Advanced Encryption allows your company to encrypt your Service Data using your own enterprise key management system (KMS), ensuring data stored in Zendesk can’t be read in plain text by an external party and is decrypted just in time to enable the Zendesk Services. This feature strengthens your security posture and helps you comply with data protection and privacy obligations. See A preview of Advanced Encryption in Zendesk to learn more about Advanced Encryption and the EAP program.
This article will help you set up Advanced Encryption in your sandbox account by following step-by-step instructions.
The article covers the following topics:
- How to use Advanced Encryption during EAP
- Frequently asked questions
- Known service degradations/disclosures
How to use Advanced Encryption during EAP
Step 1: Contact Zendesk to enable Advanced Encryption
If your EAP participation was confirmed by Zendesk, anytime after the Advanced Encryption EAP launch, log a ticket in Zendesk with the details of your sandbox account in which you’d like to enable Advanced Encryption. This step won’t be needed in the future when we launch the GA release, which will have an Admin Center page for you to enable/disable Advanced Encryption.
Step 2: Add your KMS configuration
Adding your KMS configuration is a 4-step process:
- I - (Prerequisite) Create encryption keys in your KMS
- II - Log in to the Zendesk CMK Configuration Broker
- III - Add your KMS configuration
- IV - Create the KMS configuration assignment
I - (Prerequisite) Create encryption keys in your KMS
This step is one of the prerequisites to using Zendesk Advanced Encryption. In your Zendesk-supported KMS, create your encryption keys by following the KMS-specific instructions.
After creating encryption keys in your KMS, create a backup copy. It's important to back up your encryption keys for your business continuity and disaster recovery. Zendesk will not have access to your KMS and will be unable to assist with any disaster recovery. See the documentation for your KMS for instructions.
II - Log in to the Zendesk CMK Configuration Broker
Follow these steps after Advanced Encryption has been enabled in your sandbox account.
- The Zendesk account owner will receive a welcome email to add their KMS configuration to Zendesk. Click Get Started in the email message.
Alternatively, you can navigate to https://advanced-encryption.zendesk.com/app/login after you’ve received the welcome email.
- Create an account in the Zendesk CMK Configuration Broker. If you landed on the login page first, enter your information and click CREATE ACCOUNT to create an account.
If you manage multiple Zendesk accounts or refresh your sandbox, you will need to provide different email addresses when registering each one. Most email providers support suffixing your email with a tag (e.g., use firstname.lastname@example.org instead of email@example.com). For example, Microsoft and Google use plus addressing to link a primary email to multiple unique email IDs.
- When your account is created, you are prompted to log in. Type your Email and Password, then click LOGIN.
III - Add your KMS configuration
- Under Add Config, select the icon for your KMS.
- Add your access credentials and configure which key to use when encrypting your data. The steps to do this depend on which KMS you are using.
- Click ENCRYPT AND SAVE.
The config displays on the KMS Configurations page. Note the KMS Config ID. You’ll need this ID for the next step.
- Click ENABLE KEY LEASING to enable key leasing for this KMS configuration.
Key leasing is a technique that Zendesk provides to do an extra layer of key wrapping so that the Advanced Encryption Service doesn’t need to make a request to your KMS on every key wrap and unwrap operation. Instead, it leases a key, wrapping it using your KMS, and it uses that key for a period of time to wrap and unwrap the keys that encrypt application data. The key is checked for validity with the KMS every 10 minutes. If it’s no longer valid, it’s destroyed.
Note: By implementing key leasing, your cost of using the KMS is reduced and request latency is lower. This will speed up your application experience.
- Type the Key identifier, then click CONFIRM.
IV - Create the KMS configuration assignment
Next, create the KMS configuration assignment, which allows Zendesk to use the provided KMS configuration to protect the user fields listed above. If you’ve added multiple KMS configurations, you’ll need to create an assignment for each one.
- In the Zendesk CMK Configuration Broker, click KMS Config Assignments in the left pane.
- Click to add a config assignment.
- On the Assign KMS Configuration window, select:
- Organization: Zendesk
- KMS Config ID: The KMS configuration ID that was created as part of the KMS configuration.
- Click SAVE.
Incoming user field traffic will start to be encrypted after you click SAVE.
- Click SET PRIMARY.
The Primary key is used to encrypt the data. You must set one as primary for encryption to work.
- Send us a confirmation that you are “Done” in the same ticket that you used to contact Zendesk to enable Advanced Encryption. This step won’t be needed in the future as we will automate this step in the GA release.
Frequently asked questions
- Can I enable Advanced Encryption in my production account?
No, Advanced Encryption cannot be enabled in production yet. This release primarily aims to receive feedback from customers who will be able to participate in the EAP by enabling Advanced Encryption in sandbox accounts.
- Do I need to pay anything to participate in this EAP?
No, participation in this EAP is absolutely free of cost. When Advanced Encryption is launched in production accounts, Advanced Encryption will likely be part of a paid add-on, which you’ll have to upgrade to. You’ll not be automatically enrolled in the paid add-on.
- Will my old data be encrypted with my encryption keys?
No, in this release, only newly created user records will be encrypted, limited to the fields specified in the EAP scope. Data prior to enabling Advanced Encryption will not be encrypted in this release. Backfill encryption of data will be supported in a future release.
- Can I use an EU-based KMS to manage my encryption keys?
Yes. Zendesk Advanced Encryption supports an out-of-the-box integration with Thales CipherTrust Manager, a Key Management System (KMS) based in Europe and managed and hosted by European companies.
- How do I know whether Advanced Encryption has been enabled in my account?
You will start seeing encryption/decryption requests in the KMS logs.
- Is key rotation/revocation supported in this EAP?
No, key rotation and revocation are not supported in this EAP. These features will be launched in the production release. Please note that if you rotate or revoke the keys in this release, you might lose your encrypted data forever.
You can add a new key which will be used to encrypt newly created data. The old key(s) will continue to be used to encrypt/ decrypt the old data.
- Who do I contact if I need help during the EAP or have feedback?
Post your feedback or questions in the Community topic created for this EAP. Alternatively,
log a ticket in Zendesk, and we’ll get back to you as soon as possible.
Known disclosures and service degradations
- Any functionality outside of the EAP scope, including but not limited to Guide, Messaging, Talk, Explore, Chat, AI/ML, and Mobile, might be broken or show encrypted data in the UI/reports/API responses.
- Side conversations aren't supported in the EAP release.
- Historical data won’t be backfilled when Advanced Encryption is enabled.
- Inability to roll back an account to pre-encryption state after Advanced Encryption is disabled. You would need to refresh your sandbox after disabling Advanced Encryption.
- Encrypted sandbox accounts will become ineligible for account region moves.
Within the EAP scope, the following are the known service degradations:
- Search-related degradation:
- Snippet Highlighting won’t work
- Wildcard Search won’t work
- Phrase Search won’t work
- Search Match Quality might be sub-par
- Search Ranking Quality might be sub-par
- Count and export functionality won’t work
- Customer List Filtering related degradation:
- Any newly created users that will be encrypted with Advanced Encryption will not be returned in the result set when filtering by the “name” attribute.
- Any account that has opted-in to Advanced Encryption will start seeing encrypted strings instead of the name of the users. As a result, this also impacts the MailChimp
Advanced Encryption EAP participants can post questions or comments on the Advanced Encryption Early Access Program (EAP) community page.