Generate or Upload Your Encryption Keys

ENCRYPTION ADMINS ONLY

As an Encryption Administrator, you can:

  • Generate your encryption keys directly from the key manager device.
  • Upload keys generated from an external crypto management application.
  • Upload a wrapped key.

Notes:
  • The geographic location to which a key relates is shown in the Data Center column.
  • When you generate or upload a key, it is created in a specific geographic region and only operates on data in that region. For instance, if the data you want to encrypt is in the European Union, the encryption keys for that data are created in the European Union. Encryption keys only operate on the data in the region to which they belong and are not synchronized with other regional clusters.

Generate and Upload Symmetric Keys

To generate or upload keys:

  1. In the Anaplan Administration sidebar, under BYOK, select Encryption Keys.
  2. Click Add Key.

    The Add Encryption Key dialog appears:

  3. If you want to generate a key, click Generate New Key. If not, see step 5.
    1. Give your key an alias — a name that will help you identify it later.
      Note: The Key Alias must:
      • Contain a maximum of 40 alpha-numeric characters
      • Begin with a letter
      • Contain no spaces, or any of these characters: ?:;|!@#$%^&*<=>+(){}~,\/[]'".

    2. If required, change the Reminder Date.
    3. Click Generate Key.
  4. If you want to upload an externally generated key in a compatible format, click Import Existing Key. The key must be an AES-256 symmetric key.

    In the Import Existing Encryption Key dialog:

    1. Enter the alias of the key you want to upload.
    2. Paste the key in hexadecimal into the Hex Key field. The Data Center field is unavailable.
    3. If required, change the Reminder Date.
    4. Click Import Key.

Using Wrapped Keys

Anaplan supports generation and export of keys used in asymmetric key encapsulation, or key wrapping, for additional security.

The process is:

  1. Generate and export an asymmetric key for use in later wrapping of your symmetric key. See Create and export an Asymmetric Key.
  2. Generate an AES-256 symmetric key on your Hardware Security Module (HSM). As this process is specific to your device, carry out this step outside of Anaplan.
  3. Wrap the symmetric key with the asymmetric key. As this process is specific to your device, carry out this step outside of Anaplan. See Wrap your Symmetric Key with the Asymmetric Key.
  4. Import the wrapped key into Anaplan. See Import the Wrapped Key below.

Generate and Export an Asymmetric Key

ENCRYPTION ADMIN ONLY

To create and export an asymmetric key:

  1. In the Anaplan Administration sidebar, under BYOK, select Asymmetric Keys.
  2. Click Add Key.

  3. Name the key and give it a description. The algorithm used for the key generation is always RSA-2048.

  4. Select the key to export.
  5. Click Export.

  6. In the Save File dialog, click Save.

Wrap your Symmetric Key with the Asymmetric Key

This step is performed by the customer outside of Anaplan.

  1. Use your Hardware Security Module (HSM) to generate an AES-256 symmetric key.
  2. Use your HSM to wrap the symmetric key with the asymmetric key exported from Anaplan.
  3. Use the RSA-OAEP padding mechanism to wrap your key.
  4. Set the Hash Padding Algorithm to SHA256, SHA384, or SHA512.
  5. Set the Mask Generator to SHA256, SHA384, or SHA512.
  6. After the key is wrapped, ensure that the key is base64 encoded.
  7. Create a text file and enter the following information:
    Information to Enter | Value | Description
    HashAlgo: | SHA256, SHA384, or SHA512 | (Optional) The Hash Padding Algorithm used in the HSM. If not specified, the default is SHA256.
    MaskGenHashAlgo: | SHA256, SHA384, or SHA512 | (Optional) The Mask Generator used in the HSM. If not specified, the default is SHA256.
    Secret: | (The base64 encoded wrapped key) | Your wrapped key. If you have not specified a Hash Padding Algorithm or Mask Generator, then Secret: must be at the top of the page.
  8. Save your changes. This is the file you will upload to Anaplan in the Import the Wrapped Key step below.

For example (text wrapped for display purposes only):

HashAlgo: SHA512
MaskGenHashAlgo: SHA512
Secret: tlPE23P3jlxPHniXYYTr32NP0XY761NYhknIbY0H1s2
yTxDFmIDBJbLJgJzC7PUAh6vgXMw+/FJ1TpZ0chl6SsEenj0WAN
c0qlf9XHI2205g96YZ2A2hBOTn0kGjdY9BLhbNPQZoLFq/LlVFZ
WXQmjSio02oGfQFyFcwNpnmKGlHtZg3zASpaEaOc0Qba2hQBoUS
6aJb5/02fqhzOkAjpVU+NRmaRkS8KY5ObutDtmftwuTvguBNCBq
VF1HVHGKkJz70/mQO4dHoL4T97URyDs2xtGesrJM2GVGv6CENU5
CdukimdZznrq6aIYumvKPMdr/8DBKDVTbQBzVfjBL7Hg==

Note: Anaplan ignores any other content in the wrapped payload.
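
A pre-upload check for the text file described in steps 7 and 8, as an added example that is not Anaplan's code. It applies the defaults and allowed values from the table, and assumes (not stated on this page) that field names match exactly, that Secret: sits on a single line, and that a key wrapped under the RSA-2048 key decodes to 256 bytes. SAMPLE_SECRET is a constructed placeholder, not a real wrapped key.

```python
import base64
import binascii

ALLOWED = {"SHA256", "SHA384", "SHA512"}  # values listed in the table above
FIELDS = ("HashAlgo", "MaskGenHashAlgo", "Secret")
RSA_2048_BYTES = 256  # an RSA-2048 ciphertext is as long as the modulus

# Constructed placeholder with the right length; NOT a real wrapped key.
SAMPLE_SECRET = base64.b64encode(bytes(range(256))).decode()


def check_wrapped_key_file(text):
    """Return (settings, problems) for the wrapped-key text file."""
    settings = {"HashAlgo": "SHA256", "MaskGenHashAlgo": "SHA256"}  # defaults
    problems, seen, secret = [], set(), None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for ln in lines:
        name, sep, value = (part.strip() for part in ln.partition(":"))
        if not sep or name not in FIELDS:
            continue  # other content is ignored, as the page states
        seen.add(name)
        if name == "Secret":
            secret = value
        elif value in ALLOWED:
            settings[name] = value
        else:
            problems.append(f"{name}: unsupported value {value!r}")
    if secret is None:
        return settings, problems + ["no Secret: line found"]
    # Assumed reading of the page: with neither algorithm given,
    # Secret: has to be the first line of the file.
    if seen == {"Secret"} and not lines[0].startswith("Secret:"):
        problems.append("Secret: must be the first line")
    try:
        blob = base64.b64decode(secret, validate=True)
    except binascii.Error:
        return settings, problems + ["Secret is not valid base64"]
    if len(blob) != RSA_2048_BYTES:
        # Typical cause: display line-wrapping pasted into the file.
        problems.append(f"Secret decodes to {len(blob)} bytes, expected 256")
    return settings, problems


if __name__ == "__main__":
    good = f"HashAlgo: SHA512\nMaskGenHashAlgo: SHA512\nSecret: {SAMPLE_SECRET}\n"
    print(check_wrapped_key_file(good))
```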

Import the Wrapped Key

ENCRYPTION ADMIN ONLY

To import the wrapped key:

  1. In the Anaplan Administration sidebar, under BYOK, select Encryption Keys.
  2. Click Add Key.
  3. In the Add Encryption Key dialog, click Import Wrapped Key.

  4. Finalize the import:

    • Select the asymmetric key you used to wrap the symmetric key.
    • Enter a name for the symmetric key as the Key Alias.
    • Set the Reminder Date. The default is 1 year.
    • Upload the wrapped key.
  5. Click Import Key.