Key management

By using your own encryption key to encrypt the virtual hard disks (VHDs) that contain the Collibra Platform repository, you have full control over access to the VHDs.

Disabling keys

If you suspect that Collibra has been compromised, you can disable the key so that no one can decrypt or even access the VHDs anymore.

We scan AWS or GCP to check if you have disabled your key. If we detect that a key is disabled, our security systems shut down all services in the affected Collibra environment. This ensures that the data is no longer accessible. When the key is re-enabled, we can restart your environment.

To disable or enable keys in AWS Key Management Service, go to the AWS documentation. To disable or enable keys in Google Cloud Key Management, go to the GCP documentation.

We do not store your encryption key on our servers. It is your responsibility to manage and protect it. We can only access the VHDs if you give us access to this encryption key. If you delete or lose the key, your data is permanently lost.

Rotating keys with AWS Key Management Service

AWS KMS automatically rotates AWS managed keys every year. You cannot enable or disable key rotation for AWS managed keys.

If a key rotates via the automatic key rotation mechanism, it does not affect your environment, meaning that your environment remains operational. For more information about automatic key rotation, go to the AWS documentation. Keep in mind that an automatic key rotation does not re-encrypt your VHDs.

If you want to re-encrypt VHDs, we have to migrate your data. For this purpose, you have to create a second encryption key. With this second key, we create new encrypted VHDs and migrate your data to these new VHDs. This data migration causes downtime of your Collibra environment. As such, you must provide a maintenance window via your Collibra Account Team.

Important: During the re-encryption process, the previous encryption key must remain enabled until the migration is completed.

Note that backups are not re-encrypted. Therefore, we recommend that you disable the previous encryption key rather than delete it.
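
The key-state rules of this section can be checked against `aws kms describe-key` output before and after a re-encryption. The following is an added example, not Collibra or AWS code: the key IDs and responses are constructed placeholders, and the phase labels "migrating" and "completed" are hypothetical names chosen for this check.

```python
import json

# Constructed DescribeKey responses (key IDs are placeholders, not real keys).
OLD_KEY = json.loads('{"KeyMetadata": {"KeyId": "old-key-placeholder", '
                     '"KeyState": "PendingDeletion", "KeyManager": "CUSTOMER", '
                     '"DeletionDate": "2030-01-31T00:00:00Z"}}')
NEW_KEY = json.loads('{"KeyMetadata": {"KeyId": "new-key-placeholder", '
                     '"KeyState": "Enabled", "KeyManager": "CUSTOMER"}}')


def check_rekey(old, new, phase):
    """Return a list of (severity, message) findings.

    old/new: parsed `aws kms describe-key` output for the previous and second key.
    phase: "migrating" while re-encryption runs, "completed" afterwards
           (hypothetical labels for this example).
    """
    if phase not in ("migrating", "completed"):
        raise ValueError(f"unknown phase: {phase!r}")
    old_m, new_m = old["KeyMetadata"], new["KeyMetadata"]
    findings = []

    if old_m["KeyId"] == new_m["KeyId"]:
        findings.append(("error", "re-encryption needs a second key, not the same key"))

    # New VHDs are encrypted with the second key, and a disabled key
    # causes the environment to be shut down.
    if new_m["KeyState"] != "Enabled":
        findings.append(("error", f"new key is {new_m['KeyState']}, expected Enabled"))

    old_state = old_m["KeyState"]
    if old_state == "PendingDeletion":
        # Backups stay encrypted under the previous key: deleting it loses them.
        findings.append(("error", "previous key is scheduled for deletion on "
                         f"{old_m.get('DeletionDate', 'unknown date')}; cancel and disable instead"))
    elif phase == "migrating" and old_state != "Enabled":
        findings.append(("error", f"previous key is {old_state}; it must stay Enabled "
                         "until migration completes"))
    elif phase == "completed" and old_state == "Enabled":
        findings.append(("info", "migration done: previous key can now be disabled (not deleted)"))
    return findings


if __name__ == "__main__":
    for severity, message in check_rekey(OLD_KEY, NEW_KEY, "migrating"):
        print(f"{severity}: {message}")
```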

Rotating keys with GCP Key Management

With GCP key management, you can configure automatic key rotation, which is a recommended security practice. If a key rotates via the automatic key rotation mechanism, it does not affect your environment, meaning that your environment remains operational. For more information about automatic key rotation, go to the GCP documentation. Keep in mind that an automatic key rotation does not re-encrypt your VHDs.

If you want to re-encrypt VHDs in GCP, we have to decrypt your VHDs with the current encryption key and re-encrypt them with the new key. For this purpose, you have to create a second encryption key, so that we can complete this action. Keep in mind that the re-encryption causes downtime of your Collibra environment. As such, you must provide a maintenance window via your Collibra Account Team.

Important: During the re-encryption process, the previous encryption key must remain enabled until the re-encryption is completed.

Note that backups are not re-encrypted. Therefore, we recommend that you disable the previous encryption key rather than delete it.