the key is wrapped, ensure that the key is base64 encoded.
  4. Create a text file and enter the following information:
    Information to Enter Value Description

    SHA256, SHA384, or SHA512

    (Optional) The Hash Padding Algorithm used in the HSM.

    If not specified, the default is SHA256.

    MaskGenHashAlgo: SHA256, SHA384, or SHA512

    (Optional) The Mask Generator used in the HSM.

    If not specified, the default is SHA256.

    Secret: (The base64 encoded wrapped key) Your wrapped key. If you have not specified a Hash Padding Algorithm or Mask Generator, then Secret: must be at the top of the page.
  5. Save your changes. This is the file you will upload to Anaplan in the Import the Wrapped Key step below.

For example (text wrapped for display purposes only):

HashAlgo: SHA512
MaskGenHashAlgo: SHA512
Secret: tlPE23P3jlxPHniXYYTr32NP0XY761NYhknIbY0H1s2
Note: Anaplan ignores any other content in the wrapped payload.

Import the Wrapped Key


Import the wrapped key.

Note: Wrapped keys must not contain carriage returns or new line entries. Before you import your wrapped key, examine the file in a text editor to ensure there are no carriage returns or new line entries in your wrapped key file.
  1. In the Anaplan Administration sidebar, under BYOK, select Encryption Keys.
  2. Click Add Key.
  3. In the Add Encryption Key dialog, click Import Wrapped Key.

  4. Finalize the import:

    • Select the asymmetric key you used to wrap the symmetric key.
    • Name the symmetric key for the Key Alias.
    • Set the Reminder Date. The default is 1 year.
    • Upload the wrapped key.
  5. Click Import Key.

Troubleshoot Wrapped Key Issues

By default, BYOK exports a plain asymmetric key. Some HSMs expect an asymmetric key formatted for Public Key Cryptography Standards (PCKS)#1. If you get an error indicating your import or key are not readable, try to insert a PCKS#1 header into the exported asymmetric key.

Note: This procedure is designed to work on Linux or MacOS machines. You must have openssl installed to run this procedure.
  1. Create a bash script that contains the following:
    # Convert exported asymmetric key to PKCS1 format # The command below changes the PUBLIC KEY label # to display as RSA PUBLIC KEY.
    sed -e "s/PUBLIC KEY/RSA PUBLIC KEY/g" $1 > $1.pkcs8.pem # The command below adds the header to the encrypted key.
    openssl rsa -RSAPublicKey_in -in $1.pkcs8.pem -pubout > $1.pkcs1.pem
  2. Save the script to the same directory where you have your asymmetric key from BYOK.
  3. Make the script executable.
    chmod +x <script name>
    Where <script name> is the name of the bash script.
  4. Open a terminal and run the script against the asymmetric key:
    <script file> <asymmetric key file>
    For example, if your script is named convertPublicKey.sh and the key file is named myPublicKey.pem, the command is:
    sh convertPublicKey.sh myPublicKey.pem

This generates a two pem files. One has a pkcs8.pem suffix and one has a pkcs1.pem suffix. For example, if you convert myPublicKey.pem, the script outputs myPublicKey.pem.pkcs8.pem and myPublicKey.pem.pkcs1.pem.

Import the file with the pkcs1.pem suffix into your HSM.


We update Anapedia regularly to provide the most up-to-date instructions.