Bring Your Own Key Release Notes

Bring Your Own Key (BYOK) is now available. This enables designated Encryption Administrators to encrypt model data using your organization's encryption keys. For more information, see Bring Your Own Key in Anapedia.

Note: Bring Your Own Key is an additional product that your organization can purchase if it has the Enterprise edition.

Best practices

This section contains some best practices to follow when using BYOK.

Development Practices
  1. Identify or create a workspace that does not contain any essential model data.
  2. Encrypt the workspace to practice using BYOK. 

After successfully encrypting the workspace:

  1. Run the tests on models in the workspace that you want.
  2. Follow the same procedure to encrypt your production workspace.
  3. If required, decrypt the development workspace.
Ensure Workspaces are not in use

Workspaces can't be encrypted when they are active. Ensure that your users are no longer using any models in the workspace before starting encryption. Do not start encryption until the workspace state is "Ready".


Encrypting before loading data

The first encryption is known as encryption in place. This is an offline event. To reduce the amount of time for this encryption, we recommend encrypting a workspace when it is first created or before significant data is loaded. Data added to models within the workspace after encryption is automatically encrypted. This is known as encryption on the fly. It's likely that this is sensitive data and it is more secure to load it after the workspace is encrypted.

Identify users for key roles
  • Identify users to be assigned the Encryption Admins role as early as possible.
  • Identify users to be assigned the Tenant Auditor role.
Encryption Admin role

To maintain separation of duties, Encryption Admins should not have access to any model data.

  • Ensure that Encryption Admins are added as members of at least one workspace with a model permission of "no access".
  • Let your account representative know the email addresses of the Encryption Admins when you first order BYOK.
  • Ideally, assign more than one person to the Encryption Admin role.
  • Encryption Admin users can assign other users in their tenant the Encryption Admin role or remove it using the Access Control feature of the Administration app.

    Note: Only a limited set of users are eligible to be assigned the Encryption Admin role. Only users who were submitted to Anaplan as potential Encryption Admins appear in the Access Control section of the Administration app. If any users are missing, add them to the workspace in your tenant with the role 'No Access' then contact Anaplan Support and request that those users are added to the list of eligible Encryption Admins.

Tenant Auditor role

The Tenant Auditor role can access the BYOK audit logs. You might want to specify different users to the ones assigned the Encryption Admin role, but that’s your choice. Your Tenant Administrator can assign users to this role. Tenant Auditors need to be a user in at least one Anaplan workspace, ideally with a model permission of "no access".


When the "BYOK" status changes following a successful encryption or decryption action in a workspace, wait two minutes before running another operation on that workspace. This enables trailing processes to complete and helps to prevent unexpected errors.


As an Encryption Admin, you can use the Reassign Key button on the Encrypted Workspaces page to easily apply key rotation on your workspaces.

BYOK now has audit logging. You can use the Audit Service API to:

  • Retrieve up to 30 days of logs.
  • Get the BYOK history for your tenant.
  • Get the BYOK history for your tenant for specific dates that you specify.
  • Get information about who carried out an action in BYOK, when it was done, and what was done.

For more information, see Administration: Security - Audit in Anapedia.

Issues Resolved
Issue Description
As an Encryption Administrator, you can now assign or remove the Encryption Admin role.
Known Issues and Workarounds
When generating a key using the required values, but without waiting before entering values, key generation fails with the "Invalid Key Name" message.Wait a few seconds before entering data on the Generate New Encryption Key popup.
When editing an encryption key, the Key Alias field is disabled and cannot be changed.
The content in this article has not been evaluated for all Anaplan implementations and may not be recommended for your specific situation.
Please consult your internal administrators prior to applying any of the ideas or steps in this article.
Labels (2)
0 Kudos