Organizations that create pipelines in Designer and run them on self-managed Snaplexes (Groundplexes) can subscribe to Enhanced Encryption and configure it per environment (Org). To use Enhanced Encryption, an environment cannot have a mixture of self-managed Snaplexes and those managed by SnapLogic. Before enabling Enhanced Encryption, work with SnapLogic support to remove Cloudplexes from the Org or convert them to Groudplexes.
With Enhanced Encryption, you create own private keys and do not share them with SnapLogic. The UI encrypts credentials with a public key and the Groundplex decrypts it with a private key. Every Groundplex used in the environment must be configured to use Enhanced Security.
The first time a Snaplex node starts, it generates datakeys files in the /etc/snaplogic directory on a machine where a Snaplex node has been started. The jcc-datakeys.jks file is the keystore and the jcc-datakeys.pass is the password for the keystore. You must manually copy the datakeys files to all Groundplex nodes in your environment.
For TLS connections, the Snaplex also maintains SSL certificates.
These are not used for account encryption, but are also in the /etc/snaplogic directory.
Do not copy them across nodes, they must be unique for each node.
jcc-serverkeys.jks file is the SSL keystore and jcc-serverkeys.pass is the password for the keystore.
Snaplexes configured for Enhanced Encryption can be deployed on Windows or Linux operating systems. To enable Enhanced Encryption for nodes deployed on the Windows OS, you must first generate the datakeys files on a Linux machine and copy it to the Windows nodes.
After Enhanced Encryption is enabled for an Org:
- All Accounts are sent to the Groundplex to be decrypted with the old public key and encrypted with the new private key.
- When you edit an Account, encrypted fields do not display values, as shown below.
However, you can change the value by entering a new one and saving it.
- Environment settings include the encryption sensitivity level. If you change the encryption sensitivity level to include less fields, existing Accounts remain at the previous level unless updated manually. Changing the sensitivity level to include more fields causes all Accounts to be updated.
- If you revert from Enhanced to Standard Encryption, the encrypted data is not automatically decrypted. As long as the server key files are still on the nodes, the encrypted values continue to work.
- Accounts that were exported when the Org used the old key have the sensitive fields encrypted with the old key. When an Account is imported into the Org after the key is rotated, it is imported with the old key. To convert these imported accounts to the new key, go to Manager and redo the key rotation with the new key.
Workflow to add Enhanced Encryption to an environment
To add Enhanced Encryption to an environment:
After Enhanced Encryption is enabled, you can rotate the key. Running Pipelines continue executing while the key is being rotated. Make backup copies of the generated data keystore and password files before rotating keys. Otherwise, if the data keys become corrupted and are unrecoverable, you have to re-enter all sensitive Account field values manually.