Enable Zuora Protect platform encryption for your organization
To enable your organization's Zuora Protect Platform Encryption feature, contact Zuora Support at support@zuora.com. Our team will help you set up the feature. Once your account is ready, you can create the encryption keys and encrypt data.
Prerequisites
We recommend you familiarize yourself with the Zuora objects and fields that support BYOK encryption.
Support Fields for BYOK Encryption
Zuora field-level encryption lets you encrypt sensitive data on the standard fields. You can encrypt certain fields on standard objects with some exceptions. Encrypted fields work normally across the Zuora UI, business processes, and APIs.
Zuora Object | Field |
---|---|
Contact |
Address1 |
Address2 |
|
Fax |
|
FirstName |
|
HomePhone |
|
LastName |
|
MobilePhone |
|
OtherPhone |
|
PersonalEmail |
|
WorkEmail |
|
WorkPhone |
|
Contact Snapshot |
Address1 |
Address2 |
|
Fax |
|
FirstName |
|
HomePhone |
|
LastName |
|
MobilePhone |
|
OtherPhone |
|
PersonalEmail |
|
WorkEmail |
|
WorkPhone |
|
Account |
AdditionalEmailAddresses |
NotificationHistoryCallout |
RequestUrl |
RequestPayload |
|
TaxableItemSnapshot |
DestAddressLine1 |
DestAddressLine2 |
When you encrypt a field:
- Only new values added through the UI post-enabling encryption will be encrypted.
- Existing values will not be encrypted.
To encrypt your existing data after enabling field encryption, please reach out to the Zuora support team at support@zuora.com.
Zuora Key Management System
Zuora Key Management System supports both types of encryption keys that are either created and managed in the Zuora UI or by bringing your own key (BYOK) to Zuora to encrypt your data. For BYOK keys, you can currently import your keys only from your AWS Key Management System.
Complete the following steps to start creating your own keys:
- Onboard to Zuora OneID. For more information, see Activate OneID for your organization.
- You must have a Zuora OneID Administrator role to be able to generate and manage the encryption keys from the Zuora UI. For more information, see Users in OneID.
- In OneID, navigate to Admin console > Encryption Key Management in the left-hand navigation section.
Create a new encryption key within Zuora Managed Keys or Integrate with your existing external Key Store (AWS KMS) with Zuora. After creating the Encryption Key in OneID, assign the keys to the Zuora tenants for the data encryption.
Create a new Zuora Managed Key
Zuora uses the AWS Key Management Services (AWS KMS) to manage the storage of your encryption keys. Instead of managing the encryption keys at your end with a separate infrastructure, we provide a secure option that is built on top of AWS to create and manage your encryption keys.
- In OneID, navigate to Admin console > Encryption Key Management in the left-hand navigation section
- On the Zuora keys page, click Create New Key.
- Add a Key Name and enable the auto rotation toggle. The automatic key rotation option helps in automatic key rotation (creating new keys) every year.
- Click Save.
Bring Your Own Keys
You can connect with your external AWS key store and import keys from your key store to encrypt your data.
Follow the steps mentioned below to connect with an external key store:
- In OneID, navigate to Admin console > Encryption Key Management in the left-hand navigation section.
- On the External Key Store page, click Connect External Key Store.
- Add the following values to integrate your external AWS Key Store with Zuora:
- Key Store Name
- Region
- Access Key ID
- Key Secret
- Click Save.
Once the connection has been established, your external store will be listed in the External Key Store section.
To import your encryption keys from your external key store:
- Navigate to the key store details page and click Connect.
- Enter the KMS Key ID and Key Name.
- Click Save.
All the imported keys will be listed under the corresponding Key Store in Zuora.
With Zuora Protect platform encryption, you can only encrypt standard fields on standard objects. We recommend you encrypt the least number of fields possible, for best results.
Assign keys to your Zuora tenants
After creating your encryption keys or importing your keys from your external KMS into Zuora, can you assign them to your Zuora tenants to enable data encryption.
The following steps explain how you can assign keys to your Zuora tenants:
- In OneID, navigate to Admin console > Encryption Key Management in the left-hand navigation section.
- On the Key Assignment page, click the Edit action against the Zuora tenant for which you want to encrypt the data.
You can choose an encryption key from the list of created and imported keys to assign to the Zuora Tenant.