Encrypt and Decrypt Sensitive Data

Customers can further protect sensitive data by encrypting particular fields during the Integrate.io ETL transformation process using their AWS Key Management Service (KMS) to securely store and manage the encryption keys. Integrate.io ETL calls the customer’s KMS for a data key as needed, and then uses this data key to generate the encrypted message (containing the ciphertext and the encrypted data key).

Symmetric Key Envelope Encryption

Reference: How the AWS Encryption SDK Works.

Create an AWS KMS Customer-Managed Encryption Key

Create a KMS customer master key for Integrate.io ETL encryption and decryption by following this AWS guide.

Add Integrate.io ETL’s AWS Account to the Customer Managed Key

a. Add Integrate.io ETL’s AWS account by pressing “Add other AWS accounts”.

b. Specify Integrate.io ETL’s AWS account number: 099517174445 in the KMS Key Administrators page. This gives Integrate.io ETL permission to call your KMS for this customer-managed key’s data key. The KMS key policy can give further fine-grained control of Integrate.io ETL’s permissions. For example, Integrate.io ETL might be given permission to encrypt data but never decrypt data (by removing “kms:Decrypt” from the key policy actions).

c. Store your key’s ARN from the KMS customer-managed keys page, as it will be needed later when calling Integrate.io ETL’s Encrypt and Decrypt functions.
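
An added example (not Integrate.io ETL's own code): a Python check of which decrypt-capable KMS operations a key policy still grants the Integrate.io ETL account after the policy is restricted as described in step b. The policy statements, Sid values and function names are constructed for illustration, and Deny statements and Condition blocks are not evaluated.

```python
import json
from fnmatch import fnmatchcase

ETL_ACCOUNT = "099517174445"  # Integrate.io ETL account number given on this page

# Constructed sample key-policy statements (the Sid values and the exact action
# lists are assumptions for illustration, not copied from a real key).
FULL_ACCESS = json.loads("""{"Sid": "AllowEtlUse", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::099517174445:root"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
             "kms:GenerateDataKey*", "kms:DescribeKey"],
  "Resource": "*"}""")
ENCRYPT_ONLY = json.loads("""{"Sid": "AllowEtlEncryptOnly", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::099517174445:root"},
  "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
  "Resource": "*"}""")

# Operations that let the caller recover plaintext. kms:ReEncryptFrom is included
# because ReEncrypt decrypts inside KMS before re-encrypting under another key.
DECRYPT_CAPABLE = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def names_account(statement, account_id):
    """True if the statement's AWS principal is the account or any ARN in it."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return principal == "*"
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:"):
            return True
    return False


def decrypt_paths(policy, account_id):
    """Return the sorted decrypt-capable operations Allow statements grant the account."""
    found = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not names_account(st, account_id):
            continue
        for pattern in _as_list(st.get("Action", [])):
            for op in DECRYPT_CAPABLE:
                # IAM action names are case-insensitive and may contain wildcards.
                if fnmatchcase(op.lower(), pattern.lower()):
                    found.add(op)
    return sorted(found)
```

An empty result for the Integrate.io ETL account means the policy grants it no decrypt-capable operation; a policy that drops only “kms:Decrypt” but keeps a “kms:ReEncrypt*” pattern still reports kms:ReEncryptFrom.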

Integrate.io ETL Encrypt Function

Configure a package in Integrate.io ETL and add a “Select” component. This will allow you to use Encrypt/Decrypt functions in your package.

Encrypt example with a custom encryption context

Encrypt(Name, 'arn:aws:kms:us-east-1:099517174445:key/ABCDEFGHIJ', TOMAP('MyKey', 'MySecret'))

Encrypt example without a custom encryption context (not recommended)

Encrypt(Name, 'arn:aws:kms:us-east-1:099517174445:key/ABCDEFGHIJ')

Integrate.io ETL Decrypt Function

The Decrypt function works in the same way, through an Integrate.io ETL Select component in a package.

Decrypt example with a custom encryption context

Decrypt(Name, 'arn:aws:kms:us-east-1:099517174445:key/ABCDEFGHIJ', TOMAP('MyKey', 'MySecret'))

Decrypt example without a custom encryption context

Decrypt(Name, 'arn:aws:kms:us-east-1:099517174445:key/ABCDEFGHIJ')

Note: Encrypt and Decrypt are premium Integrate.io ETL functions. Please contact your Integrate.io ETL Account Manager or email hello@integrate.io to enable these features on your account.