Data protection is an important priority for organizations managing sensitive business information in Archer. As security and compliance expectations evolve, many clients want more control over how encryption keys are managed, governed, and audited. To support this need, Archer is introducing support for Client-Owned AWS KMS keys for Field-Level Encryption. With this capability, clients can use an AWS KMS key from their own AWS account to protect sensitive field data in Archer, including text, numeric, date, IP address, image, and attachment fields. The key remains under the client’s ownership and control.
How It Works
The client creates and manages the AWS KMS key in their own AWS account. Archer uses the client-provided key only for the encryption and decryption operations required for Field-Level Encryption.Clients are responsible for ensuring that the key remains active, correctly configured, and available so Archer can continue to encrypt and decrypt protected field data without interruption.
Availability
Field-Level Encryption with Client-Owned AWS KMS will be available by the end of June. Exact dates will be shared soon.
How to Enable
To enable this capability:
- Enable Field-Level Encryption from Archer Instance Manager.
- Raise a support ticket to receive the required Key Usage Policy.
- Configure the AWS KMS key and key policy in your AWS account.
- Register the AWS KMS Key ARN in Archer.
Configuration Steps
Step 1: Review Archer hosting regions
In Archer, go to Field Encryption > Key Management and review the AWS KMS Setup Guide.
The guide displays the regions used by your Archer environment:
- Primary Region
- Disaster Recovery Region
Client-Owned AWS KMS keys must be configured as multi-Region keys.If Archer has a supported disaster recovery region for your SaaS region, the replica key must be created in that supported Archer disaster recovery region. If Archer does not have a supported disaster recovery region, you may create the replica key in an alternate AWS region to support recovery during a disaster scenario.
Step 2: Create an AWS Multi-Region KMS Key
In your AWS account, create an AWS KMS Multi-Region key using the required configuration. The key type must be Symmetric, and the key usage must be set to Encrypt and decrypt. Multi-Region key must be enabled.The primary key region must be the same as the Archer primary region. If Archer disaster recovery is enabled for the instance, create the replica key in the same region as the Archer disaster recovery region
Step 3: Add the Key Usage Policy in AWS KMS
Before registering the key in Archer, update the AWS KMS key policy to allow the Archer-provided AWS principal to use the key for Field-Level Encryption.
For Archer-supported disaster recovery regions, the same Key Usage Policy can be used for the replica key. For non-supported regions, the key policy will be shared at a later stage.
To receive the required Key Usage Policy, contact Archer Technical Support and provide the following details:
Customer instance name or ID
Instance type: production or non-production
Customer point of contact name, email, and contact details
Contact responsible for configuring the AWS KMS key policy
This is a temporary process. In a future update, the Key Usage Policy will be available directly on the Key Management page for each instance.
Step 4: Register the AWS KMS key in Archer
After the AWS KMS key and key policy are configured:
- Go to Field Encryption > Key Management.
- Select Register AWS KMS Key.
- Review the consent information carefully.
- Select Accept after reviewing the encryption impact.
- Enter the AWS KMS Key ARN.
- Select Register.
Archer validates the key ARN and verifies whether the key can be used for the required encryption operations.
Step 5: Confirm key status
After the key is registered, it appears on the Key Management page.Review the key status to confirm that the key is active.Once the key is active, Archer can use the client-managed AWS KMS key for Field-Level Encryption.
Important Considerations
Before enabling encryption, review the consent information carefully. The consent explains important impacts, including:
- Encrypted fields will not appear in plain text in future backups.
- You are responsible for managing your AWS KMS key.
- If the key is deleted, disabled, revoked, or unavailable, encrypted data may become inaccessible.
- Encryption may affect some platform capabilities, such as search and reporting.
Summary
Client-Owned AWS KMS support gives clients greater control over encryption key management for Archer Field-Level Encryption.This capability helps organizations align Archer encryption with their internal security, compliance, and cloud governance requirements while continuing to protect sensitive field-level data in Archer.
Comments
0 comments
Please sign in to leave a comment.