Managing Secret Keys
The InCountry Portal lets you create secret keys that are used for data encryption by InCountry REST API. You need to generate new secret keys for security purposes when you are extensively writing data records to InCountry Platform.
Besides using the secret keys provisioned by InCountry, you can register your own keys. Please check our Bring Your Own Key (BYOK) documentation for requirements for key generation.
You can register you plain or AWS KMS keys. All keys must be a Base64 encoded AES-256 key.
note
This section becomes visible only once you have set up at least one integration.
On the sidebar, select Secret Keys Management. The Secret Keys Management page opens, as follows:
Here on the page, you can select a specific environment and country which secret keys you want to view.
For each secret key, you can find the following information:
Name - name of the key.
Created - date and time when a secret key was created.
Created by - email of the user who generated a secret key.
Deprecated - date and time when a secret key was deprecated.
Generating a new InCountry secret key
On the Secret Keys Management page, select the environment and country which you want to generate a new secret key for.
In the Generate new secret key form, select Use InCountry Key Management.
Click Generate New Secret Key.
In the Generate new secret key form, enter the secret key name.
Click Generate.
Enter the confirmation code and click Confirm.
A new secret key appears on the list and it will be written automatically to the configuration of InCountry REST API.
note
Please consider the following when generate a new secret key:
A newly generated secret key will be used for encryption of data records in InCountry Platform.
The prior secret keys will be preserved for decryption of older data records to maintain the compatibility.
You can generate up to three secret keys for each environment and for each country per day.
Generating a new plain secret key
On the Secret Keys Management page, select the environment and country which you want to generate a new secret key for.
In the Generate new secret key form, select Use Manual Key Management.
In the Generate new secret key form, specify the following information:
Secret key type - select Plain from the list.
Secret key name - enter the name of the secret key.
Plain encryption key - enter your encryption key (Base-64 encoded AES-256 key).
When complete, click Generate.
Enter the confirmation code and click Confirm.
A new secret key appears on the list. Please contact the InCountry team to register this secret key in the configuration of your REST API.
Generating a new AWS KMS secret key
On the Secret Keys Management page, select the environment and country which you want to generate a new secret key for.
In the Generate new secret key form, select Use Manual Key Management.
In the Generate new secret key form, specify the following information:
Secret key type - select AWS from the list.
Secret Key name - enter the name of the secret key.
Region - specify the AWS region which is used for AWS KMS.
Encrypted key - enter the encrypted key.
Customer managed key (CMK) ARN - enter the customer manager key you created in AWS.
IAM access key ID - enter the access key ID.
IAM secret key - enter the IAM secret key.
When complete, click Generate.
Enter the confirmation code and click Confirm.
A new secret key appears on the list. Please contact the InCountry team to register this secret key in the configuration of your REST API.