Encryption Administrators can decrypt a workspace.
When you unassign an encryption key from a workspace, that workspace immediately returns to encryption using the system master key. There are a few scenarios where you might want to unassign a key:
- Your key rotation policy states that you must rotate your keys between BYOK-encrypted workspaces at fixed intervals.
- The workspace is no longer required to be encrypted with a BYOK key.
All model data within a workspace remains encrypted during the process of unassigning keys.
To unassign a key from a workspace:
- Access Administration from the Application menu.
- Select BYOK > Workspaces.
- Select a workspace with a BYOK status of Encrypted.
- Select Unassign Key.
- In the Unassign Your Encryption Key dialog, if you're certain you want to go ahead and decrypt the workspace using your key, select Unassign Key.
You can view the progress of the decryption at BYOK > Workspaces, in the BYOK column. When the decryption completes, the status changes to Not Encrypted. The workspace is now encrypted with the system master key.