Account encryption

Enhanced Account encryption

Account data encryption is the process of securing sensitive user information by converting it into a coded format accessible only with the appropriate key or credentials. The SnapLogic Platform enables users to encrypt account data, safeguarding credentials and other confidential information linked to configured accounts for data integration tasks. Sensitive data fields are encrypted within the SnapLogic control plane using the keys generated during node deployment.

Enhanced Account Encryption

Organizations that create pipelines in Designer and run them on self-managed Snaplexes (Groundplexes) can subscribe to Enhanced Account Encryption (EAE) and configure it per environment (Org).

To use Enhanced Account Encryption, an environment cannot have a mixture of self-managed Snaplexes and those managed by SnapLogic. Before enabling EAE, work with SnapLogic CSM to remove Cloudplexes from the environment (Org) or convert them to Groudplexes.

Important: AutoSync can not currently execute in environments configured for Enhanced Account Encryption.

With EAE, you create own private keys and do not share them with SnapLogic. The UI encrypts credentials with a public key and the Groundplex decrypts it with a private key. Every Groundplex used in the environment must be configured to use Enhanced Security.

The first time a Snaplex node starts, it generates datakeys files in the /etc/snaplogic directory on a machine where a Snaplex node has been started. The jcc-datakeys.jks file is the keystore and the jcc-datakeys.pass is the password for the keystore. You must manually copy the datakeys files to all Groundplex nodes in your environment.

For TLS connections, the Snaplex also maintains SSL certificates. These are not used for account encryption, but are also in the /etc/snaplogic directory. Do not copy them across nodes, they must be unique for each node. The jcc-serverkeys.jks file is the SSL keystore and jcc-serverkeys.pass is the password for the keystore.

Snaplexes configured for Enhanced Account Encryption can be deployed on Windows or Linux operating systems. To enable EAE for nodes deployed on the Windows OS, you must first generate the datakeys files on a Linux machine and copy it to the Windows nodes.

After Enhanced Account Encryption is enabled for an Org:

  • All Accounts are sent to the Groundplex to be decrypted with the old public key and encrypted with the new private key.
  • When you edit an Account, encrypted fields do not display values. However, you can change the value by entering a new one and saving it.
  • Environment settings include the encryption sensitivity level. If you change the encryption sensitivity level to include less fields, existing Accounts remain at the previous level unless updated manually. Changing the sensitivity level to include more fields causes all accounts to be updated.
  • If you revert from Enhanced to Standard Encryption, the encrypted data is not automatically decrypted. As long as the server key files are still on the nodes, the encrypted values continue to work.
  • Accounts that were exported when the Org used the old key have the sensitive fields encrypted with the old key. When an Account is imported into the Org after the key is rotated, it is imported with the old key. To convert these imported accounts to the new key, go to Manager and redo the key rotation with the new key.
Important: We recommend that you don't switch an environment that uses EAE back to standard encryption. If you do so, existing OAuth 2.0 accounts will not function; you will need to re-create them.

Workflow to add EAE to an environment

To add Enhanced Account Encryption to an environment:

  1. In your network, prepare Snaplex nodes.
  2. Enable and configure EAE in Admin Manager.

After EAE is enabled, you can rotate the key. Running pipelines continue executing while the key is being rotated. Make backup copies of the generated data keystore and password files before rotating keys. Otherwise, if the data keys become corrupted and are unrecoverable, you have to re-enter all sensitive Account field values manually.