Bring Your Own Key for Tokenization
ALTR offers the capability for you to control the encryption keys used for tokenization through the use of your own AWS Key Management Service (AWS KMS) encryption keys. This capability enables you to maintain control over your tokenized data, reserving the right to revoke ALTR’s access to your token vault.
ALTR uses encryption to protect your data in our SaaS token vault. Each ALTR organization (tenant) has its own unique key, which is protected by an ALTR-owned AWS KMS key. Organizations using BYOK elect to replace the ALTR-owned AWS KMS key with a client-owned AWS KMS key.
While ALTR has access to the key that you've supplied, it is able to provide tokenization operations. If you revoke access to your key, then ALTR will no longer be able to encrypt or decrypt your token vault. To maintain performance of tokenization operations, ALTR caches certain decrypts for up to 60 minutes.
To use BYOK in tokenization, you must share AWS KMS keys with ALTR. To do this, you will need to follow the steps below.
The screenshots below provide a visual explanation of how to prepare the encryption keys.
For more information about configuring AWS KMS policies, refer to the AWS KMS documentation.
Revoked Access
Question: What happens if an organization revokes ALTR’s access to the AWS KMS key?
Answer: ALTR will no longer be able to access the organization’s tokenized data. Any call to ALTR’s tokenization API for that organization will return an error.
Question: How long does it take for ALTR to lose access to an organization’s token vault once key access is revoked?
Answer: It can take up to 60 minutes for cached information to expire, at which point ALTR will lose access to decrypt an organization’s token vault. After a key is revoked, read and write behavior will fail intermittently until all caches expire.
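As an added example (not ALTR's or AWS's code), the following Python check reads a KMS key policy document, reports which cryptographic actions its Allow statements still give to an external account, and applies the 60-minute cache window from the answer above. The account IDs, the action list and the sample policies are constructed placeholders; the principal and permissions ALTR actually requires are not stated on this page.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

CACHE_TTL = timedelta(minutes=60)   # from the page: decrypts cached for up to 60 minutes
CRYPTO_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")  # assumed set
OWNER, VENDOR = "111122223333", "444455556666"   # placeholder account IDs

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_account(principal, account_id):
    """True if a statement's Principal element includes the given account."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for arn in _as_list(principal.get("AWS", [])):
        parts = arn.split(":")          # arn:partition:iam::ACCOUNT:resource
        if arn in ("*", account_id) or (len(parts) > 4 and parts[4] == account_id):
            return True
    return False

def allowed_actions(policy, account_id):
    """Crypto actions the key policy's Allow statements give to account_id.
    Deny statements, Condition blocks and KMS grants are not evaluated."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _covers_account(stmt.get("Principal"), account_id):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in CRYPTO_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted

def revocation_effective_at(policy_changed_at):
    """Latest time at which cached decrypts can still be served after revocation."""
    return policy_changed_at + CACHE_TTL

def _stmt(account, actions):   # helper for building the constructed samples
    return {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": actions, "Resource": "*"}

# Constructed sample key policies: before and after removing the vendor statement.
POLICY_SHARED = {"Version": "2012-10-17", "Statement": [
    _stmt(OWNER, "kms:*"),
    _stmt(VENDOR, ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"])]}
POLICY_REVOKED = {"Version": "2012-10-17", "Statement": [_stmt(OWNER, "kms:*")]}

if __name__ == "__main__":
    changed = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    print("before:", sorted(allowed_actions(POLICY_SHARED, VENDOR)))
    print("after: ", sorted(allowed_actions(POLICY_REVOKED, VENDOR)))
    print("treat vendor access as ended at:", revocation_effective_at(changed))
```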
Multiple AWS KMS Keys
Question: Can an organization use multiple AWS KMS keys?
Answer: ALTR only supports one AWS KMS key per ALTR organization.
Key Rotation
Question: Does ALTR support key rotation for client-supplied keys?
Answer: Yes. However, this requires additional action from ALTR at the time the key is rotated. For more information on client-supplied key rotation, please email support@altr.com.