
As an encryption administrator, you can:

  • Generate your encryption keys directly from the key manager device.
  • Upload keys generated from an external crypto management application.
  • Upload a wrapped key.

Notes:

  • The geographic location to which a key relates is shown in the Data Center column.
  • When you generate or upload a key, it is created in a specific geographic region and only operates on data in that region. For instance, if the data you want to encrypt is in the European Union, the encryption keys for that data are created in the European Union. Encryption keys only operate on the data in the region to which they belong and are not synchronized with other regional clusters.

Generate symmetric keys

To generate keys:

  1. Access Administration from the Application menu.
  2. Select BYOK > Encryption Keys.
  3. Select Add Key.
  4. Select Generate New Key.
  5. Enter an alias (name) for your key in the Key Alias field that will help you identify your key later.

Note: The Key Alias must:

  • Contain a maximum of 40 alpha-numeric characters.
  • Begin with a letter.
  • Contain no spaces, or any of these characters: ?:;|!@#$%^&*<=>+(){}~,\/[]'".
  6. If required, change the Reminder Date.
  7. Select Generate Key.

Upload symmetric keys

You can upload an externally generated key in a compatible format. The key must be an AES-256 symmetric key.

To upload keys:

  1. Access Administration from the Application menu.
  2. Select BYOK > Encryption Keys.
  3. Select Add Key.
  4. Select Import Existing Key.
  5. Enter the alias of the key you want to upload in the Key Alias field.
  6. Paste the key in hexadecimal into the Hex Key field.
    The Data Center field is unavailable.
  7. If required, change the Reminder Date.
  8. Select Import Key.

Use wrapped keys

Anaplan supports generation and export of keys used in asymmetric key encapsulation, or key wrapping, for additional security.

The process is:

  1. Generate and export an asymmetric key for use in later wrapping of your symmetric key.
    See the Generate and export an asymmetric key section below.
  2. Generate an AES-256 symmetric key on your Hardware Security Module (HSM).
    As this process is specific to your device, carry out this step outside of Anaplan.
  3. Wrap the symmetric key with the asymmetric key.
    As this process is specific to your device, carry out this step outside of Anaplan.
    See the Wrap your symmetric key with the asymmetric key section below.
  4. Import the wrapped key into Anaplan.
    See the Import the wrapped key section below.

Generate and export an asymmetric key

Encryption Administrators can generate and export asymmetric keys.

To create and export an asymmetric key:

  1. Access Administration from the Application menu.
  2. Select BYOK > Asymmetric Keys.
  3. Select Add Key.
  4. Name the key and give it a description.
    The algorithm used for the key generation is always RSA-2048.
  5. Select Generate Key.
  6. Select the key to export.
  7. Select Export.
  8. Select Save.

Wrap your symmetric key with the asymmetric key

This step is performed by the customer outside of Anaplan.

Note: If you encounter difficulties importing the asymmetric key into your Hardware Security Module, review the Troubleshoot Wrapped Key Issues section below for some tips on how to address common issues.

To wrap your symmetric key with the asymmetric key:

  1. Use your Hardware Security Module (HSM) to generate an AES-256 symmetric key.
  2. Use your HSM to wrap the symmetric key with the asymmetric key exported from Anaplan.
    • Do not include headers in your wrapped key.
    • Use the RSA-OAEP padding mechanism to wrap your key.
    • Set the Hash Padding Algorithm to SHA256, SHA384, or SHA512.
    • Set the Mask Generator to SHA256, SHA384, or SHA512.
  3. After the key is wrapped, ensure that the key is base64 encoded.
  4. Create a text file and enter the following information:
    • HashAlgo: SHA256, SHA384, or SHA512
      (Optional) The Hash Padding Algorithm used in the HSM. If not specified, the default is SHA256.
    • MaskGenHashAlgo: SHA256, SHA384, or SHA512
      (Optional) The Mask Generator used in the HSM. If not specified, the default is SHA256.
    • Secret: (the base64 encoded wrapped key)
      Your wrapped key. If you have not specified a Hash Padding Algorithm or Mask Generator, then Secret: must be at the top of the page.
  5. Save your changes. This is the file you will upload to Anaplan in the Import the Wrapped Key section below.
    For example (text wrapped for display purposes only):
    HashAlgo: SHA512
    MaskGenHashAlgo: SHA512
    Secret: tlPE23P3jlxPHniXYYTr32NP0XY761NYhknIbY0H1s2
    yTxDFmIDBJbLJgJzC7PUAh6vgXMw+/FJ1TpZ0chl6SsEenj0WAN
    c0qlf9XHI2205g96YZ2A2hBOTn0kGjdY9BLhbNPQZoLFq/LlVFZ
    WXQmjSio02oGfQFyFcwNpnmKGlHtZg3zASpaEaOc0Qba2hQBoUS
    6aJb5/02fqhzOkAjpVU+NRmaRkS8KY5ObutDtmftwuTvguBNCBq
    VF1HVHGKkJz70/mQO4dHoL4T97URyDs2xtGesrJM2GVGv6CENU5
    CdukimdZznrq6aIYumvKPMdr/8DBKDVTbQBzVfjBL7Hg==

Note: Anaplan ignores any other content in the wrapped payload.
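The HSM-side steps above, together with the single-line check required before import, as an added shell example that is not part of Anaplan's documentation or tooling: openssl stands in for the HSM, and a throwaway RSA-2048 pair stands in for the key exported from BYOK > Asymmetric Keys (an assumption so the script runs offline; with the real export you wrap against that public key and cannot run the round-trip check). It wraps a fresh AES-256 key with RSA-OAEP, writes the HashAlgo/MaskGenHashAlgo/Secret file, and proves the parameters by unwrapping with the private half.

```shell
#!/usr/bin/env bash
# Added example, not Anaplan tooling: emulates the HSM-side wrapping steps
# with openssl and writes the HashAlgo/MaskGenHashAlgo/Secret import file.
# Assumption: a throwaway RSA-2048 pair stands in for the key exported from
# BYOK > Asymmetric Keys so the script runs offline.
set -eu
WORK="$(mktemp -d)"
HASH="${1:-SHA512}"                             # SHA256, SHA384 or SHA512
MD="$(printf '%s' "$HASH" | tr 'A-Z' 'a-z')"    # openssl spelling: sha512
FILE="$WORK/wrapped_key.txt"
# Stand-in key pair; anaplan_pub.pem plays the role of the exported key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/anaplan_priv.pem" 2>/dev/null
openssl pkey -in "$WORK/anaplan_priv.pem" -pubout -out "$WORK/anaplan_pub.pem"
# Step 1: a fresh AES-256 key (32 random bytes), as the HSM would produce.
openssl rand -out "$WORK/aes256.key" 32
# Step 2: RSA-OAEP wrap, same digest for the OAEP hash and for MGF1,
# raw ciphertext only (no headers).
openssl pkeyutl -encrypt -pubin -inkey "$WORK/anaplan_pub.pem" \
  -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$MD" \
  -pkeyopt "rsa_mgf1_md:$MD" -in "$WORK/aes256.key" -out "$WORK/wrapped.bin"
# Steps 3 and 4: base64 on one line, then the three-line import file.
SECRET="$(openssl base64 -A -in "$WORK/wrapped.bin")"
printf 'HashAlgo: %s\nMaskGenHashAlgo: %s\nSecret: %s\n' \
  "$HASH" "$HASH" "$SECRET" > "$FILE"
# Pre-import check: exactly one Secret line, no CR anywhere, and no
# whitespace inside the base64 value (a wrapped line would break import).
secret_is_single_line() {
  [ "$(grep -c '^Secret: ' "$1")" -eq 1 ] &&
    ! grep -q "$(printf '\r')" "$1" &&
    ! sed -n 's/^Secret: //p' "$1" | grep -q '[[:space:]]'
}
# Round trip: unwrap with the private half to prove the OAEP parameters
# written in the file match the ciphertext.
unwrap_matches() {
  sed -n 's/^Secret: //p' "$1" | openssl base64 -d -A |
    openssl pkeyutl -decrypt -inkey "$WORK/anaplan_priv.pem" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$MD" \
      -pkeyopt "rsa_mgf1_md:$MD" | cmp -s - "$WORK/aes256.key"
}
if secret_is_single_line "$FILE" && unwrap_matches "$FILE"; then
  echo "$FILE is well-formed and unwraps to the original AES-256 key"
else
  echo "wrapped key file failed validation" >&2; exit 1
fi
```

Run it with SHA256 or SHA384 as the first argument to produce a file that declares those algorithms instead.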

Import the wrapped key

Encryption administrators can import the wrapped key.

Note: Wrapped keys must not contain carriage returns or new line entries. Before you import your wrapped key, examine the file in a text editor to ensure there are no carriage returns or new line entries in your wrapped key file.

To import the wrapped key:

  1. Access Administration from the Application menu.
  2. Select BYOK > Encryption Keys.
  3. Select Add Key.
  4. Select Import Wrapped Key.
  5. Select the asymmetric key you used to wrap the symmetric key from the Asymmetric Key dropdown.
  6. Enter a name for the symmetric key in the Key Alias field.
  7. Set the Reminder Date.
    The default is 1 year.
  8. Upload the wrapped key.
  9. Select Import Key.

Troubleshoot wrapped key issues

By default, BYOK exports a plain asymmetric key. Some HSMs expect an asymmetric key formatted for Public Key Cryptography Standards (PKCS)#1. If you get an error indicating that your import or key is not readable, try to insert a PKCS#1 header into the exported asymmetric key.

Note: This procedure is designed to work on Linux or macOS machines. You must have openssl installed to run this procedure.

To troubleshoot the wrapped key issues:

  1. Create a bash script that contains these commands:
    #!/bin/bash
    # Convert the asymmetric key exported from BYOK to PKCS#1 format.
    # Usage: <script name> <asymmetric key file>
    set -e
    [ -n "${1:-}" ] || { echo "usage: $0 <asymmetric key file>" >&2; exit 1; }

    # Relabel the PEM armour from PUBLIC KEY to RSA PUBLIC KEY.
    sed -e "s/PUBLIC KEY/RSA PUBLIC KEY/g" "$1" > "$1.pkcs8.pem"

    # Re-read the relabelled key as an RSA public key and write the
    # converted copy with the header the HSM expects.
    openssl rsa -RSAPublicKey_in -in "$1.pkcs8.pem" -pubout > "$1.pkcs1.pem"
  2. Save the script to the same directory where you have your asymmetric key from BYOK.
  3. Make the script executable.
    chmod +x <script name>
    Where <script name> is the name of the bash script.
  4. Open a terminal and run the script against the asymmetric key:
    <script file> <asymmetric key file>
    For example, if your script is named convertPublicKey.sh and the key file is named myPublicKey.pem, the command is:
    sh convertPublicKey.sh myPublicKey.pem

This generates two .pem files. One has a pkcs8.pem suffix and one has a pkcs1.pem suffix. For example, if you convert myPublicKey.pem, the script outputs myPublicKey.pem.pkcs8.pem and myPublicKey.pem.pkcs1.pem.

Import the file with the pkcs1.pem suffix into your HSM.
