Types of customer-specific encryption keys

When you manage your own encryption keys, Connected uses the following set of keys to secure your data:

  • Master key. Site-specific encryption key that is the root of the Connected encryption hierarchy.

    The master key is customer-managed and stored in a tamper-resistant hardware security module (HSM) compliant with the Key Management Interoperability Protocol (KMIP). To ensure data security, Connected does not have access to this key, so it cannot decrypt your data on its servers.

    CAUTION: Connected does not store your master key. Therefore, if it becomes lost, corrupted, or otherwise inaccessible, the system cannot decrypt your stored data.

  • Customer key. Customer-level encryption key encrypted by your master key and stored by Connected with your company information.

    For detailed information about the creation of this type of key, see Creation of the customer encryption key.

  • User key. User-specific encryption key that is encrypted by your customer key and stored by Connected with the user's profile information. Each user has a unique key.

    For detailed information about the creation of this type of key, see Creation of a user encryption key.

  • User Workspace key. Encryption key for a particular category of a user's data. For backup data, Connected uses a distinct workspace key for each of a user's protected devices. Connected stores workspace keys with the user's profile information.

    The workspace key is encrypted by the user key, which is itself encrypted by your customer key. The customer key, in turn, is encrypted by your master key, which Connected cannot access. Therefore, your data remains stored securely: without the master key at the top of this chain, the system cannot obtain the workspace key to decrypt data on its servers.

    For detailed information about the creation of user workspace keys, see Creation of a user workspace encryption key.
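
The wrapping chain described in the list above, as an added example (not Connected's code): each key is stored only in encrypted form under the key one level up, so recovering a workspace key requires the master key, and a lost or wrong master key makes every stored record unusable. Assumptions: the master key is a local byte string rather than an HSM-held key reached over KMIP, the `wrap`/`unwrap` construction is a standard-library stand-in for whatever key-wrap algorithm Connected uses, and all function and record names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 keystream + HMAC tag stands in for the real
# key-wrap algorithm, which the page does not name. Illustration only.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt `key` under the key-encryption key; returns nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError for a wrong or damaged key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong or corrupted wrapping key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def build_hierarchy(master: bytes):
    """Return (wrapped records the service would store, plaintext workspace key)."""
    customer, user, workspace = (secrets.token_bytes(32) for _ in range(3))
    stored = {
        "customer": wrap(master, customer),   # kept with company information
        "user": wrap(customer, user),         # kept with the user's profile
        "workspace": wrap(user, workspace),   # kept with the user's profile
    }
    return stored, workspace

def recover_workspace_key(master: bytes, stored: dict) -> bytes:
    """Walk the chain master -> customer -> user -> workspace."""
    customer = unwrap(master, stored["customer"])
    user = unwrap(customer, stored["user"])
    return unwrap(user, stored["workspace"])
```
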

For information about the process of encrypting or decrypting user data with these keys, see How Connected uses customer-managed encryption keys.