Who can use this capability
Customer Managed Encryption Keys
By default, Smartsheet uses encryption to safeguard your data and help you maintain control over it.
With Customer Managed Encryption Keys (CMEK), you can add an additional layer of encryption to your Smartsheet data contained in cells and columns of sheets (customer data) using a key that is stored within Amazon Web Services’ Key Management Service (KMS). This encryption key is owned and managed by you, giving you full control over such data.
Who are CMEKs for?
CMEKs are useful for organizations that have sensitive or regulated data that requires them to manage their own encryption keys. With CMEKs, eligible customers can use Smartsheet while maintaining full control over customer data stored in the Smartsheet application.
How do CMEKs work?
All data stored by Smartsheet is encrypted with 256-bit AES encryption at-rest, using Smartsheet’s encryption keys. CMEKs provide an additional layer of 256-bit AES encryption on customer data using customer controlled Customer Master Keys (CMKs) within AWS Key Management System (KMS). In turn, this transfers control over the accessibility of customer data stored in Smartsheet to the customer.
Customers with CMEK enabled can revoke Smartsheet’s access to the customer data at any time. By destroying the CMK in AWS KMS, customers can effectively delete customer data from Smartsheet systems.
To enable Smartsheet CMEK with AWS KMS
Once you’ve purchased the CMEK add-on, you can begin the process of configuring key sharing in AWS KMS. Our enablement team will work with your internal technical resources to enable the CMEK feature.
- Obtain needed details for configuring a CMK from Smartsheet.
- Configure the CMK in AWS KMS.
- Provide the Amazon Resource Name (ARN) to Smartsheet to complete the configuration steps.
Once the enablement process is complete, all newly created customer data will be CMEK-encrypted. Existing customer data will remain accessible and will be encrypted through a data migration process. You will be notified when this process is completed.
What happens if a CMEK is deleted?
If a CMK used with Smartsheet CMEK is deleted, it can't be recovered and Smartsheet will be unable to decrypt the associated customer data. Under these circumstances, customer data in Smartsheet is effectively lost, so it's critical to ensure AWS KMS management processes are in place to avoid accidental deletion of CMKs.
What should we do if the CMK in AWS KMS has been scheduled for deletion?
You will need to reprovision the CMK in AWS KMS. In some instances, if the waiting period defined in your AWS KMS console for key deletion has passed, it may not be possible to regain access to customer data that was encrypted using the deleted key. For more information on deletion of CMKs in AWS KMS, refer to Deleting customer master keys - AWS Key Management Service.
How should CMKs used for CMEK be maintained in AWS KMS?
You will want to ensure that you have processes in place to avoid accidental deletion of CMKs used for Smartsheet CMEK within AWS KMS. If a CMK used for Smartsheet data encryption is deleted, the associated customer data will be unrecoverable.
Is CMEK available in Smartsheet Gov?
No. Currently, this feature is only available in Smartsheet commercial.
What data in Smartsheet is encrypted with CMEK?
Cell data and column data (customer data) is typically critical or sensitive data and can be encrypted with CMEK. Other data including images, attachments, discussions, and proofs are encrypted with data-at-rest and in-transit and can't be encrypted with CMEK at this time.
What type of CMK rotation does Smartsheet support?
Smartsheet supports auto-rotation of CMKs through AWS KMS. Smartsheet doesn't support manual rotation of CMKs. For additional information on how to enable auto rotation of CMKs in AWS KMS, see Rotating customer master keys - AWS Key Management Service.