Encrypt your tenant with Reltio Shield
Learn how to generate your keys after downloading the script files.
After you’ve downloaded and extracted the script files, use them to:
- Determine whether your tenant is encrypted
- Create a new KMS key for your tenant
- Set up the key rotation option so that keys rotate automatically every year
The script sets up Reltio Shield for DynamoDB data-at-rest encryption, generating a new AWS Key Management Service (KMS) key for each region of your DynamoDB instance. You can select the key material origin you want to use:
- AWS_KMS: A KMS key whose material is generated by AWS. For this material origin, you can set a key rotation option to rotate the key automatically once every year.
- EXTERNAL: You provide your own key material file, which the script encrypts and imports into the KMS key it generates. You need OpenSSL v3.0 or later installed to use this option.
Before starting the installation, ensure you have this information at hand. You may find it helpful to print this page and record your information in advance for easy reference.
Particulars | Required information | Your details
---|---|---
Tenant configuration | |
Reltio tenant | Tenant ID |
Reltio tenant | Tenant URL |
Authorization server credentials | Username |
Authorization server credentials | Password |
Encryption key information | |
AWS credentials | AWS access key ID |
AWS credentials | AWS secret access key |
Key material origin: AWS KMS | Automatic key rotation required? |
Key material origin: External | Name of the file containing the external encryption key material |
To encrypt your tenant using the Reltio Shield installation script:
- From a command-line interface (CLI), run this command to install the HTTP libraries the script depends on:
pip install -r requirements.txt
- After the libraries are installed, run this command to start the Reltio Shield encryption script:
python3 main.py
- Follow the prompts and enter the requested information:
- Tenant configuration information:
- Please enter your Environment URL: Enter the URL of the tenant for which you want to enable Reltio Shield.
- Please enter your Tenant Id: Enter the ID of the tenant for which you want to enable Reltio Shield.
- Please enter username for the Reltio OAuth server: Enter your Reltio username to sign in to your tenant.
- Please enter password for the Reltio OAuth server: Enter your Reltio sign in password.
- Wait for the following success messages to be displayed:
Operation to get auth token parameters has been successful
Operation to read tenant parameters has been successful.
There is no shield for the tenant (tenant name).
- Encryption key creation information:
- Do you want to create new keys?: Enter Yes.
- Please enter an access key of your AWS account: Enter your AWS account access key.
- Please enter a secret key of your AWS account: Enter your AWS account secret key.
- What key material origin you want to use (Enter 1 or 2):
- AWS_KMS: The script creates the specified AWS KMS key, sends a request to read all existing key aliases, and sends a request to AWS to create an alias for the new KMS key.
- Do you want to Automatically rotate this KMS key every year? [Y/N]: Enter Y.
- External: The script sends a request to AWS to create a unique customer-managed KMS key in the customer's Amazon Web Services account and region.
- Please enter the file name contain your key material: Enter the name of the file containing your external key material.
- Tenant configuration information:
- Wait for the following success message to be displayed:
This key is autogenerated for Tenant shield. Please do not delete.
Reltio Shield updates the key policy for the tenant and encrypts the data. Back in the Reltio Console, the Shield Encryption page indicates that Reltio Shield is enabled and that you manage the encryption key.
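To make the AWS side of the procedure concrete, here is an added Python model (not Reltio's script and not part of this page) of what the AWS_KMS path does: list existing aliases, create a customer-managed symmetric key per region, enable yearly rotation when requested, and attach a unique alias. It also shows the check behind "determine whether your tenant is encrypted": a DynamoDB table counts as shielded only if its SSE description points at a KMS key whose KeyManager is CUSTOMER, not the AWS-owned default. The boto3 method names and parameters (list_aliases, create_key, enable_key_rotation, create_alias, describe_key, describe_table) are the real ones; the alias naming scheme, the account ID and the Fake* clients are constructed stand-ins so the example runs offline without credentials. The 32-byte check on external material reflects the size KMS expects for a SYMMETRIC_DEFAULT key.

```python
"""Offline model of the Shield script's AWS-side work (example code, not Reltio's).

`kms` and `dynamodb` are duck-typed clients: boto3.client("kms") and
boto3.client("dynamodb") in real use. FakeKMS/FakeDynamoDB are constructed
stand-ins so this runs without AWS access. The alias naming scheme and the
account ID below are assumptions.
"""
from dataclasses import dataclass
import uuid

SHIELD_DESCRIPTION = "This key is autogenerated for Tenant shield. Please do not delete."


@dataclass
class ShieldKey:
    key_id: str
    key_arn: str
    alias: str
    rotation_enabled: bool


def existing_aliases(kms) -> set:
    """Collect every alias name, following KMS pagination (Truncated/NextMarker)."""
    names, kwargs = set(), {}
    while True:
        page = kms.list_aliases(**kwargs)
        names.update(a["AliasName"] for a in page.get("Aliases", []))
        if not page.get("Truncated"):
            return names
        kwargs = {"Marker": page["NextMarker"]}


def provision_shield_key(kms, tenant_id: str, region: str, rotate_yearly: bool) -> ShieldKey:
    """Create a customer-managed key, enable rotation if asked, attach a unique alias."""
    alias = f"alias/reltio-shield-{tenant_id}-{region}"  # assumed naming scheme
    if alias in existing_aliases(kms):
        raise ValueError(f"alias already exists, refusing to reuse it: {alias}")
    meta = kms.create_key(
        Description=SHIELD_DESCRIPTION,
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
        Origin="AWS_KMS",
    )["KeyMetadata"]
    if rotate_yearly:
        # AWS rotates the backing material yearly; key id, ARN and alias stay stable
        kms.enable_key_rotation(KeyId=meta["KeyId"])
    kms.create_alias(AliasName=alias, TargetKeyId=meta["KeyId"])
    return ShieldKey(meta["KeyId"], meta["Arn"], alias, rotate_yearly)


def table_uses_customer_key(dynamodb, kms, table_name: str) -> bool:
    """True only if SSE is enabled, backed by KMS, and that key is customer managed."""
    sse = dynamodb.describe_table(TableName=table_name)["Table"].get("SSEDescription") or {}
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return False  # no SSEDescription means DynamoDB's AWS-owned key
    key = kms.describe_key(KeyId=sse["KMSMasterKeyArn"])["KeyMetadata"]
    return key.get("KeyManager") == "CUSTOMER" and key.get("Enabled", False)


def validate_external_material(raw: bytes) -> bool:
    """A SYMMETRIC_DEFAULT key imports exactly 256 bits (32 bytes) of material."""
    return len(raw) == 32


class FakeKMS:
    """Constructed stand-in for boto3's KMS client (only the calls used above)."""
    def __init__(self, region="us-east-1", aliases=()):
        self.region, self.keys, self.rotation = region, {}, set()
        self.aliases = {a: None for a in aliases}

    def list_aliases(self, **kw):
        return {"Aliases": [{"AliasName": a} for a in self.aliases], "Truncated": False}

    def create_key(self, **kw):
        key_id = str(uuid.uuid4())
        arn = f"arn:aws:kms:{self.region}:123456789012:key/{key_id}"  # placeholder account
        meta = {"KeyId": key_id, "Arn": arn, "KeyManager": "CUSTOMER", "Enabled": True, **kw}
        self.keys[key_id] = self.keys[arn] = meta
        return {"KeyMetadata": meta}

    def enable_key_rotation(self, KeyId):
        self.rotation.add(KeyId)

    def create_alias(self, AliasName, TargetKeyId):
        if AliasName in self.aliases:
            raise RuntimeError("AlreadyExistsException")
        self.aliases[AliasName] = TargetKeyId

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId]}


class FakeDynamoDB:
    """Constructed stand-in for boto3's DynamoDB client."""
    def __init__(self, tables):
        self.tables = tables

    def describe_table(self, TableName):
        return {"Table": self.tables[TableName]}


def demo():
    """Provision a key, then check one shielded table and one on the AWS-owned key."""
    kms = FakeKMS(aliases=["alias/aws/dynamodb"])
    key = provision_shield_key(kms, "tenant01", "us-east-1", rotate_yearly=True)
    ddb = FakeDynamoDB({
        "shielded": {"SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                        "KMSMasterKeyArn": key.key_arn}},
        "default": {},  # no SSEDescription: AWS-owned key, not under your control
    })
    return key, table_uses_customer_key(ddb, kms, "shielded"), table_uses_customer_key(ddb, kms, "default")


if __name__ == "__main__":
    print(demo())
```

In production the two clients come from boto3 with the access key and secret key the script prompts for, and the alias check matters because CreateAlias fails on a duplicate name after the key has already been created, leaving an orphaned key behind.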