Bring your own key encryption (BYOK) - Beta

In Board, data is always encrypted and keys are managed automatically without the need for customer intervention. With the Bring your own key encryption (BYOK) feature, Developers can autonomously manage data encryption within Board in a quick and easy way, preventing potential malicious uses and security/confidentiality breaches. This feature provides enhanced security for data using industry standard strong AES-256 encryption with a random generated cipher, making it unreadable outside of the current Board Platform unless and until it is decrypted. Encrypted content includes Entity members and data stored in Cubes.

When you first enable encryption on your Data model, you must enter a password: when the encryption process is over, the data is masked but it will still be readable in the Platform where you first enabled encryption. The password you entered is required to decrypt the Data model and to unmask data after moving the encrypted Data model between Platforms.

Be sure to write down your password and keep it in a safe place: if you lose it, the Data model can no longer be unlocked and all data it contains will be unrecoverable, not even by Board employees.

The Bring your own key encryption feature is released as a beta version: it contains most of the major features and has gone through internal testing, but it might still have bugs that can only be found under real usage conditions. It can also receive minor changes and hotfixes before moving to the final release stage.
The Bring your own key encryption is only available to cloud customers and is disabled by default. To enable it, please raise a ticket through the Board Support Portal: the ticket must contain your Platform name (e.g. customer1-s1.board.com). The Board Cloud Operations team will then handle your request.

 

Enabling Encryption

To enable encryption, proceed as follows:

  1. Access the desired Data model and go to the "Summary" section
  2. Click on the toggle next to "Bring your own key encryption (BYOK)"
  3. Set a password, click on "ENABLE ENCRYPTION" and on "YES, START ENCRYPTING" in the confirmation pop-up

    That password will be required to disable encryption and to unmask data when an encrypted Data model is imported to a Platform other than the one where encryption was first enabled.
    Be sure to write down your password and keep it in a safe place: if you lose it, the Data model can no longer be unlocked and the data it contains will be unrecoverable, not even by Board employees.

  4. The encryption process begins.
  5. When the process is finished, the toggle will be displayed as ON with a light blue background, meaning that data is encrypted.

    During the encryption process, the Data model is automatically put into Maintenance mode.
    Depending on the Data model size, the encryption process may take some time: you can monitor its progress from the "Running tasks" page under "System Administration" (in a separate browser tab).

     

Disabling Encryption

  1. To disable encryption, proceed as follows:

  2. Access the desired Data model and go to the "Summary" section
  3. Click on the toggle next to "Bring your own key encryption (BYOK)"
  4. Enter the required password, and click on "DISABLE ENCRYPTION"

    The password is the one you have set when encryption was first enabled or the last you saved. Read the "Changing your password" paragraph for more details.

  5. The decryption process begins.
  6. When the process is finished, the toggle will be displayed as OFF with a grey background, meaning that data is unencrypted.

During the decryption process, the Data model is automatically put into Maintenance mode.
Depending on the Data model size, the decryption process may take some time: you can monitor its progress from the "Running tasks" page under "System Administration" (in a separate browser tab).

 

 

Importing an encrypted Data model

When an encrypted Data model is imported in a new Platform, the data it contains is masked (i.e. Screen Objects associated with that Data model will display incomprehensible and meaningless data). To use the Data model in Screens and other Board resources, you must first unmask the data it contains.

To do so, proceed as follows:

  1. Access the imported Data model and go to the "Summary" section. In the "Summary" section homepage you will see a warning message informing you that encryption is enabled and data are currently masked
  2. Click on "UNMASK DATA" and enter the password you set encryption was first enabled (i.e. in the original Platform)
  3. The unmasking process begins. When the process is finished, the encryption toggle will be displayed as ON with a light blue background, meaning that data are encrypted but they can be used in the current Platform, as they will be displayed as normal readable values

No new data should be added to an encrypted Data model whose data has not been unmasked: if you do so, the Data model can no longer be unlocked and the data it contains will be unrecoverable. Be sure to unmask data as described above, before adding new ones.

 

Changing the encryption password

After enabling encryption, you can change the password used to decrypt/unmask data at any time. Simply click on the "CHANGE PASSWORD" blue button, enter the current password and the new password twice to confirm, then click on "CHANGE PASSWORD".

The new password will be required to decrypt the Data model and to unmask data after moving the encrypted Data model between Platforms. It will also be saved in any backup copy of the Data model that will be created thereafter. See next paragraph for more details.

 

Backing up and restoring encrypted Data models

Board's backup function creates a snapshot of the entire Data model and that includes the encryption status and the password used to decrypt/unmask data.

Depending on the Data model encryption status when you create or restore a backup copy of it, the following scenarios can occur:

  • If you backup an unencrypted Data model and then enable encryption, restoring that very backup copy will also restore the Data mode to its previous unencrypted state
  • If you backup an encrypted Data model and then disable encryption, restoring that very backup copy will also restore the Data mode to its previous encrypted state. The  password set when the backup copy was created will be required to disable encryption again
  • If you restore a backup copy of an encrypted Data model, you also restore the password set when the backup copy was created. If the password is different from the current one, you will have to unmask the data as described in the "Importing an encrypted Data model" paragraph using the password set when the backup copy was created