Bring Your Own Key (BYOK) is a security feature that allows organizations to use their own encryption keys to protect their data. This ensures that they maintain control over their encryption keys and, consequently, their data.
BYOK is only available for Enterprise-level support accounts.
BYOK setup
For versions earlier than v100.39.0, BYOK setup requires Illumina Support.
For versions v100.39.0 and later, you can complete the setup from .
Supported Key Management Services
Illumina integrates with leading Key Management Services (KMS), including Azure Key Vault and AWS KMS, so organizations can maintain full control over their encryption keys. These integrations combine Illumina’s Bring Your Own Key (BYOK) feature with your preferred KMS provider to deliver robust key management and enhanced data security.
Azure Key Vault
is a cloud service that provides a secure way to store and manage sensitive information like API keys, passwords, and certificates. It offers robust features for key management, including key generation, storage, and lifecycle management.
AWS KMS
(KMS) allows you to create and control encryption keys used to encrypt your data across a wide range of AWS services and applications. It provides centralized management of encryption keys and integrates seamlessly with other AWS services.
Risk of losing a key
Losing the encryption key means that all data encrypted with that key will be inaccessible. This can lead to permanent loss of access to crucial information.
Setup
Azure Key Vault Setup
The API server encrypts the organization's information before storing it in the database and decrypts it when needed (e.g., during pipeline execution). The key vault is managed by the organization.
To configure encryption in Emedgene, you need the following information from Azure Key Vault:
Application tokens:
Client Id
Tenant Id
Client Secret
The key information:
Key URL
Create a new application
1
Navigate to App registrations
2
Click Register to create a new application and and fill in the required details
3
Add a client secret
1
In the left menu, select Certificates & Secrets
2
Click New client secret. Copy and save the Value (Client Secret) immediately, as it is shown only once.
Create a new key
1
Click New Key (Create key vault)
2
Specify the key vault name, region (for example, East US), and pricing tier
3
Find key details
1
Navigate to the newly created Key vault
2
In the left menu, select Keys, and then select the key
The API server will encrypt the client's information before storing it in a database and decrypt that information when needed (e.g., running the pipeline). The key vault is managed by the client, and Emedgene will only be provided with access to encrypt/decrypt functions in that key vault. This guarantees that clients control access to the information.
Illustration of data flow when creating a case in Emedgene platform:
Illustration of data flow when reading a case data from emedgene platform:
A preliminary step to this solution is having a key vault owned by the client, and a key that Emedgene is given access to.
The client will create an access policy in the key vault of type “Application” and provide the matching key and secret to Emedgene. The access policy must contain permissions to perform encrypt and decrypt actions.
In order for Emedgene to integrate with the key, depending on the key vault provider, the client needs to provide the following information:
Client Id
Client Secret
Tenant Id
Key vault name
Searching Encrypted Fields
Since some of our platform search capabilities run directly on the DB, we can’t directly search any data that is encrypted. To overcome this, we will implement a hashing search functionality as follows.
The case data will still be fully encrypted in the DB as it is today
Specific fields we want to make “searchable” - as defined by the customer, we will save their hash value alongside the encrypted data.
Hashing will be done using SHA-256, and will include a secure random generated salt of 32 characters, which will be added to the value.
Illustration of data flow when searching in Emedgene platform:
Illustration of data flow when creating a case with searchable field in Emedgene platform:
Appendix
Appendix: Control flows text
Write:
Read
Write Searchable
Read Searchable
It is crucial to securely store and manage your keys to prevent such risks.
After registration, copy and save the
Application (Client) ID
and
Directory (Tenant) ID
Please note the expiration date. If the secret expires, encryption will fail.
Click
Next
to go to
Access Policies
4
Select Add access policy, and set Key permissions:
Client->Emedgene API: Add New Test Request
note right of Emedgene API: Process Request
Emedgene API->Key Vault: PHI
note right of Key Vault: Encrypt
Key Vault->Emedgene API: Encrypted PHI
Emedgene API->Emedgene DB: Store Encrypted PHI
Client->Emedgene API: Get Test Request
emedgene DB->Emedgene API: Encrypted PHI
Emedgene API->Key Vault: Encrypted PHI
note right of Key Vault: Decrypt
Key Vault->Emedgene API: Decrypted PHI
Emedgene API->Client: Decrypted PHI
Client->Emedgene API: Add New Test Request
note right of Emedgene API: Process Request
Emedgene API->Key Vault: PHI
note right of Key Vault: Encrypt
Key Vault->Emedgene API: Encrypted PHI
Emedgene API-> Emedgene DB: Get Salt
Emedgene API-> Emedgene API: Hash Value using Salt
Emedgene API->Emedgene DB: Store Encrypted PHI + Hashed value
Client->Emedgene API: Search string
Emedgene API->AWS Secrets: Get Salt
Emedgene API-> Emedgene API: Hash string using Salt
Emedgene API->Emedgene DB: Search hashed string
Emedgene DB->Emedgene API: Search results
Emedgene API->Client: Search results
