Advanced Encryption allows your company to encrypt your Service Data using your own enterprise key management system (KMS), ensuring data stored in Zendesk can’t be read in plain text by an external party and is decrypted just in time to enable Zendesk services. This feature strengthens your security posture and helps you comply with data protection and privacy obligations. See Advanced Encryption Overview to learn more.
This article will help you set up Advanced Encryption in your sandbox or production account by following the step-by-step instructions:
Step 1: Request access to Advanced Encryption
Follow these steps after you've signed up for the EAP and Advanced Encryption has been enabled in your account.
- In Admin Center, click Account in the sidebar, then select Security > Advanced encryption.
- Click the Request access button in the lower right.
You will receive a welcome email with instructions on how to add your KMS configuration to Zendesk.
- Click Get started in the email message.
Step 2: Log in to the Secure Configuration Portal
You need to create an account before you can log in to the Secure Configuration Portal.
- Create an account in the Secure Configuration Portal. If you land on the login page first, enter your information and click CREATE ACCOUNT to create an account. If you manage multiple accounts, including sandboxes, choose a descriptive company name and domain to uniquely identify the account.
- For Company Name, enter your Zendesk subdomain.
- For Company Domain, enter yoursubdomain.zendesk.com, where yoursubdomain is your Zendesk subdomain.
- When your account is created, you are prompted to log in. Type your Email and Password, then click LOGIN.
Step 3: Configure KMS access keys
Adding your KMS configuration is a 3-step process:
I - (Prerequisite) Create encryption keys in your KMS
This step is a prerequisite for using Advanced Encryption. In your Zendesk-supported KMS, create your encryption keys by following the KMS-specific instructions.
After creating encryption keys in your KMS, make a backup copy. It's important to back up your encryption keys for business continuity and disaster recovery. Zendesk won't have access to your KMS and cannot assist with disaster recovery. See the documentation for your KMS for instructions.
II - Add your KMS configuration
- Under Add Config, select the icon for your KMS.
- Add your access credentials and configure which key to use when encrypting your data. The steps to do this depend on which KMS you are using.
- Click ENCRYPT AND SAVE.
The configuration is displayed on the KMS Configurations page. Note the KMS Config ID. You’ll need this ID for the next step.
- Click ENABLE KEY LEASING to enable key leasing for this KMS configuration.
Key leasing is a mechanism Zendesk provides that adds an extra layer of key wrapping so that the Advanced Encryption Service doesn’t need to send a request to your KMS on every key wrap and unwrap operation. Instead, the service leases a key, wraps it using your KMS, and uses that leased key for a period of time to wrap and unwrap the keys that encrypt application data. The leased key is checked for validity with your KMS every 10 minutes; if it is no longer valid, it is destroyed.
Note: Implementing key leasing reduces the cost of using the KMS and request latency, speeding up your application experience.
- Type the key identifier, then click CONFIRM.
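The following is an added illustrative model of the key-leasing behaviour described above; it is not Zendesk's code, and the simulated KMS, its wrap primitive (an HMAC-SHA256 keystream with a MAC standing in for a real KMS wrap operation), the class names and the 600-second default interval are assumptions. It shows that wrapping and unwrapping data keys costs no KMS requests while a lease is fresh, that the lease is re-checked with the KMS once per interval, and that a key disabled in the KMS causes the leased key to be destroyed at the next check.

```python
import hashlib, hmac, os, time

def _stream(secret, nonce, n):
    # HMAC-SHA256 counter keystream: a stdlib-only stand-in for a real wrap cipher
    return b"".join(hmac.new(secret, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def wrap_with(secret, plaintext):  # authenticated wrap: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(secret, nonce, len(plaintext))))
    return nonce + ct + hmac.new(secret, nonce + ct, hashlib.sha256).digest()

def unwrap_with(secret, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(secret, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(secret, nonce, len(ct))))

class SimulatedKms:
    """Stand-in for the customer-controlled KMS: counts requests; keys can be disabled."""
    def __init__(self, key_id):
        self.keys, self.enabled, self.calls = {key_id: os.urandom(32)}, {key_id: True}, 0
    def disable_key(self, key_id):  # models disabling/revoking the key in your KMS
        self.enabled[key_id] = False
    def _use(self, key_id, op, arg):
        self.calls += 1  # every wrap/unwrap is a round trip to the KMS
        if not self.enabled[key_id]: raise PermissionError("KMS key %s is disabled" % key_id)
        return op(self.keys[key_id], arg)
    def wrap(self, key_id, plaintext): return self._use(key_id, wrap_with, plaintext)
    def unwrap(self, key_id, blob): return self._use(key_id, unwrap_with, blob)

class KeyLease:
    """Leased key: wrapped once by the KMS, used locally for data keys, re-checked each interval."""
    def __init__(self, kms, key_id, check_interval=600, clock=time.time):
        self.kms, self.key_id, self.interval, self.clock = kms, key_id, check_interval, clock
        self.lease_key = os.urandom(32)
        self.wrapped = kms.wrap(key_id, self.lease_key)  # the single KMS call per lease
        self.checked_at = clock()
    def _validate(self):
        if self.clock() - self.checked_at >= self.interval:
            self.checked_at = self.clock()
            try:
                self.kms.unwrap(self.key_id, self.wrapped)  # periodic validity check with the KMS
            except PermissionError:
                self.lease_key = None  # no longer valid: destroy the leased key
        if self.lease_key is None: raise PermissionError("lease destroyed: KMS key no longer valid")
    def wrap_data_key(self, data_key):
        self._validate(); return wrap_with(self.lease_key, data_key)
    def unwrap_data_key(self, blob):
        self._validate(); return unwrap_with(self.lease_key, blob)
```

The `clock` parameter exists only so the 10-minute interval can be stepped deterministically; in practice it would be the wall clock.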
III - Create the KMS configuration assignment
Next, create the KMS configuration assignment, which allows Zendesk to use the provided KMS configuration to protect the user fields listed above. If you’ve added multiple KMS configurations, you must create an assignment for each one.
- In the Secure Configuration Portal, click KMS Config Assignments in the left pane.
- Click the plus icon to add a config assignment.
- On the Assign KMS Configuration page, enter:
- Organization: Zendesk
- KMS Config ID: The KMS Config ID that was created when you added the KMS configuration (shown on the KMS Configurations page).
Step 4: Complete the setup in Admin Center
- In Admin Center, click Account in the sidebar, then select Security > Advanced encryption.
- Click Next to activate encryption.
- Select each checkbox to confirm you understand what will happen when you activate Advanced Encryption.
After all checkboxes are selected, the Activate encryption button becomes active.
- Click Activate encryption.
A progress bar displays the status of the data encryption process. The progress bar appears green when complete, and an Activated entry appears in the encryption history log.