Encrypt and Decrypt Sensitive Data

Customers can further protect sensitive data by encrypting particular fields during the Xplenty transformation process using their AWS Key Management Service (KMS) to securely store and manage the encryption keys. Xplenty calls the customer’s KMS for a data key as needed, and then uses this data key to generate the encrypted message (containing the ciphertext and the encrypted data key).

Symmetric Key Envelope Encryption

Reference: How the AWS Encryption SDK Works.

Create an AWS KMS Customer-Managed Encryption Key

Create a KMS customer master key for Xplenty encryption and decryption following this AWS guide.

Add Xplenty’s AWS Account to the Customer Managed Key

a. Add Xplenty’s AWS account by pressing “Add other AWS accounts”.

b. Specify Xplenty’s AWS account number: 099517174445 in the KMS Key Administrators page. This gives Xplenty permission to call your KMS for this customer-managed key’s data key. The KMS key policy can give further fine-grained control of Xplenty’s permissions. For example, Xplenty might be given permission to encrypt data but never decrypt data (by removing “kms:Decrypt” from the key policy actions).

c. Store your key’s ARN from the KMS customer-managed keys page, as this will be needed later when calling Xplenty’s Encrypt and Decrypt functions.
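
A check for the encrypt-only arrangement described in step b, as an added example (not Xplenty’s or AWS’s code): it reads a key policy document and reports which decrypt-capable actions the Xplenty account still holds. The sample policies, the statement Sid and the helper names are constructed for illustration; Condition keys and Deny statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

XPLENTY_ACCOUNT = "099517174445"  # account number given on this page

# Actions that let a principal get plaintext back out of KMS. kms:Decrypt is the
# one the page names; kms:ReEncryptFrom is included because ReEncrypt decrypts
# inside KMS and re-encrypts under a key the caller chooses.
DECRYPT_CAPABLE = ("kms:Decrypt", "kms:ReEncryptFrom")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if a statement's Principal covers the account root or one of its identities."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(a in ("*", account_id) or a.startswith(f"arn:aws:iam::{account_id}:")
               for a in arns)

def decrypt_actions_granted(policy_json, account_id=XPLENTY_ACCOUNT):
    """Return the decrypt-capable actions that Allow statements grant to account_id."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _names_account(stmt.get("Principal"), account_id):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action patterns are case-insensitive and accept * and ? wildcards.
            granted.update(a for a in DECRYPT_CAPABLE
                           if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(granted)

def _policy(actions, account_id=XPLENTY_ACCOUNT):
    """Constructed sample: a key policy with one cross-account key-usage statement."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowXplentyUse", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": actions, "Resource": "*"}]})

FULL_USE = _policy(["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"])
ENCRYPT_ONLY = _policy(["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"])

if __name__ == "__main__":
    print("full use    :", decrypt_actions_granted(FULL_USE))
    print("encrypt only:", decrypt_actions_granted(ENCRYPT_ONLY))
```

An empty result means the key policy itself no longer lets the account decrypt; a wildcard such as “kms:*” left in any Allow statement for that account is reported the same way as an explicit “kms:Decrypt”.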

Xplenty Encrypt Function


Configure a package in Xplenty and add a “Select” component. This will allow you to use Encrypt/Decrypt functions in your package.

Encrypt example with a custom encryption context

Encrypt example without a custom encryption context (not recommended)

Xplenty Decrypt Function

The Decrypt function works in the same way, through an Xplenty Select component in a package.

Decrypt example with a custom encryption context

Decrypt example without a custom encryption context

Note: Encrypt and Decrypt are premium Xplenty functions. Please contact your Xplenty Account Manager or email hello@xplenty.com to enable these features on your account.