Enhanced Account Encryption

Enhanced Account encryption

Enhanced Account Encryption (EAE) works with Groundplexes. You generate private keys that aren't shared with SnapLogic. The UI encrypts credentials with a public key and the Groundplex decrypts it with the private key. Every Groundplex in the environment must be configured to use EAE.

To use EAE, an environment can't have a mixture of self-managed Snaplexes and those managed by SnapLogic. Before enabling EAE, work with your SnapLogic CSM to remove Cloudplexes from the environment (Org) or convert them to Groudplexes.

How EAE works

Snaplexes configured for Enhanced Account Encryption can be deployed on Windows or Linux operating systems. To enable EAE for nodes deployed on the Windows OS, you must first generate the datakeys files on a Linux machine and copy it to the Windows nodes.

After Enhanced Account Encryption is enabled for an environment:

  • All Accounts are sent to the Groundplex to be decrypted with the old public key and encrypted with the new private key.
  • When you edit an Account, encrypted fields do not display values. However, you can change the value by entering a new one and saving it.
  • Environment settings include the encryption sensitivity level. If you change the encryption sensitivity level to include less fields, existing Accounts remain at the previous level unless updated manually. Changing the sensitivity level to include more fields causes all accounts to be updated.
  • If you revert from Enhanced to Standard Encryption, the encrypted data is not automatically decrypted. As long as the server key files are still on the nodes, the encrypted values continue to work.
  • Accounts that were exported when the Org used the old key have the sensitive fields encrypted with the old key. When an Account is imported into the Org after the key is rotated, it is imported with the old key. To convert these imported accounts to the new key, go to Manager and redo the key rotation with the new key.
Important: We recommend that you don't switch an environment that uses EAE back to standard encryption. If you do so, existing OAuth 2.0 accounts will not function; you will need to re-create them.

Steps to configure and enable EAE

To add Enhanced Account Encryption to an environment:

  1. In your network, prepare Snaplex nodes.
  2. Enable and configure EAE in Admin Manager.
Important: To use EAE with AutoSync, be aware of how the two features interact.

After EAE is enabled, you can rotate the key. Running pipelines continue executing while the key is being rotated. Make backup copies of the generated data keystore and password files before rotating keys. Otherwise, if the data keys become corrupted and are unrecoverable, you have to re-enter all sensitive Account field values manually.