Customer Managed Encryption Keys

Applies to

Smartsheet Advance Package (Requires Enterprise Plan)

Capabilities

Who can use this capability

Customers that have purchased a package that includes CMEK have access to this feature. To find out about packages that include CMEK, contact our Sales team or your Smartsheet representative.

NOTE: To use this feature, you will also need an active AWS Key Management Service plan.

By default, Smartsheet uses encryption to safeguard your data and help you maintain control over it. With Customer Managed Encryption Keys (CMEK) you can add an additional layer of encryption to your Smartsheet data contained in cells and columns of sheets (Customer Data) using a key that is stored within Amazon Web Services’ Key Management Service (KMS). This encryption key is owned and managed by you, giving you full control over such data.

Custom Managed Encryption Key

Who are Customer Managed Encryption Keys for?

CMEKs are useful for organizations that have sensitive or regulated data that requires them to manage their own encryption keys. With CMEKs, eligible customers can use Smartsheet while maintaining full control over Customer Data stored in the Smartsheet application.

How do Customer Managed Encryption Keys work?

All data stored by Smartsheet is encrypted with 256-bit AES encryption at-rest, using Smartsheet’s  encryption keys. CMEKs provide an additional layer of 256-bit AES encryption on Customer Data using customer controlled Customer Master Keys (CMKs) within AWS Key Management System (KMS). In turn, this transfers control over the accessibility of Customer Data stored in Smartsheet to the customer.

Customers with CMEK enabled can revoke Smartsheet’s access to the Customer Data at any time. By destroying the CMK in AWS KMS, customers can effectively delete Customer Data from Smartsheet systems. 

Enabling Smartsheet CMEK with AWS Key Management Service

Once you’ve purchased the CMEK add-on, you can begin the process of configuring key sharing in AWS KMS. Our enablement team will work with your internal technical resources to enable the CMEK feature. The process for enabling the CMEK feature includes the following steps:

  1. Obtain needed details for configuring a CMK from Smartsheet.
  2. Configure the CMK in AWS KMS.
  3. Provide the Amazon Resource Name (ARN) to Smartsheet to complete the configuration steps.

Once the enablement process is complete, all newly created Customer Data will be CMEK encrypted. Existing Customer Data will remain accessible and will be encrypted through a  data migration process. You will be notified when this process has completed. 

Frequently Asked Questions

What happens if a CMEK is Deleted?

If a CMK used with Smartsheet CMEK is deleted, it cannot be recovered and Smartsheet will be unable to decrypt the associated Customer Data. Under these circumstances, the Customer Data in Smartsheet is effectively lost, so it is critical to ensure AWS KMS management processes are in place to avoid accidental deletion of CMKs.

What should we do if the CMK in AWS KMS has been scheduled for deletion?

You will need to reprovision the CMK in AWS KMS. In some instances, if the waiting period defined in your AWS KMS console for key deletion has passed, it may not be possible to regain access to Customer Data that was encrypted using the deleted key. For more information on deletion of CMKs in AWS KMS, please refer to Deleting customer master keys - AWS Key Management Service.

How should CMKs used for CMEK be maintained in AWS KMS?

You will want to ensure that you have processes in place to avoid accidental deletion of CMKs used for Smartsheet CMEK within AWS KMS. If a CMK used for Smartsheet data encryption is deleted, the associated Customer Data will be unrecoverable.

Is CMEK available in Smartsheet Gov?

No - currently this feature is only available in Smartsheet Commercial.

What data in Smartsheet is encrypted with CMEK?

Cell data and column data (defined above in this article as Customer Data) is typically critical or sensitive data and can be encrypted with CMEK. Other data including images, attachments, discussions, and proofs are encrypted with data-at-rest and in-transit and cannot be encrypted with CMEK at this time.

What type of Customer Master Key (CMK) rotation does Smartsheet support?

Smartsheet supports auto-rotation of CMKs through AWS KMS. Smartsheet does not support manual rotation of CMKs. For additional information on how to enable auto rotation of CMKs in AWS KMS, please see Rotating customer master keys - AWS Key Management Service.