Data Encryption
When you send documents to the index API or file upload API, Vectara indexes both the document text and metadata. If you choose the “textless” option (Scale users) for corpus creation, Vectara converts the document text into vectors for indexing but does not store the text anywhere in the platform. However, metadata is always stored.
For the safety of your data, Vectara always stores your text and metadata in an encrypted format. By default this encryption uses Vectara's own encryption key to encrypt your data (text and/or metadata).
For Scale accounts Vectara also allows you to use your own AWS KMS encryption key so that you have full control over how your data is encrypted. If you would like to do so, follow the instructions below.
If you use your own key and at some point disable your AWS KMS key, there is no way to encrypt or decrypt your data so your corpus will not be queryable by anyone until you enable the key back.
You can disable and enable your KMS key to resume service but you should be very careful when removing your AWS KMS key as this is a permanently destructive action. If you remove the AWS KMS key entirely, neither you nor Vectara will be able to recover that encryption key, which also means any Vectara corpora depending on that key will be inaccessible forever.
Create your AWS KMS key
KMS keys are only available to Scale plan accounts. If you need help with setting up your customer-managed key, reach out to support.
To create an AWS KMS key:
- Go to KMS on the AWS Console
- Select Customer Managed Keys
- Select Create key.
- Set Key Type to "Symmetric" and Key Usage to “Encrypt and decrypt”.
- In the Advanced options:
- Ensure that "KMS" is selected for the Key material origin.
- For the regionality:
- Both “Single-Region key” and “Multi-Region key” are ok if the key
is created in the
us-west-2
region. - If the key is not created in
us-west-2
, it needs to be created as a "Multi-Region key." Then, after creating the key, go to the Regionality tab and create a replica key inus-west-2
by clicking Create new replica keys.
- Both “Single-Region key” and “Multi-Region key” are ok if the key
is created in the
- Eventually, the created key’s ARN should start with
arn:aws:kms:us-west-2
- On the “Define key usage permissions” step of the key creation wizard, you
should see the “Other AWS Accounts” section at the bottom. Enter
941566284283
as the AWS ID (this is Vectara's production AWS account ID). You are giving permission to Vectara to use your key to encrypt and decrypt your indexed documents. - On the last “Review” step, update the following section and
update the ARN from
arn:aws:iam::941566284283:root
toarn:aws:iam::941566284283:role/prod-eks2021021409582096910000000b
The key should look like the following:
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::941566284283:role/prod-eks2021021409582096910000000b"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
The final step to creating the AWS KMS key to finish the key creation.
Attach your AWS KMS key to your account
In order to get Vectara to use your key, you must
contact Vectara Support. Send us the ARN for the KMS key
you created (starting with arn:aws:kms:us-west-2
).
The Vectara team will set up the configuration for you. In the future, you will be able to set the ARN on the Vectara Console and these instructions will be updated.
How the encryption key works
Once your AWS KMS key is configured in the platform, when encrypting your
document text or metadata, Vectara connects to your KMS
service to generate an encryption key. The encryption key provided by the KMS
is stored in-memory and used to encrypt and decrypt your data. The in-memory
key expires every hour. In turn, every hour Vectara
asks your AWS KMS to generate that encryption key again.