Illumina Connected Software

Bring Your Own Key

Bring your own key is only available for Enterprise level support accounts and require Illumina support for setup

Scope

Bring Your Own Key (BYOK) is a security feature that allows clients to use their own encryption keys to protect their data. This ensures that clients maintain control over their encryption keys and, consequently, their data. Only Enterprise level support accounts can access this feature, and it requires assistance from Illumina support for setup.

Supported Key Management Services

Illumina supports integration with popular Key Management Services (KMS) such as Azure Key Vault and AWS KMS for managing your encryption keys. This integration allows clients to use their existing key management solutions for generating, storing, and managing their keys securely.

Azure Key Vault

Azure Key Vault is a cloud service that provides a secure way to store and manage sensitive information like API keys, passwords, and certificates. It offers robust features for key management, including key generation, storage, and lifecycle management.

AWS KMS

AWS Key Management Service (KMS) allows you to create and control encryption keys used to encrypt your data across a wide range of AWS services and applications. It provides centralized management of encryption keys and integrates seamlessly with other AWS services.

These integrations ensure robust key management capabilities and enhance the security of your data through a combination of Illumina's BYOK feature and your preferred KMS provider.

Risk of Losing a Key

Losing the encryption key means that all data encrypted with that key will be inaccessible. This can lead to permanent loss of access to crucial information. It is imperative that clients securely store and manage their keys to prevent such risks.

Setup

Azure Key Vault Setup

The API server will encrypt the client's information before storing it in a database and decrypt that information when needed (e.g., running the pipeline). The key vault is managed by the customer. The customer needs to provide the following information.

Please see below instructions on how to get or create it

Application Tokens:

  • Client Id

  • Client Secret

  • Tenant Id

The key information:

  • Key URL

Create a new Application

  1. Navigate to App registration

  2. Register a new application, click “Register”

  3. When you created the app, please copy Application (client) ID and Directory (tenant) ID

  4. Go to Certificates and secrets (in the left menu)

  5. Press “New client secret” and provide the “Value”

Please note the expiration date of the secret, as once expired it will impair our system.

Create a new Key

  1. Press New Key (Create key vault)

  2. Specify key vault name, region (ie. East US) and pricing tier

  3. Click “Next” to Access Policies

  4. Press “Add access policy” and set Key permissions:

    1. Key Management Operations: -

    2. Cryptographic Operations: Decrypt, Encrypt, Unwrap Key, Wrap Key

  5. Then set Secret permissions:

    1. Secret Permission: Get

    2. Select principal: select the application you created before (in Create a new Application step)

  6. Finish with “Review + create”

Find key details

  1. Navigate to the newly created Key vault

  2. Select keys on the left side, select the key

  3. Select the current version and copy “Key Identifier” https://<key-vault-name>.vault.azure.net/keys/<key-name>/<key-version>\

AWS Key Management Service (KMS) Setup

Description is coming soon.

Please reach out to [email protected] to get help with this setup.

Architecture

The API server will encrypt the client's information before storing it in a database and decrypt that information when needed (e.g., running the pipeline). The key vault is managed by the client, and Emedgene will only be provided with access to encrypt/decrypt functions in that key vault. This guarantees that the clients controls access to the information.

Illustration of data flow when creating a case in Emedgene platform:

Drawing
Creating a case in emedgene platform

Illustration of data flow when reading a case data from emedgene platform:

Drawing
Reading a case data from emedgene platform

A preliminary step to this solution is having a key vault owned by the client, and a key that Emedgene is given access to.

The client will create an access policy in the key vault of type “Application” and provide the matching key and secret to Emedgene. The access policy must contain permissions to perform encrypt and decrypt actions.

In order for Emedgene to integrate with the key, depending on the key vault provider, the client needs to provide the following information:

  • Client Id

  • Client Secret

  • Tenant Id

  • Key vault name

  • Key name

Searching Encrypted Fields

Since some of our platform search capabilities run directly on the DB, we can’t directly search any data that is encrypted. To overcome this, we will implement a hashing search functionality as follows.

  • The case data will still be fully encrypted in the DB as it is today

  • Specific fields we want to make “searchable” - as defined by the customer, we will save their hash value alongside the encrypted data.

  • Hashing will be done using SHA-256, and will include a secure random generated salt of 32 characters, which will be added to the value.

  • The salt is unique and will not be used anywhere else in the platform.

  • When the user enters a string to search, we will hash that value using all the salt values, and search those hash values.

Illustration of data flow when searching in Emedgene platform:

Drawing

Illustration of data flow when creating a case with searchable field in Emedgene platform:

Drawing

Appendix

Appendix: Control flows text

Write:

Client->Emedgene API: Add New Test Request 
note right of Emedgene API: Process Request 
Emedgene API->Key Vault: PHI 
note right of Key Vault: Encrypt 
Key Vault->Emedgene API: Encrypted PHI 
Emedgene API->Emedgene DB: Store Encrypted PHI

Read

Client->Emedgene API: Get Test Request 
emedgene DB->Emedgene API: Encrypted PHI 
Emedgene API->Key Vault: Encrypted PHI 
note right of Key Vault: Decrypt 
Key Vault->Emedgene API: Decrypted PHI 
Emedgene API->Client: Decrypted PHI

Write Searchable

Client->Emedgene API: Add New Test Request 
note right of Emedgene API: Process Request 
Emedgene API->Key Vault: PHI 
note right of Key Vault: Encrypt 
Key Vault->Emedgene API: Encrypted PHI 
Emedgene API-> Emedgene DB: Get Salt 
Emedgene API-> Emedgene API: Hash Value using Salt 
Emedgene API->Emedgene DB: Store Encrypted PHI + Hashed value

Read Searchable

Client->Emedgene API: Search string 
Emedgene API->AWS Secrets: Get Salt 
Emedgene API-> Emedgene API: Hash string using Salt 
Emedgene API->Emedgene DB: Search hashed string 
Emedgene DB->Emedgene API: Search results 
Emedgene API->Client: Search results
PreviousBring Your Own BucketNextSupported variant callers

Last updated

Was this helpful?