Encrypt your tenant with Reltio Shield

Learn how to generate your keys after downloading the script files.

After you’ve downloaded and extracted the script files, you use them to:

  • Determine whether your tenant is encrypted
  • Create a new KMS key for your tenant
  • Set up the key rotation option to rotate keys automatically every year

The script enables Reltio Shield for DynamoDB data-at-rest encryption by generating a new AWS Key Management Service (KMS) key for each region of your DynamoDB instance. You can select the key material origin you want to use:

  • AWS_KMS: An AWS KMS key. For this material origin, you can set a key rotation option to rotate the key automatically once every year.
  • EXTERNAL: You provide your own key material file, which the script encrypts and imports into the KMS key it generates. You need to have OpenSSL v3.0 or later installed to use this option.

Tip: The Reltio Shield installation script is written in Python v3.9, so you need to have Python installed to run it.

Before starting the installation, ensure you have this information at hand. You may find it helpful to print this page and record your information in advance for easy reference.

Table 1. Information required for installing Reltio Shield

Particulars                          | Required information                                          | Your details
-------------------------------------+---------------------------------------------------------------+-------------
Tenant configuration                 |                                                               |
  Reltio tenant                      | Tenant ID                                                     |
                                     | Tenant URL                                                    |
  Authorization server credentials   | Username                                                      |
                                     | Password                                                      |
Encryption key information           |                                                               |
  AWS credentials                    | AWS access key identifier                                     |
                                     | AWS secret access key                                         |
  Key material origin: AWS_KMS       | Automatic key rotation required?                              |
  Key material origin: EXTERNAL      | Name of the file containing external encryption key details   |

To encrypt your tenant using the Reltio Shield installation script:

  1. From a command-line interface (CLI), run this command to install the HTTP libraries: pip install -r requirements.txt
  2. After the libraries are installed, run this command to start the Reltio Shield encryption script: python3 main.py
  3. Follow the prompts and enter the requested information:
    1. Tenant configuration information:
      • Please enter your Environment URL: Enter the URL of the tenant for which you want to enable Reltio Shield.
      • Please enter your Tenant Id: Enter the ID of the tenant for which you want to enable Reltio Shield.
      • Please enter username for the Reltio OAuth server: Enter your Reltio username to sign in to your tenant.
      • Please enter password for the Reltio OAuth server: Enter your Reltio sign-in password.
      • Wait for the following success messages to be displayed:

        Operation to get auth token parameters has been successful

        Operation to read tenant parameters has been successful.

        There is no shield for the tenant (tenant name).

    2. Encryption key creation information:
      • Do you want to create new keys?: Enter Yes.
      • Please enter an access key of your AWS account: Enter your AWS account access key.
      • Please enter a secret key of your AWS account: Enter your AWS account secret key.
      • What key material origin you want to use (Enter 1 or 2):
        1. AWS_KMS: The script creates the specified AWS KMS key, sends a request to read all existing key aliases, and sends a request to AWS to create an alias for the new KMS key.
          • Do you want to Automatically rotate this KMS key every year? [Y/N]: Enter Y.
        2. EXTERNAL: The script sends a request to AWS to create a unique customer-managed KMS key in the customer's Amazon Web Services account and region.
          • Please enter the file name contain your key material: Enter the name of the file containing your external key material.
  4. Wait for the following success message to be displayed:

    This key is autogenerated for Tenant shield. Please do not delete.

Reltio Shield updates the key policy for the tenant and encrypts the data. Back in the Reltio Console, the Shield Encryption page indicates that Reltio Shield is enabled and that you manage the encryption key.
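The KMS calls behind the two key material origins (the AWS_KMS and EXTERNAL choices described above and prompted for in step 3.2), as an added example that is not Reltio's installation script: it is written against a boto3-style KMS client that the caller passes in, so it can be exercised with a fake client. The alias naming convention (alias/reltio-shield-<tenant>), the use of the page's success message as the key description, and the openssl wrapping helper are assumptions; the AWS API names and parameters are the real KMS ones.

```python
# Added example, not the Reltio Shield script itself: the AWS KMS calls that the
# two key material origins (AWS_KMS and EXTERNAL) imply, written against a
# boto3-style KMS client passed in by the caller. The alias format, the key
# description and the openssl wrapping helper are assumptions.
import os
import subprocess
import tempfile

# Assumed: the page shows this text as the final success message, so it is
# used here as the key description that an operator would see in the console.
KEY_DESCRIPTION = "This key is autogenerated for Tenant shield. Please do not delete."


def tenant_alias(tenant_id: str) -> str:
    """Assumed alias convention: one alias per tenant (not documented on the page)."""
    return f"alias/reltio-shield-{tenant_id}"


def list_all_aliases(kms) -> list:
    """Read every existing alias in the region, following ListAliases pagination."""
    names, kwargs = [], {}
    while True:
        page = kms.list_aliases(**kwargs)
        names.extend(a["AliasName"] for a in page["Aliases"])
        if not page.get("Truncated"):
            return names
        kwargs = {"Marker": page["NextMarker"]}


def wrap_with_openssl(key_material: bytes, wrapping_public_key_der: bytes) -> bytes:
    """Encrypt raw key material with the RSA public key KMS returns for import,
    using RSAES-OAEP with SHA-256 (matches WrappingAlgorithm=RSAES_OAEP_SHA_256).
    Shells out to the openssl CLI, which is why the page requires OpenSSL 3.x."""
    with tempfile.TemporaryDirectory() as d:
        pub, plain, wrapped = (os.path.join(d, n) for n in ("pub.der", "plain.bin", "wrapped.bin"))
        with open(pub, "wb") as f:
            f.write(wrapping_public_key_der)
        with open(plain, "wb") as f:
            f.write(key_material)  # plaintext exists only inside the temp dir
        subprocess.run(
            ["openssl", "pkeyutl", "-encrypt", "-in", plain, "-out", wrapped,
             "-inkey", pub, "-keyform", "DER", "-pubin",
             "-pkeyopt", "rsa_padding_mode:oaep",
             "-pkeyopt", "rsa_oaep_md:sha256", "-pkeyopt", "rsa_mgf1_md:sha256"],
            check=True,
        )
        with open(wrapped, "rb") as f:
            return f.read()


def create_shield_key(kms, tenant_id, origin="AWS_KMS", rotate=False,
                      key_material=None, wrap=wrap_with_openssl) -> str:
    """Create one KMS key for a tenant in the client's region and return its KeyId."""
    if origin not in ("AWS_KMS", "EXTERNAL"):
        raise ValueError(f"unknown key material origin: {origin}")
    if origin == "EXTERNAL" and rotate:
        # KMS cannot rotate imported key material automatically, which is why the
        # script only offers yearly rotation for the AWS_KMS origin.
        raise ValueError("automatic rotation is not available for EXTERNAL keys")
    if origin == "EXTERNAL" and (key_material is None or len(key_material) != 32):
        raise ValueError("EXTERNAL origin needs exactly 32 bytes of key material")

    alias = tenant_alias(tenant_id)
    if alias in list_all_aliases(kms):
        raise RuntimeError(f"{alias} already exists; is this tenant already encrypted?")

    key_id = kms.create_key(
        Description=KEY_DESCRIPTION,
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
        Origin=origin,  # EXTERNAL leaves the key in PendingImport until material arrives
    )["KeyMetadata"]["KeyId"]

    if origin == "EXTERNAL":
        params = kms.get_parameters_for_import(
            KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048")
        kms.import_key_material(
            KeyId=key_id,
            ImportToken=params["ImportToken"],
            EncryptedKeyMaterial=wrap(key_material, params["PublicKey"]),
            ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE",
        )
    elif rotate:
        kms.enable_key_rotation(KeyId=key_id)  # KMS rotates yearly by default

    kms.create_alias(AliasName=alias, TargetKeyId=key_id)
    return key_id


if __name__ == "__main__":
    import boto3  # real run only: credentials come from the usual AWS credential chain
    print(create_shield_key(boto3.client("kms"), "example-tenant", rotate=True))  # placeholder tenant
```

The alias check runs before CreateKey so a second run against an already encrypted tenant fails before it creates an orphaned key; the rotation guard encodes the reason the script only asks about rotation for the AWS_KMS origin.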