Bring Your Own Key
Last updated
Was this helpful?
Last updated
Was this helpful?
Bring Your Own Key (BYOK) is a security feature that allows clients to use their own encryption keys to protect their data. This ensures that clients maintain control over their encryption keys and, consequently, their data. Only Enterprise level support accounts can access this feature, and it requires assistance from Illumina support for setup.
Illumina supports integration with popular Key Management Services (KMS) such as Azure Key Vault and AWS KMS for managing your encryption keys. This integration allows clients to use their existing key management solutions for generating, storing, and managing their keys securely.
Azure Key Vault
is a cloud service that provides a secure way to store and manage sensitive information like API keys, passwords, and certificates. It offers robust features for key management, including key generation, storage, and lifecycle management.
AWS KMS
(KMS) allows you to create and control encryption keys used to encrypt your data across a wide range of AWS services and applications. It provides centralized management of encryption keys and integrates seamlessly with other AWS services.
These integrations ensure robust key management capabilities and enhance the security of your data through a combination of Illumina's BYOK feature and your preferred KMS provider.
Losing the encryption key means that all data encrypted with that key will be inaccessible. This can lead to permanent loss of access to crucial information. It is imperative that clients securely store and manage their keys to prevent such risks.
Emedgene’s API server will encrypt the client’s information before storing in Emedgene’s database and decrypt that information when needed (e.g. running the pipeline). The key vault is managed by the customer. The customer needs to provide the following information.
Please see below instructions on how to get or create it
Application Tokens:
Client Id
Client Secret
Tenant Id
The key information:
Key URL
Navigate to App registration
Register a new application, click “Register”
When you created the app, please copy Application (client) ID and Directory (tenant) ID
Go to Certificates and secrets (in the left menu)
Press “New client secret” and provide the “Value”
Press New Key (Create key vault)
Specify key vault name, region (ie. East US) and pricing tier
Click “Next” to Access Policies
Press “Add access policy” and set Key permissions:
Key Management Operations: -
Cryptographic Operations: Decrypt, Encrypt, Unwrap Key, Wrap Key
Then set Secret permissions:
Secret Permission: Get
Select principal: select the application you created before (in Create a new Application step)
Finish with “Review + create”
Navigate to the newly created Key vault
Select keys on the left side, select the key
Select the current version and copy “Key Identifier” https://<key-vault-name>.vault.azure.net/keys/<key-name>/<key-version>\
Description is coming soon.
Emedgene’s API server will encrypt the client’s information before storing in Emedgene’s database and decrypt that information when needed (e.g. running the pipeline). The key vault is managed by the client, and Emedgene will only be provided with access to encrypt/decrypt functions in that key vault. This guarantees that the clients controls access to the information.
Illustration of data flow when creating a case in Emedgene platform:
Illustration of data flow when reading a case data from Emedgene platform:
A preliminary step to this solution is having a key vault owned by the client, and a key that Emedgene is given access to.
The client will create an access policy in the key vault of type “Application” and provide the matching key and secret to Emedgene. The access policy must contain permissions to perform encrypt and decrypt actions.
In order for Emedgene to integrate with the key, depending on the key vault provider, the client needs to provide the following information:
Client Id
Client Secret
Tenant Id
Key vault name
Key name
Since some of our platform search capabilities run directly on the DB, we can’t directly search any data that is encrypted. To overcome this, we will implement a hashing search functionality as follows.
The case data will still be fully encrypted in the DB as it is today
Specific fields we want to make “searchable” - as defined by the customer, we will save their hash value alongside the encrypted data.
Hashing will be done using SHA-256, and will include a secure random generated salt of 32 characters, which will be added to the value.
The salt is unique and will not be used anywhere else in the platform.
When the user enters a string to search, we will hash that value using all the salt values, and search those hash values.
Illustration of data flow when searching in Emedgene platform:
Illustration of data flow when creating a case with searchable field in Emedgene platform:
\
