Encryption Administrators can assign encryption keys to individual workspaces to own and manage data encryption in their tenant. Once assigned to a workspace, the key is used to encrypt every model (or file) in the workspace when the data is at rest.
Warning: Think carefully before you encrypt a workspace. Only an Encryption Administrator can unassign a key from a BYOK-encrypted workspace and return it to default master key encryption. No mechanism exists for Anaplan employees to access your keys. As a result, Anaplan employees are unable to encrypt or decrypt your workspaces on your behalf.
Considerations for first time encryption
Consider the following points before encrypting a workspace with one of your encryption keys for the first time.
- Workspace encryption or decryption should be considered as a maintenance operation that requires downtime.
- Since Anaplan's BYOK solution only encrypts model data at rest, encryption or decryption will not be possible if any users are logged in or using models within the workspace to be encrypted.
- It can take a long time to encrypt a workspace for the first time, especially if the workspace is large.
- When workspace encryption is in progress, models in the workspace do not appear on the Tiles screen. They are taken offline temporarily.
- In ordinary use, models in a BYOK-encrypted workspace are accessible from Tiles as usual.
- Disable scheduled integrations while a workspace is being encrypted. Models in a workspace are not available during an encryption event.
Assign a key to a workspace
To assign a key to a workspace:
- Access Administration from the Application menu.
- Select BYOK > Workspaces.
- Select the workspace you want to assign one of your keys to and then select Assign Key.
- You can assign a key to any workspace that has a State of Ready, a BYOK status of Not Encrypted, and a blank value for
Assigned Key. - The Event Start and Event End columns show when a workspace encryption event started and when it completed. An encryption event starts when you assign an encryption key. The encryption event ends when the workspace is encrypted.
- Select Refresh to get the latest state of every workspace.
- You can assign a key to any workspace that has a State of Ready, a BYOK status of Not Encrypted, and a blank value for
- In the Assign your Encryption Key dialog:
- Select the encryption key that you want to use to encrypt the selected workspace.
- If you're certain you want to go ahead and encrypt your model data using your key, select Assign Key.
You can view the progress of the encryption at BYOK > Workspaces, in the BYOK column. When the BYOK status changes to Encrypted, the workspace remains in an encrypted state with the assigned key.
Ready workspaces
In BYOK > Workspaces, the State column indicates whether workspaces are ready for encryption using one of your keys. Keys generated or uploaded using BYOK can only be used to encrypt workspaces in a Ready state.
In a Ready workspace:
- No logged in users can access models.
- Models that have been inactive for some time and are no longer active in memory.
If the status of a particular workspace doesn't change to Ready, contact Support and request that they unload the workspace.