Update to Encryption Standard of BYOK

We will be making enhancements to the encryption service that forms the core functionality of our Bring Your Own Key (BYOK) offering. 

To prepare for future capabilities, it's imperative that BYOK moves toward a more secure encryption standard.

What's changing?

All new symmetric keys that are either created or imported will require a version of AES called “CBC-CS1”. This change will have no impact to your existing encrypted workspaces, nor will it impact asymmetric keys (For example, public keys) that you export. However, any new symmetric keys that you create or import will have this standard. This includes any key rotations that you have planned after this change takes place.

If you import and wrap symmetric keys, you can find instructions under Create and manage encryption keys in Anapedia. If you import keys to BYOK, you will only be able to use AES keys that use the AES-CBC-CS1 algorithm. Due to the nature of this algorithm, you will need to generate two AES-CBS-CS1 keys. Anaplan will no longer support the previous algorithm

What are the benefits?

• AES-CBC-CS1 uses cipher-text stealing to encrypt the last partial block of a file whose size isn't aligned with 16 bytes.
• Each file encrypted with an AES-CBC-CS1 key is associated with a unique and random base IV.
• AES-CBC-CS1 implements a secure algorithm to tweak the IV used for each segment (512 bytes) of a file.
• AES-CBC-CS1 encryption only applies to file system directories.
• AES-CBC-CS1 encryption uses a unique and random/unpredictable IV (initialization vector) generated for each individual file, and the per-file IV object is generated only at file creation time and stored as file metadata. This has made it superior to any existing AES-CBC mode.
• AES-CBC-CS1 encryption supports both live and offline data transformation.

Will I have to take any action?

Most of the previous functionality within BYOK will require no action, this includes API capabilities.

We have highlighted changes that users should make gradually to current encryption keys and workspaces:

• All existing keys and keys prepared in the old standard will be indicated as ‘AES256’ in our repository. ‘AES256-CBC-CS1’ indicates new keys.
• Currently, encrypted workspaces won't be impacted by the change.
• Unsupported attempts to encrypt or key rotation to ‘AES256’ keys will appear as an error with a message displayed.
• Encryption admins must prepare for keys in the new standard for key imports following the procedure that will be detailed on Anapedia, incorrect key materials will result in failure in import.

Information around steps that are required to mandate this change will be posted on Anapedia in the coming months.