Create an encryption key and enable BYOK
This section explains how to create an encryption key in AWS or GCP and have Collibra use it (bring your own key, BYOK) to encrypt the virtual hard disks that contain the Collibra Platform repository.
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
Amazon Web Services (AWS)
- Sign in to your AWS Console and go to the Key Management Service (KMS).
Note: You must be in the same region as your Collibra Platform environment.
- Generate an encryption key with the following specifications:
  Encryption key specification | Value
  Key type | Symmetric
  Key usage | Encrypt and decrypt
  These keys are protected by FIPS 140-2 validated cryptographic modules (hardware security modules). For more details on creating encryption keys, go to the AWS documentation.
- Contact your Collibra Account Team to enable BYOK on your Collibra environment and provide the following information:
- The list of environments on which you want to enable BYOK.
- The Amazon Resource Name (ARN) of the encryption key you created. You can find the ARN in the General configuration section of the key.
- Your CSM then provides you with our Collibra AWS account ID.
- In the key policy of the KMS key, add the Collibra AWS account ID (in the console, under Other AWS accounts). This grants that account use of the key only, not administration of it: the key policy, rotation and deletion stay under your control.
- Provide a maintenance window in which we can enable BYOK on the selected environments.
During this maintenance window, Collibra enables BYOK by using the ARN of your encryption key.
Google Cloud Platform (GCP)
- Sign in to your Google Cloud console and go to the Key Management section.
- Create a new key ring.
Note: You must be in the same region as your Collibra Platform environment. If you choose a multi-region location for the key ring, make sure that Collibra's region is included.
- In this key ring, create a new key with the following specifications:
  Encryption key specification | Value
  Purpose | Symmetric encrypt/decrypt
  Duration of 'scheduled for destruction' state | We recommend at least 90 days.
  We recommend that you disable the key rather than delete it. Either action makes the disks encrypted with the key unusable, but a disabled key can be re-enabled, whereas deleting the key is permanent and cannot be undone. For more information about the destruction state of keys, go to the GCP key destroy and restore documentation.
  For more details on creating encryption key rings, go to the GCP documentation.
- Contact your Collibra Account Team to enable BYOK on your Collibra environment and provide the following information:
- The list of environments on which you want to enable BYOK.
- The ID of the symmetric encryption key. To find the ID of the key, go to the GCP Key Management documentation.
The ID must be in the following format (the key itself, not a key version):
projects/${my-gcp-project}/locations/${my-location}/keyRings/${my-key-ring-name}/cryptoKeys/${my-key-name}
- Your CSM then provides you with two GCP principals and the permissions they require.
- In the permissions settings of the encryption key, grant the provided permissions to those principals. Grant them on the key itself rather than on the key ring or the project, so that the principals can use only this key.
- Provide a maintenance window in which we can enable BYOK on the selected environments.
During this maintenance window, Collibra enables BYOK by using the ID of your encryption key.
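The following helper is an added example, not Collibra's, AWS's or Google's own code. It checks the two identifiers the AWS and GCP steps above ask you to hand to your Collibra Account Team (a KMS key ARN in the environment's region, rejecting alias ARNs; a Cloud KMS key ID in the required format, rejecting key-version IDs and locations outside the allowed set), builds the AWS key policy that adding the Collibra account ID produces, and audits a key policy so that any account other than your own receives key use and AWS-resource grants only. The account IDs, region, project, key ring and key names are constructed placeholders, and the policy statements reproduce what the KMS console generates under Other AWS accounts, which is an assumption about your setup rather than something the Collibra procedure specifies.

```python
import re

# Added example helper (not Collibra's code). Placeholders throughout are constructed.

# Key ARN as shown under "General configuration" of a KMS key; alias ARNs
# (...:alias/name) do not match and are rejected.
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":key/(?P<key_id>mrk-[0-9a-f]{32}|[0-9a-f-]{36})$"
)
# Resource name format the GCP step requires: the key itself, so a trailing
# "/cryptoKeyVersions/N" does not match.
GCP_KEY_ID_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
# Actions the KMS console grants when an external account ID is added under
# "Other AWS accounts" (assumption: this matches your console output): key use,
# plus grants restricted to AWS services so EC2/EBS in that account can attach
# volumes encrypted with the key.
KMS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
KMS_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def parse_kms_key_arn(arn, expected_region):
    """Split a KMS key ARN; raise ValueError if it is not a key ARN or the key
    is not in the region of the Collibra environment."""
    m = KMS_KEY_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    parts = m.groupdict()
    if parts["region"] != expected_region:
        raise ValueError(f"key is in {parts['region']}, environment is in {expected_region}")
    return parts


def parse_gcp_key_id(key_id, allowed_locations):
    """Split a Cloud KMS key ID; raise ValueError on a malformed or version-level
    ID, or on a location that does not serve Collibra's region."""
    m = GCP_KEY_ID_RE.match(key_id)
    if not m:
        raise ValueError(f"not a cryptoKey resource name: {key_id!r}")
    parts = m.groupdict()
    if parts["location"] not in allowed_locations:
        raise ValueError(f"location {parts['location']} not in {sorted(allowed_locations)}")
    return parts


def build_key_policy(own_account_id, collibra_account_id):
    """Key policy equivalent to adding collibra_account_id under Other AWS accounts."""
    ext = f"arn:aws:iam::{collibra_account_id}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{own_account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": ext}, "Action": list(KMS_USE_ACTIONS), "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": ext}, "Action": list(KMS_GRANT_ACTIONS), "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _account_of(principal):
    """Account ID behind an AWS principal: an IAM ARN, a bare account ID, or '*'."""
    if principal == "*" or re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.match(r"^arn:aws(?:-[a-z]+)?:iam::(\d{12}):", principal)
    return m.group(1) if m else "?"


def audit_external_access(policy, own_account_id):
    """Return findings for every Allow statement that gives a principal outside
    own_account_id more than key use: an anonymous principal, admin or wildcard
    actions, or CreateGrant without the kms:GrantIsForAWSResource condition."""
    allowed = set(KMS_USE_ACTIONS) | set(KMS_GRANT_ACTIONS)
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        principal = st.get("Principal", {})
        if principal == "*":
            aws = ["*"]
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            aws = [aws] if isinstance(aws, str) else list(aws)
        else:
            aws = []
        for pr in aws:
            acct = _account_of(pr)
            if acct == own_account_id:
                continue
            if acct == "*":
                findings.append(f"{sid}: key usable by any principal")
            extra = sorted(set(actions) - allowed)
            if extra:
                findings.append(f"{sid}: {acct} granted more than key use: {extra}")
            cond = st.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if "kms:CreateGrant" in actions and cond != "true":
                findings.append(f"{sid}: {acct} may create grants for arbitrary grantees")
    return findings
```

Run the audit against the policy you actually have (for example, the output of `aws kms get-key-policy --key-id <arn> --policy-name default --output text`) before and after the maintenance window; an empty findings list means the Collibra account can encrypt, decrypt and create service grants with the key and nothing more. If you maintain the policy outside the console, the dictionary returned by `build_key_policy` can be written to a file and applied with `aws kms put-key-policy --key-id <arn> --policy-name default --policy file://policy.json`.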