ALTR lets you control the encryption keys used for tokenization by supplying your own AWS Key Management Service (AWS KMS) keys (bring your own key, BYOK). Because the key lives in your AWS account, you retain control over your tokenized data and can revoke ALTR's access to your token vault.
ALTR encrypts the data in its SaaS token vault. Each ALTR organization (tenant) has its own unique vault key, and that per-tenant key is in turn protected by an AWS KMS key; by default the KMS key is owned by ALTR. Organizations using BYOK replace the ALTR-owned AWS KMS key with a client-owned AWS KMS key.
As long as ALTR has access to the key you supply, it can perform tokenization operations. If you revoke access to that key, ALTR can no longer encrypt or decrypt your token vault. To keep tokenization performant, ALTR caches the results of certain decrypt calls for up to 60 minutes, so revocation does not take full effect instantly (see the questions below).
To use BYOK for tokenization, you must share an AWS KMS key with ALTR by following the steps below.
The screenshots below provide a visual explanation of how to prepare the encryption keys.
For more information about configuring AWS KMS policies, refer to the AWS KMS documentation.
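The sharing step above comes down to a key policy on your customer-managed KMS key that lets the provider's principal use the key without administering it, and revocation comes down to removing that statement again. The following Python is an added example, not ALTR's code or its documented procedure: it builds that policy, audits it for over-broad grants before you apply it, and strips the provider statement for revocation. The provider account ID, role name and statement Sid are placeholders; substitute the principal ALTR gives you.

```python
"""Build, audit and revoke the AWS KMS key-policy statement that shares a
customer-managed key with a tokenization provider (BYOK).

Added illustration, not ALTR's code. PROVIDER_PRINCIPAL and PROVIDER_SID are
placeholders (assumptions); substitute the values your provider gives you.
"""
import copy
import json

# Placeholder for the provider's IAM principal, not ALTR's real account/role.
PROVIDER_PRINCIPAL = "arn:aws:iam::111122223333:role/tokenization-vault"
PROVIDER_SID = "AllowTokenizationProviderKeyUse"

# The only actions a vault needs for envelope encryption: wrap/unwrap data
# keys and read key metadata. No administrative or deletion rights.
ALLOWED_PROVIDER_ACTIONS = frozenset({
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
})


def owner_root_arn(owner_account: str) -> str:
    return f"arn:aws:iam::{owner_account}:root"


def base_key_policy(owner_account: str) -> dict:
    """Key policy keeping full administration with the key owner's account.
    Keep this statement: removing it can lock you out of your own key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnableKeyOwnerAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": owner_root_arn(owner_account)},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }


def revoke_provider(policy: dict) -> dict:
    """Copy of the policy without the provider statement. Applying it cuts
    the provider off at KMS; its decrypt cache may keep working for up to
    60 minutes afterwards (per the page), after which every call fails."""
    revoked = copy.deepcopy(policy)
    revoked["Statement"] = [
        s for s in revoked["Statement"] if s.get("Sid") != PROVIDER_SID
    ]
    return revoked


def share_with_provider(policy: dict, principal: str = PROVIDER_PRINCIPAL) -> dict:
    """Copy of the policy with the provider's use statement added.
    Idempotent: an existing provider statement is replaced, not duplicated."""
    shared = revoke_provider(policy)
    shared["Statement"].append({
        "Sid": PROVIDER_SID,
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": sorted(ALLOWED_PROVIDER_ACTIONS),
        "Resource": "*",
    })
    return shared


def provider_has_access(policy: dict) -> bool:
    return any(s.get("Sid") == PROVIDER_SID for s in policy["Statement"])


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principals(statement: dict) -> list:
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)  # a bare "*" means every AWS principal


def audit_provider_access(policy: dict, owner_account: str) -> list:
    """Findings for Allow grants to anyone but the owner's root that exceed
    ALLOWED_PROVIDER_ACTIONS or use a wildcard principal. Run this before
    put-key-policy: a stray "kms:*" would let the provider administer or
    delete your key, which defeats the point of BYOK."""
    findings = []
    owner = owner_root_arn(owner_account)
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        actions = set(_as_list(s.get("Action", [])))
        excess = sorted(a for a in actions if a not in ALLOWED_PROVIDER_ACTIONS)
        for p in _principals(s):
            if p == owner:
                continue
            if p == "*":
                findings.append(f"{s.get('Sid')}: wildcard principal")
            if excess:
                findings.append(f"{s.get('Sid')}: {p} granted {excess}")
    return findings


def render_policy(policy: dict) -> str:
    """JSON for: aws kms put-key-policy --key-id <id> --policy-name default \
    --policy file://key-policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    owner = "123456789012"  # placeholder owner account ID
    shared = share_with_provider(base_key_policy(owner))
    print(audit_provider_access(shared, owner))  # [] when least-privilege
    print(render_policy(shared))
```

Write the rendered JSON to a file and apply it with the `aws kms put-key-policy` command in the docstring; re-run `audit_provider_access` on the policy you fetch back with `aws kms get-key-policy` so you check what AWS actually stored. Editing the policy is one way to revoke; disabling the key with `aws kms disable-key` also stops all Encrypt and Decrypt calls, and in both cases the page's 60-minute cache window applies before ALTR loses access completely.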
Question: What happens if an organization revokes ALTR’s access to the AWS KMS key?
Answer: ALTR will no longer be able to access the organization’s tokenized data. Any call to ALTR’s tokenization API for that organization will return an error.
Question: How long does it take for ALTR to lose access to an organization’s token vault once key access is revoked?
Answer: Up to 60 minutes, the lifetime of ALTR's decrypt cache. After access to the key is revoked, reads and writes fail intermittently, because operations served from cached decrypts still succeed while those that need a fresh KMS call do not, until every cached entry has expired; from then on ALTR cannot decrypt the organization's token vault at all.
Multiple AWS KMS Keys
Question: Can an organization use multiple AWS KMS keys?
Answer: ALTR only supports one AWS KMS key per ALTR organization.
Question: Does ALTR support key rotation for client-supplied keys?
Answer: Yes. However, rotating a client-supplied key requires additional action from ALTR at the time of rotation, so coordinate the rotation with ALTR before you perform it. For more information on client-supplied key rotation, please email email@example.com