Secure data with Enterprise Managed Encryption Keys

As a Splunk Cloud administrator, you can enable the optional Enterprise Managed Encryption Keys (EMEK) capability to secure data for your Splunk Cloud deployment. Learn about inherent EMEK limitations as well as your responsibilities for maintaining the EMEK model.

About Enterprise Managed Encryption Keys

The Splunk platform encrypts customer data both in transit and at rest. To do so, Splunk leverages the Amazon Web Service Key Management Service (AWS KMS) to create and maintain a primary encryption key used to secure data on your Splunk Cloud deployment. KMS is a fully managed service, backed by Federal Information Processing Standards (FIPS)-140 hardware security modules that is also supported on PCI and HIPAA deployments. With this model, Splunk is responsible for the management of the keys, including all creation, rotation, and revocation operations.

Splunk also offers EMEK as an optional capability for encrypting data at rest, which allows you to provide your own primary encryption key. By leveraging this capability, Splunk Cloud administrators can grant and subsequently rotate, revoke, or disable access to your complete data set while maintaining the same degree of real-time data encryption and decryption operations that you get with the managed-service model. EMEK gives you the flexibility of managing the encryption key yourself, which ensures you maintain complete control of your Splunk Cloud deployment.

CAUTION: If you enable EMEK for your deployment, note that you are the sole controller of the master encryption key and, by design, you cannot unlock your data without this key. This means that disabling or deleting the EMEK key will result in permanent loss of data access.

Review EMEK customer responsibilities

Area Customer Responsibilities Splunk Responsibilities
Auditing Keys Use CloudTrail to examine the usage of your key. N/A
Disabling or Deleting Keys Safeguard your key from accidental deletion or disabling actions. If you intend to delete or disable a key, open a Support case first to coordinate with Splunk Cloud. Alert for loss of access privileges and notify the customer's operational contacts if any event occurs.
Key Access Management Prevent tampering or any other unwanted changes to the key policy. Note that the Cloud NOC or Cloud Support is available to immediately resolve Splunk access-related issues. Alert for loss of access privileges and notify the customer's operational contacts if any event occurs.
Key Availability Ensure your key is active and prevent any deletion, disabling, or other operations that would result in lost of access. Detect loss of access to key and any encryption/decryption failures, and notify the customer's operational contacts if any event occurs.
KMS Region Ensure the KMS account for your EMEK is in the same region as your Splunk Cloud deployment. N/A
Support and Escalation Paths Ensure your operational contacts are up to date to allow Splunk to contact you in the event of loss of access to your key. N/A

Review EMEK limitations

EMEK does not support the following features:

  • Non-native KMS keys, such as imported key material or Cloud Hardware Security Module (HSM) keys
  • Asymmetric KMS keys
  • KMS key ID changes

Note: If you need to change EMEK keys, open a Support case. If you have a support contract, file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.

Additionally, EMEK is governed by the following:

  • To migrate from one EMEK key to another, you must have encryption at rest enabled
  • When you delete an EMEK key, perform a rolling restart on your Splunk Cloud deployment to purge data that is available in the cache

Provision a Splunk Cloud deployment with an Enterprise Managed Encryption Key

Use the following steps to configure your Splunk Cloud deployment for EMEK:

  1. Request EMEK enablement from your Splunk account representative. Splunk will send you an email requesting confirmation of your participation in EMEK along with an EMEK waiver.
  2. Sign the waiver and return it to Splunk. Splunk processes your waiver and sends you the KMS Policy.
  3. Create a new or update an existing KMS key using the KMS Key Policy provided to you. For more information on creating and updating key policies, see:
  4. Provide Splunk with the Key ID for your Key Policy.

Splunk validates access, region, and key origin to ensure you are compliant with EMEK requirements. Splunk then provisions your environment and notifies you upon completion. Once you receive this notification, your EMEK key is ready for use.

Note: Splunk requires an extended maintenance window to migrate you from a Splunk-managed key to EMEK. During this time, you may experience slightly degraded search operations.