Skip to main content
Feedback

Boomi Key Management Service

Boomi's Key Management Service (KMS) allows you to encrypt environment extension-based secrets with a generated key to improve the security of your sensitive data. This key is managed by a Boomi-hosted HashiCorp Vault or Boomi-hosted AWS KMS.

After you mark an encrypted field (such as a password field) as extensible and save a value, the Boomi Enterprise Platform encrypts the value with a wrapped data key managed by Boomi's KMS. The key can only be viewed when the runtime needs to decrypt it. The decrypted value is sent to the runtime without being stored on the Boomi Enterprise Platform. After the runtime accesses the stored value, Boomi's KMS immediately re-encrypts the value with a new data key, which it then uses to encrypt the extensions variable. This new key is unique to the runtime and is not accessible by the platform.

The Boomi-hosted Vault instance is moving from HashiCorp to AWS for encrypting environment extension secrets. All accounts currently using the Boomi-hosted HashiCorp Vault instance will have to migrate to the Boomi-hosted AWS KMS. Any accounts planning to enroll in the Key Management Service should use the Boomi-hosted AWS KMS.

Vault-based encryption remains supported for backward compatibility, but the Boomi-hosted HashiCorp Vault option will be phased out over time. To setup or switch to the AWS KMS account feature, refer to the Enable or switch to Boomi-hosted AWS KMS section below.

Bring Your Own Vault

The Bring Your Own Vault (BYOV) feature is an optional capability you can use in addition to a Boomi-hosted Vault. Both Boomi-hosted HashiCorp Vault or Boomi-hosted AWS KMS account users can utilize the BYOV feature.

To use the Bring Your Own Vault feature, you will have to set up a separate HashiCorp Vault account. Refer to the Comparison table in the Boomi KMS vs. Bring Your Own Vault section to learn more about each vault type.

Boomi KMSt vs. Bring Your Own Vault

You have to use a Boomi-hosted HashiCorp Vault or Boomi-hosted AWS KMS to use Boomi's KMS. The Bring Your Own Vault feature is an optional addition to the Boomi KMS.

In BYOV (Bring Your Own Vault) mode, secrets are re-encrypted on the customer container by the customer’s own HashiCorp Vault. Bring Your Own Vault mode only supports HashiCorp vaults.

In both cases, the encryption in transit is handled by the Boomi-hosted vault. Refer to the comparison chart for more information.

Comparison

Boomi KMSBring Your Own Vault (Optional)
ConfigurationBoth the Boomi-hosted HashiCorp Vault and the Boomi-hosted AWS KMS are fully managed by Boomi. No additional setup is required once the KMS feature is activated.The vault supporting KMS on the transit side is fully managed by Boomi, but the container side vault is fully managed by the customer. Additional configuration and setup is required to enable this feature.
Container TypesSupported by Boomi's full suite of runtime offerings: Basic runtimes, runtime clusters and Clouds.Supported by customer-hosted and runtime clusters. Not available for Clouds.
EncryptionEncryption in transit and encryption at rest are both managed by the Boomi-hosted vault and data keys that it generates.Encryption in transit is managed by the Boomi-hosted vault. Encryption at rest is managed by the customer's vault and data keys that it generates.
Wrapped data key supportNot supported.Encryption at rest can be configured to use HashiCorp's wrapped data key feature. This ensures that the container always authenticates its access to the customer's vault before decrypting secrets.

Enable or switch to Boomi-hosted AWS KMS

  • New Users: Contact your Boomi account representative to activate the Boomi-hosted AWS KMS for your account.

  • Current HashiCorp Vault users: Have your Boomi account representative turn off that feature before enabling the Boomi-hosted AWS KMS.

  • Current Bring Your Own Vault (BYOV) users: Contact your Boomi account representative to activate the Boomi-hosted AWS KMS for your account. BYOV and the Boomi-hosted AWS KMS can both be active on the same account.

Configuring Bring your own Vault mode

By default, KMS uses a Boomi-hosted HashiCorp Vault or a Boomi-hosted AWS KMS for the platform and the runtime. You can configure your runtime to use your own HashiCorp vault on the Runtime Management settings page.

On your HashiCorp vault instance

  1. Enable HashiCorp Vault's transit secret's engine.

  2. Generate a transit encryption key on your vault instance with the following name pattern: accountID_containerID.

    • accountID is your Platform account ID.
    • containerID is an ID for the specific runtime container being configured.
  3. Enable the token authentication method.

  4. Create the following policy. The referenced transit key is generated in step 2.

    Java
    {
    "path" : {
    "transit/datakey/+/accountID_containerID" : {
    "capabilities" : [ "update" ]
    },
    "auth/token/lookup-self" : {
    "capabilities" : [ "read" ]
    },
    "auth/token/renew-self" : {
    "capabilities" : [ "update" ]
    }
    }
    }
  5. Create an authentication token with the policy that you created in step 4 attached.

On the Boomi Enterprise Platform

info

Key Management Service must be enabled on your account before you can configure a vault on a runtime. Contact your account administrator to add it to your account.

  1. In Runtime Management (Manage > Runtime Management), select the runtime for which you want to add your own vault.

  2. Under Settings & Configuration, select Key Management Service.

  3. Turn on the toggle for Bring Your Own Vault.

  4. Upload a properties file for your vault by clicking Choose a File and navigating to the location of the file. The file should be formatted similarly to the following example:

spring:
cloud:
vault:
uri: ${VAULT_URI}
namespace: ${VAULT_NAMESPACE}
authentication: token
token: ${AUTH_TOKEN}
session:
lifecycle:
enabled: true
expiry-threshold: 20s
refresh-before-expiry: 10s

  • token - The authentication token generated in step 5 of the vault setup process.
  • namespace - (Optional) The namespace can be set to root / or /admin.
  • uri - The URL to the HashiCorp Vault being used as the BYOV server.
  1. (Optional) Select the Wrapped Encryption Key checkbox to require the runtime to generate and use an encrypted data key.

  2. Click Save.

KMS settings page in the Boomi Enterprise Platform

Security Diagrams

Runtime Installation/KMS Activation with Boomi-hosted HashiCorp vault Boomi-hosted HashiCorp Vault

Runtime Installation/KMS Activation with Boomi-hosted AWS KMS Boomi-hosted AWS KMS Vault

Runtime Installation/KMS Activation with the BYOV feature Int Kms Byov

Saving an Environment Extension (this process is the same for both the Boomi-hosted and BYOV vaults )

Img Envr Extensions

Limitations

Boomi's KMS currently has the following limitations:

  • Boomi's KMS only encrypts environment extensions for connector properties with encrypted values. These fields are displayed in the UI as <Encrypted>
  • If KMS is disabled and then re-enabled, in most cases you must re-enter the values for the environment extension-based secrets.
On this Page