Advanced Encryption allows your company to encrypt your Service Data using your own enterprise key management system (KMS), ensuring data stored in Zendesk can’t be read in plain text by an external party and is decrypted just in time to enable the Zendesk Services. This feature strengthens your security posture and helps you comply with data protection and privacy obligations. See Advanced Encryption Overview to learn more about Advanced Encryption and the EAP program.
This article will help you set up Advanced Encryption in your sandbox or production account by following the step-by-step instructions:
- Step 1: Request access to Advanced Encryption
- Step 2: Log in to the Secure Configuration Portal
- Step 3: Configure KMS access keys
- Step 4: Complete the setup in Admin Center
Step 1: Request access to Advanced Encryption
Follow these steps after you've signed up for the EAP and Advanced Encryption has been enabled in your account.
- In Admin Center, go to Account > Security > Advanced encryption.
- Click the Request access button in the lower right.
You will receive a welcome email to add your KMS configuration to Zendesk.
- Click Get started in the email message.
Step 2: Log in to the Secure Configuration Portal
- Create an account in the Secure Configuration Broker. If you landed on the login page first, enter your information and click CREATE ACCOUNT to create an account.
If you manage multiple Zendesk accounts or refresh your sandbox, you will need to provide different email addresses when registering each one. Most email providers support suffixing your email with a tag (e.g., use owner+sandbox1@mycompany.com instead of owner@mycompany.com). For example, Microsoft and Google use plus addressing to link a primary email to multiple unique email IDs.
- When your account is created, you are prompted to log in. Type your Email and Password, then click LOGIN.
Step 3: Configure KMS access keys
Adding your KMS configuration is a 3-step process:
- I - (Prerequisite) Create encryption keys in your KMS
- II - Add your KMS configuration
- III - Create the KMS configuration assignment
I - (Prerequisite) Create encryption keys in your KMS
This step is one of the prerequisites to using Zendesk Advanced Encryption. In your Zendesk-supported KMS, create your encryption keys by following the KMS-specific instructions.
After creating encryption keys in your KMS, create a backup copy. It's important to back up your encryption keys for your business continuity and disaster recovery. Zendesk will not have access to your KMS and will be unable to assist with any disaster recovery. See the documentation for your KMS for instructions.
II - Add your KMS configuration
- Under Add Config, select the icon for your KMS.
- Add your access credentials and configure which key to use when encrypting your data. The steps to do this depend on which KMS you are using.
- Click ENCRYPT AND SAVE.
The config displays on the KMS Configurations page. Note the KMS Config ID. You’ll need this ID for the next step.
- Click ENABLE KEY LEASING to enable key leasing for this KMS configuration.
Key leasing is a technique Zendesk provides that adds an extra layer of key wrapping so that the Advanced Encryption Service doesn't need to call your KMS on every key wrap and unwrap operation. Instead, it generates a lease key, wraps that key using your KMS, and uses it for a period of time to wrap and unwrap the keys that encrypt application data. The leased key is checked for validity against the KMS every 10 minutes; if it is no longer valid, it is destroyed.
Note: With key leasing, your cost of using the KMS is reduced and request latency is lower, which speeds up your application experience.
- Type the Key identifier, then click CONFIRM.
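The key-leasing mechanism described above, modelled as a runnable illustration. This is added here and is not Zendesk's code: SimulatedKMS, KeyLease and the clock parameter are assumed names, and the HMAC keystream wrap is a toy stand-in for a real KMS key wrap.

```python
import hashlib, hmac, os, time

LEASE_CHECK_SECONDS = 600  # the article: the leased key is re-validated with the KMS every 10 minutes

def wrap(key, data, nonce=None):
    """Toy key wrap (HMAC-SHA256 keystream, keys up to 32 bytes): a stand-in for real authenticated key wrap."""
    nonce = os.urandom(16) if nonce is None else nonce
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:len(data)]
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def unwrap(key, blob):
    return wrap(key, blob[16:], blob[:16])[16:]  # same nonce, same keystream: XOR undoes itself

class SimulatedKMS:
    """Stand-in for the customer's KMS; every request it serves is billable and adds latency."""
    def __init__(self):
        self.material, self.enabled, self.calls = os.urandom(32), True, 0

    def call(self, op, data):   # op is wrap or unwrap; the key material never leaves the KMS
        self.calls += 1
        if not self.enabled:    # the customer disabled or deleted the key in their KMS
            raise PermissionError("KMS key is no longer usable")
        return op(self.material, data)

class KeyLease:
    """Leased key: data keys are wrapped locally; the KMS wraps the lease once and re-confirms it every 10 min."""
    def __init__(self, kms, clock=time.time):
        self.kms, self.clock, self.lease_key, self.wrapped_lease, self.last_check = kms, clock, None, None, 0.0

    def _lease(self):
        now = self.clock()
        if self.lease_key is None:
            lease_key = os.urandom(32)                           # generated locally
            self.wrapped_lease = self.kms.call(wrap, lease_key)  # the one KMS request per lease
            self.lease_key, self.last_check = lease_key, now
        elif now - self.last_check >= LEASE_CHECK_SECONDS:       # checked on next use here; a service uses a timer
            try:
                self.kms.call(unwrap, self.wrapped_lease)        # validity check against the KMS
            except PermissionError:
                self.lease_key = self.wrapped_lease = None       # no longer valid: destroy the lease
                raise
            self.last_check = now
        return self.lease_key

    def wrap_data_key(self, dek):
        return wrap(self._lease(), dek)       # no KMS round trip while the lease is valid

    def unwrap_data_key(self, blob):
        return unwrap(self._lease(), blob)
```

With this model, 100 data-key wraps cost one KMS request, and disabling the key in the KMS stops the lease at the next 10-minute check. A production service would also need to store the wrapped lease next to each wrapped data key so that data stays recoverable through the KMS after a lease is dropped.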
III - Create the KMS configuration assignment
Next, create the KMS configuration assignment, which allows Zendesk to use the provided KMS configuration to protect the user fields listed above. If you’ve added multiple KMS configurations, you’ll need to create an assignment for each one.
- In the Secure Configuration Portal, click KMS Config Assignments in the left pane.
- Click the add icon to add a config assignment.
- On the Assign KMS Configuration window, select:
  - Organization: Zendesk
  - KMS Config ID: The KMS configuration ID that was created as part of the KMS configuration.
- Click SAVE.
Incoming user field traffic will start to be encrypted after you click SAVE.
- Click SET PRIMARY.
The primary key is used to encrypt the data. You must set one configuration as primary for encryption to work.
- Return to Admin Center, and select Account > Security > Advanced encryption.
- Click Next to move from Step 2 to Step 3.
Step 4: Complete the setup in Admin Center
- In Admin Center, go to Account > Security > Advanced encryption.
- Click Next to activate encryption.
- Select each checkbox to confirm that you understand what will happen when you activate Advanced Encryption.
After all checkboxes are selected, the Activate encryption button becomes active.
- Click Activate encryption.
A progress bar displays the data encryption process status. When complete, the progress bar appears green and an Activated entry displays in the Encryption history log.