Customers can further protect sensitive data by encrypting particular fields during the Integrate.io ETL transformation process using their AWS Key Management Service (KMS) to securely store and manage the encryption keys. Integrate.io ETL calls the customer’s KMS for a data key as needed, and then uses this data key to generate the encrypted message (containing the ciphertext and the encrypted data key).
[Figure: Symmetric Key Envelope Encryption. Reference: How the AWS Encryption SDK Works (AWS documentation).]
Create an AWS KMS Customer-Managed Encryption Key
Create a KMS customer master key for Integrate.io ETL encryption and decryption following this AWS guide.
Add Integrate.io ETL’s AWS Account to the Customer Managed Key
b. Specify Integrate.io ETL’s AWS account number, 099517174445, in the KMS Key Administrators page. This gives Integrate.io ETL permission to call your KMS for this customer-managed key’s data key. The KMS key policy can give further fine-grained control of Integrate.io ETL’s permissions; for example, Integrate.io ETL might be given permission to encrypt data but never to decrypt it (by removing “kms:Decrypt” from the key policy actions).
c. Store your key’s ARN from the KMS customer-managed keys page as this will be needed later when calling Integrate.io ETL’s Encrypt and Decrypt functions.
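The key policy the steps above describe, written out as an added example that is not Integrate.io’s own code or documentation. It starts from a statement that grants Integrate.io ETL’s account (099517174445, as on the page) the usual data-key operations, derives the encrypt-only variant by removing kms:Decrypt exactly as step b suggests, and includes a deliberately simplified evaluator so you can check what each variant grants. The customer account number is a placeholder; the evaluator ignores conditions, grants and the IAM policies in the caller’s own account, all of which real KMS authorization also consults, so treat it as a sanity check on the policy document rather than a model of AWS.

```python
"""Constructed example: a KMS key policy for Integrate.io ETL and a simplified
check of what it allows. Not Integrate.io's code. Account 099517174445 is the
Integrate.io ETL account named on the page; 111122223333 is a placeholder for
the customer's own account."""
import copy
import fnmatch
import json

CUSTOMER_ACCOUNT = "111122223333"      # placeholder: the account that owns the key
INTEGRATE_IO_ACCOUNT = "099517174445"  # Integrate.io ETL's account, from the page

# Full read/write variant: Integrate.io ETL may encrypt and decrypt.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Standard statement so IAM policies in the owning account can manage the key.
            "Sid": "EnableIAMPoliciesInKeyOwningAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "AllowIntegrateIoEtlDataKeyOperations",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{INTEGRATE_IO_ACCOUNT}:root"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}


def without_action(policy: dict, sid: str, action: str) -> dict:
    """Return a copy of the policy with one action removed from the statement `sid`."""
    new_policy = copy.deepcopy(policy)
    for stmt in new_policy["Statement"]:
        if stmt.get("Sid") == sid:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            stmt["Action"] = [a for a in actions if a != action]
    return new_policy


# Encrypt-only variant, built the way the page describes: drop kms:Decrypt.
ENCRYPT_ONLY_POLICY = without_action(KEY_POLICY, "AllowIntegrateIoEtlDataKeyOperations", "kms:Decrypt")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, principal_arn: str, action: str) -> bool:
    """Simplified key-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants the action. Conditions and grants are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        principal = stmt["Principal"]
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def allowed_kms_actions(policy: dict, principal_arn: str) -> list:
    """List which of the data-key operations a principal may call under the policy."""
    candidates = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
    return sorted(a for a in candidates if is_allowed(policy, principal_arn, a))


def policy_json(policy: dict) -> str:
    """Render the policy document as it would be pasted into the KMS key policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    etl = f"arn:aws:iam::{INTEGRATE_IO_ACCOUNT}:root"
    print(policy_json(ENCRYPT_ONLY_POLICY))
    print("full policy grants:", allowed_kms_actions(KEY_POLICY, etl))
    print("encrypt-only grants:", allowed_kms_actions(ENCRYPT_ONLY_POLICY, etl))
```

Because the principal is the account root, the key policy only delegates permission to the Integrate.io account; identities inside that account are further limited by their own IAM policies, which is why the key policy is the right place to withhold kms:Decrypt if you never want the service to read plaintext back.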
Integrate.io ETL Encrypt Function
Configure a package in Integrate.io ETL and add a “Select” component. This will allow you to use Encrypt/Decrypt functions in your package.
Encrypt example with a custom encryption context
Encrypt(Name, 'arn:aws:kms:us-east-1:099517174445:key/ABCDEFGHIJ', TOMAP('MyKey', 'MySecret'))
Encrypt example without a custom encryption context (not recommended: the encryption context is additional authenticated data that must be supplied identically on decrypt and is recorded in AWS CloudTrail, so omitting it gives up both the binding and the audit trail)
Integrate.io ETL Decrypt Function
The Decrypt function works the same way, through a Select component in an Integrate.io ETL package, and must be given the same key ARN and encryption context that were used to encrypt.
Decrypt example with a custom encryption context
Decrypt(Name, 'arn:aws:kms:us-east-1:099517174445:key/ABCDEFGHIJ', TOMAP('MyKey', 'MySecret'))
Decrypt example without a custom encryption context
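The flow behind the Encrypt and Decrypt functions above, and the envelope-encryption description at the top of the page, as an added example that is not Integrate.io’s code and not the AWS Encryption SDK. It uses only the Python standard library, so a FakeKms class stands in for the customer’s KMS (it holds the master key and only ever hands out data keys), and an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag stands in for AES-GCM; the key ARN is a placeholder. What it shows is the shape of the message (ciphertext plus encrypted data key) and why the encryption context matters: decrypting with a different context, or with tampered ciphertext, fails authentication.

```python
"""Constructed example of envelope encryption with an encryption context.
Not Integrate.io's code or the AWS Encryption SDK: FakeKms replaces AWS KMS and
an HMAC-based AEAD replaces AES-GCM so the example runs offline."""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _canonical_context(context: dict) -> bytes:
    # The encryption context is additional authenticated data: not secret, but it
    # must be presented identically on decrypt, so serialise it deterministically.
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()  # aad binds the context
    return nonce + ct + tag


def _aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, tampered data or different encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Stands in for the customer's KMS: holds master keys and never releases them."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_arn: str) -> str:
        self._master_keys[key_arn] = os.urandom(32)
        return key_arn

    def generate_data_key(self, key_arn: str, context: dict):
        # Like KMS GenerateDataKey: plaintext data key plus the same key wrapped under the master key.
        data_key = os.urandom(32)
        wrapped = _aead_encrypt(self._master_keys[key_arn], data_key, _canonical_context(context))
        return data_key, wrapped

    def decrypt_data_key(self, key_arn: str, wrapped: bytes, context: dict) -> bytes:
        # Like KMS Decrypt on the wrapped key: the context must match or unwrapping fails.
        return _aead_decrypt(self._master_keys[key_arn], wrapped, _canonical_context(context))


def encrypt_field(kms: FakeKms, key_arn: str, value: str, context: dict) -> dict:
    """Encrypt one field. The result is the 'encrypted message' the page describes:
    the ciphertext together with the encrypted data key."""
    data_key, wrapped = kms.generate_data_key(key_arn, context)
    ct = _aead_encrypt(data_key, value.encode(), _canonical_context(context))
    return {"key_arn": key_arn, "encrypted_data_key": wrapped.hex(), "ciphertext": ct.hex()}


def decrypt_field(kms: FakeKms, message: dict, context: dict) -> str:
    """Unwrap the data key through KMS, then decrypt the field; both steps fail
    if the supplied context differs from the one used at encryption time."""
    wrapped = bytes.fromhex(message["encrypted_data_key"])
    data_key = kms.decrypt_data_key(message["key_arn"], wrapped, context)
    return _aead_decrypt(data_key, bytes.fromhex(message["ciphertext"]), _canonical_context(context)).decode()


if __name__ == "__main__":
    kms = FakeKms()
    arn = kms.create_key("arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER")  # placeholder ARN
    msg = encrypt_field(kms, arn, "Alice", {"MyKey": "MySecret"})
    print("message fields:", sorted(msg))
    print("decrypted:", decrypt_field(kms, msg, {"MyKey": "MySecret"}))
    try:
        decrypt_field(kms, msg, {"MyKey": "Other"})
    except ValueError as err:
        print("different context rejected:", err)
```

Calling encrypt_field with an empty context corresponds to the "without a custom encryption context" examples: it still works, but the ciphertext is then bound to nothing beyond the key, so nothing in the message records or enforces what the value was encrypted for.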