Overview
LinkSquares uses Amazon Web Services (AWS) Key Management Service to manage the encryption of your LinkSquares Analyze account.
If you do not wish for LinkSquares to have access to your data within AWS, this access can be immediately removed (and restored) at any time.
To learn more about AWS Key Management Service, reference this web page on AWS Key Management Service.
To learn more about generating encryption keys within AWS, reference this web page on Creating keys.
Process
Administrators oversee the encryption settings within their Analyze account.
By default, LinkSquares owns the encryption key as the key authority. However, Administrators have the option for their organization to self-manage this encryption key.
To view or modify encryption settings, complete the following steps.
1. To begin, go to Settings from the app selector.
2. Select Analyze App.
3. Go to the Encryption tab.
The Encryption tab enables organizations to determine whether LinkSquares should own the encryption key or if they would like to self-manage and own this key.
LinkSquares owning the key means that the encryption key for data is on file and in our system.
If your organization wishes to self-manage the encryption key, please contact support@linksquares.com to enable self-managed encryption.
Once self-managed encryption is enabled, click the drop-down and change the Key Authority from LinkSquares to Self-Managed.
If this key is disabled or deleted and LinkSquares’ access as key authority gets revoked, LinkSquares will not be able to recover your data.
If you have enabled self-managed encryption keys and would like LinkSquares to own the key going forward, please revert your key authority to LinkSquares before revoking access to the encrypted data.
Self-Managing AWS Encryption Keys
Some customers may prefer to manage their own keys. To do so, follow the instructions below.
Creating Encryption Key in AWS
Start by navigating to your organization’s AWS account.
Go to Key Management Service (KMS) within AWS.
From the Key Management Service page, click Create key in the upper right-hand corner.
From here, ensure the Symmetric and Encrypt and decrypt bubbles are marked.
Expand the Advanced options.
Select the KMS and the Single-Region key bubbles. The latter means the key will be generated within the organization’s region (in this case, us-east-1).
Note: If your data lives within the us-east-1 region, the key must be created within us-east-1 as well. The data and the key must live within the same region.
Click Next once complete.
From here, determine the name for the key within the Alias field. Add an optional description and tags to categorize and identify the key if needed.
Note: These details can be changed at any time.
Click Next once complete.
From here, your organization may want to add administrators and define key usage permissions.
Click Next once complete.
After reviewing the details of the key configuration, click Finish.
A green success banner will appear at the top of the page.
The key will now populate within KMS > Customer managed keys. The key will be labeled via the outlined alias.
Once located, select the newly-created key.
From here, copy the ARN within the General configuration section at the top.
Take the copied ARN and paste it into the Encryption Key ARN field within the Encryption tab.
Note: The drop-down must have Self-Managed selected for this field to populate.
Click CHECK CONNECTION once the ARN has been input.
You will see an AWS Organization ID appear for you to grant access to LinkSquares.
Granting LinkSquares Access
To grant external access to LinkSquares, copy LinkSquares’ AWS Organization ID from the Encryption tab.
Within the key details page in AWS, scroll down and locate the Other AWS accounts section.
Click Add other AWS accounts.
Input LinkSquares’ AWS Organization ID within the open field in the dialog box.
Click Save changes once complete.
This gives LinkSquares permission to access this key.
Within the Encryption tab, click CHECK CONNECTION again.
Click the orange PROCESS ENCRYPTION button that appears.
A progress bar will populate, indicating that agreement encryption is being processed.
Once the encryption is complete, the page will update with the status, quantity of agreements encrypted, when the key was last changed, and which user changed it.
Removing LinkSquares' Access
After providing access, you may wish to remove LinkSquares’ access to the encryption key at some point.
To do this, locate the Other AWS accounts section within the key details page in AWS.
Click Add other AWS accounts.
Next, click Remove within the dialog box.
Click Save changes once complete.
LinkSquares’ access has been removed. The encryption now lives with the key that you generated.
This means that if you were to attempt to access and/or download original agreement files within LinkSquares Analyze, you would be unable to do so.
You would, however, be able to see the plain text versions of agreements.
To re-enable LinkSquares’ access, re-add LinkSquares’ AWS Organization ID to the Other AWS accounts section.
By doing this, agreement data immediately becomes accessible again.
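The Other AWS accounts section edits the key policy, so the policy text is where you can confirm which outside principals can use the key after granting or removing access. The following is an added example, not LinkSquares' or AWS's own code: it assumes you have the key policy as JSON (for instance from aws kms get-key-policy), and the account IDs, role name and key ID in the sample are constructed placeholders.

```python
import json

# Constructed sample: the shape of a key policy after an outside account has
# been added in the console. Account IDs, role and key ID are placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/KeyUser",
                               "arn:aws:iam::222222222222:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})


def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def parse_key_arn(arn):
    """Return (region, account_id) from arn:aws:kms:REGION:ACCOUNT:key/ID."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/"):
        raise ValueError("not a KMS key ARN: " + arn)
    return parts[3], parts[4]


def external_access(policy_json, key_arn):
    """Map each principal outside the key's account to its allowed actions."""
    _, owner = parse_key_arn(key_arn)
    found = {}
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "*" (any principal) is reported too; it is broader than one account.
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in arns:
            # Principals appear as a full ARN or as a bare 12-digit account ID.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account != owner:
                found.setdefault(p, set()).update(as_list(stmt.get("Action", [])))
    return {p: sorted(a) for p, a in found.items()}
```

An empty result after the removal steps means no principal outside the key's own account is still allowed by the policy; parse_key_arn also returns the key's region, which can be compared with the region where your data lives.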
Re-Enabling LinkSquares' Key Ownership
Prerequisites
To re-enable LinkSquares’ ownership of the encryption key, you must ensure that LinkSquares still has permission to access the old self-managed key within AWS.
After doing so, click the drop-down within the Encryption tab and select LinkSquares.
Click PROCESS within the dialog box.
This allows LinkSquares to view the data with your organization's key and change it to a key that LinkSquares creates. From here, the key is swapped out.
Ensure that the old key is not deleted before giving LinkSquares access to the new key. If the old key is deleted first, LinkSquares cannot change the data to the new key.
You will have to create another key following the same process outlined above. Before you remove LinkSquares’ access or delete this key, you need to convert LinkSquares to the new key.
To do this, update the ARN of the new key within the Encryption tab. Once the process has been finalized and agreements are fully encrypted with the new key, LinkSquares’ access can be removed within AWS.
As long as LinkSquares has access to both keys, LinkSquares can assist in managing the data.