Set up customer managed keys (Private preview)
You can set up customer managed keys (CMK) to protect secrets stored in Atlan (for example, connection credentials). CMK is available in private preview for AWS-hosted tenants.
Prerequisites
Before you begin, make sure you have:
- Admin permissions in Atlan.
- An AWS-hosted Atlan tenant. CMK doesn't work for Azure-hosted or GCP-hosted tenants.
- A planned maintenance window for activation or rotation (Atlan support coordinates the migration).
Upload your key
- Generate a 256-bit (32-byte) symmetric key and store it securely. Use a method approved by your security team (for example, a hardened workstation, an HSM-backed workflow, or an internal key generation process). Don't use an asymmetric key (RSA or ECC) or a passphrase.
  Example: Generate a 32-byte key with OpenSSL
      # Writes 32 raw random bytes (not hex or base64) to atlan-cmk.key
      openssl rand -out atlan-cmk.key 32
  Example: Generate a 32-byte key with Python
      import secrets
      # secrets draws from the operating system's CSPRNG
      with open("atlan-cmk.key", "wb") as f:
          f.write(secrets.token_bytes(32))
  Info: Losing this key can permanently block access to secrets protected by the vault. Store backups in a secure, redundant location approved by your security team.
- In your Atlan workspace, open Admin center, and then click Authentication. Scroll to the Keys section at the bottom of the page.
  If you don't see the customer managed keys section, raise a support request to request private preview access.
- In the customer managed keys section, upload your key. Atlan validates the key before accepting it.
- After you upload your key, raise a support request to activate CMK. Include your tenant name, confirmation that the CMK is uploaded in Authentication, and your preferred maintenance window.
- After Atlan completes the migration, you receive a confirmation from Atlan.
  To verify that the CMK is active, go to Authentication and confirm that the CMK status shows Active in the Customer managed keys section.
If you want to rotate or update your CMK, generate a new 256-bit symmetric key and store it securely, upload the new key from the Authentication page, and raise a support request to schedule the key rotation.
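The key generation step above (and the same step during rotation), as an added example that is not part of Atlan's documentation: it creates the key file with owner-only permissions and runs a local sanity check before upload. The checks and the `fingerprint` helper are assumptions about what a raw 32-byte key file should look like; the page does not describe Atlan's own validation rules.

```python
import hashlib
import os
import secrets
import stat
import tempfile

KEY_LEN = 32  # 256-bit symmetric key, the size the page asks for


def generate_key_file(path):
    """Write 32 random bytes to a new file that only the owner can read."""
    # O_EXCL refuses to overwrite an existing key; mode 0o600 applies at
    # creation, so the key is never briefly readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(KEY_LEN))


def check_key_file(path):
    """Local pre-upload checks (assumed, not Atlan's validation rules).
    Returns a list of problems; an empty list means none were found."""
    with open(path, "rb") as f:
        data = f.read()
    problems = []
    if len(data) != KEY_LEN:
        problems.append(f"length is {len(data)} bytes, expected {KEY_LEN}")
    if data.startswith(b"-----BEGIN"):
        problems.append("PEM-encoded material, not a raw symmetric key")
    elif data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        problems.append("printable text only (passphrase, hex or base64?)")
    mode = os.stat(path).st_mode
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is accessible to group or others")
    return problems


def fingerprint(path):
    """Hypothetical helper: SHA-256 of the file, to confirm backups match."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


if __name__ == "__main__":
    # Demo in a throwaway directory; the file name follows the page's examples.
    key_path = os.path.join(tempfile.mkdtemp(), "atlan-cmk.key")
    generate_key_file(key_path)
    print("problems:", check_key_file(key_path) or "none")
    print("sha256 :", fingerprint(key_path))
```

Comparing the fingerprint of each backup copy against the original confirms the backups are byte-identical without displaying the key itself.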
Remove customer managed keys
To revert to Atlan-managed keys, raise a support request. Atlan support coordinates the migration back to platform-managed encryption.
Need help?
For setup, activation, rotation, or removal, contact Atlan support.