Boomi Key Management Service
Boomi's Key Management Service (KMS) allows you to encrypt environment extension-based secrets with a generated key to improve the security of your sensitive data. This key is managed by a Boomi-hosted HashiCorp Vault or Boomi-hosted AWS KMS.
After you mark an encrypted field (such as a password field) as extensible and save a value, the Boomi Enterprise Platform encrypts the value with a wrapped data key managed by Boomi's KMS. The key can only be viewed when the runtime needs to decrypt it. The decrypted value is sent to the runtime without being stored on the Boomi Enterprise Platform. After the runtime accesses the stored value, Boomi's KMS immediately re-encrypts the value with a new data key, which it then uses to encrypt the extensions variable. This new key is unique to the runtime and is not accessible by the platform.
The Boomi-hosted Vault instance is moving from HashiCorp to AWS for encrypting environment extension secrets. All accounts currently using the Boomi-hosted HashiCorp Vault instance will have to migrate to the Boomi-hosted AWS KMS. Any accounts planning to enroll in the Key Management Service should use the Boomi-hosted AWS KMS.
Vault-based encryption remains supported for backward compatibility, but the Boomi-hosted HashiCorp Vault option will be phased out over time. To setup or switch to the AWS KMS account feature, refer to the Enable or switch to Boomi-hosted AWS KMS section below.
Bring Your Own Vault
The Bring Your Own Vault (BYOV) feature is an optional capability you can use in addition to a Boomi-hosted Vault. Both Boomi-hosted HashiCorp Vault or Boomi-hosted AWS KMS account users can utilize the BYOV feature.
To use the Bring Your Own Vault feature, you will have to set up a separate HashiCorp Vault account. Refer to the Comparison table in the Boomi KMS vs. Bring Your Own Vault section to learn more about each vault type.
Boomi KMSt vs. Bring Your Own Vault
You have to use a Boomi-hosted HashiCorp Vault or Boomi-hosted AWS KMS to use Boomi's KMS. The Bring Your Own Vault feature is an optional addition to the Boomi KMS.
In BYOV (Bring Your Own Vault) mode, secrets are re-encrypted on the customer container by the customer’s own HashiCorp Vault. Bring Your Own Vault mode only supports HashiCorp vaults.
In both cases, the encryption in transit is handled by the Boomi-hosted vault. Refer to the comparison chart for more information.
Comparison
| Boomi KMS | Bring Your Own Vault (Optional) | |
|---|---|---|
| Configuration | Both the Boomi-hosted HashiCorp Vault and the Boomi-hosted AWS KMS are fully managed by Boomi. No additional setup is required once the KMS feature is activated. | The vault supporting KMS on the transit side is fully managed by Boomi, but the container side vault is fully managed by the customer. Additional configuration and setup is required to enable this feature. |
| Container Types | Supported by Boomi's full suite of runtime offerings: Basic runtimes, runtime clusters and Clouds. | Supported by customer-hosted and runtime clusters. Not available for Clouds. |
| Encryption | Encryption in transit and encryption at rest are both managed by the Boomi-hosted vault and data keys that it generates. | Encryption in transit is managed by the Boomi-hosted vault. Encryption at rest is managed by the customer's vault and data keys that it generates. |
| Wrapped data key support | Not supported. | Encryption at rest can be configured to use HashiCorp's wrapped data key feature. This ensures that the container always authenticates its access to the customer's vault before decrypting secrets. |
Enable or switch to Boomi-hosted AWS KMS
-
New Users: Contact your Boomi account representative to activate the Boomi-hosted AWS KMS for your account.
-
Current HashiCorp Vault users: Have your Boomi account representative turn off that feature before enabling the Boomi-hosted AWS KMS.
-
Current Bring Your Own Vault (BYOV) users: Contact your Boomi account representative to activate the Boomi-hosted AWS KMS for your account. BYOV and the Boomi-hosted AWS KMS can both be active on the same account.
Configuring Bring your own Vault mode
By default, KMS uses a Boomi-hosted HashiCorp Vault or a Boomi-hosted AWS KMS for the platform and the runtime. You can configure your runtime to use your own HashiCorp vault on the Runtime Management settings page.
On your HashiCorp vault instance
-
Enable HashiCorp Vault's transit secret's engine.
-
Generate a transit encryption key on your vault instance with the following name pattern:
accountID_containerID.accountIDis your Platform account ID.containerIDis an ID for the specific runtime container being configured.
-
Enable the token authentication method.
-
Create the following policy. The referenced transit key is generated in step 2.
Java
{
"path" : {
"transit/datakey/+/accountID_containerID" : {
"capabilities" : [ "update" ]
},
"auth/token/lookup-self" : {
"capabilities" : [ "read" ]
},
"auth/token/renew-self" : {
"capabilities" : [ "update" ]
}
}
} -
Create an authentication token with the policy that you created in step 4 attached.
On the Boomi Enterprise Platform
Key Management Service must be enabled on your account before you can configure a vault on a runtime. Contact your account administrator to add it to your account.
-
In Runtime Management (Manage > Runtime Management), select the runtime for which you want to add your own vault.
-
Under Settings & Configuration, select Key Management Service.
-
Turn on the toggle for Bring Your Own Vault.
-
Upload a properties file for your vault by clicking Choose a File and navigating to the location of the file. The file should be formatted similarly to the following example:
spring:
cloud:
vault:
uri: ${VAULT_URI}
namespace: ${VAULT_NAMESPACE}
authentication: token
token: ${AUTH_TOKEN}
session:
lifecycle:
enabled: true
expiry-threshold: 20s
refresh-before-expiry: 10s
token- The authentication token generated in step 5 of the vault setup process.namespace- (Optional) The namespace can be set to root/or/admin.uri- The URL to the HashiCorp Vault being used as the BYOV server.
-
(Optional) Select the Wrapped Encryption Key checkbox to require the runtime to generate and use an encrypted data key.
-
Click Save.

Security Diagrams
Runtime Installation/KMS Activation with Boomi-hosted HashiCorp vault

Runtime Installation/KMS Activation with Boomi-hosted AWS KMS

Runtime Installation/KMS Activation with the BYOV feature

Saving an Environment Extension (this process is the same for both the Boomi-hosted and BYOV vaults )

Limitations
Boomi's KMS currently has the following limitations:
- Boomi's KMS only encrypts environment extensions for connector properties with encrypted values. These fields are displayed in the UI as
<Encrypted> - If KMS is disabled and then re-enabled, in most cases you must re-enter the values for the environment extension-based secrets.