Customer Managed Encryption Keys

By default, Smartsheet uses encryption to safeguard your data and help you maintain control over it.

Who can use this?

Plans:

  • Business

With Customer Managed Encryption Keys (CMEK), you can add another layer of encryption to your Smartsheet data contained in cells and columns of sheets (customer data) using a key that is stored within Amazon Web Services’ Key Management Service (KMS). You own and manage this encryption key, giving you full control over such data.

You need an active AWS Key Management Service plan to use this feature.


Who are CMEKs for?

CMEKs are useful for organizations whose sensitive or regulated data requires them to manage their own encryption keys. With CMEKs, eligible customers can use Smartsheet while maintaining complete control over customer data stored in the Smartsheet application.

How do CMEKs work?

All data stored by Smartsheet is encrypted at rest with 256-bit AES encryption, using Smartsheet’s encryption keys. CMEKs provide an additional layer of 256-bit AES encryption on customer data using customer-controlled Customer Master Keys (CMKs) within AWS Key Management Service (KMS). In turn, this transfers control over the accessibility of customer data stored in Smartsheet to the customer.

Customers with CMEK enabled can revoke Smartsheet’s access to the customer data at any time. By destroying the CMK in AWS KMS, customers can effectively delete customer data from Smartsheet systems.


To enable Smartsheet CMEK with AWS KMS

Once you purchase the CMEK add-on, our account team works with your internal technical resources to enable the feature.

  1. Obtain the details needed to configure a CMK from Smartsheet.
  2. Configure the CMK in AWS KMS.
  3. Provide the Amazon Resource Name (ARN) to Smartsheet to complete the configuration steps.

Once the enablement process is complete, all newly created customer data is CMEK-encrypted. Existing customer data remains accessible and is encrypted through a data migration process. You will be notified when this process is completed. 

What happens if a CMEK is deleted?

If a CMK used with Smartsheet CMEK is deleted, it can't be recovered, and Smartsheet will be unable to decrypt the associated customer data. Under these circumstances, customer data in Smartsheet is effectively lost, so it's critical to ensure AWS KMS management processes are in place to avoid accidental deletion of CMKs.

What should we do if the CMK in AWS KMS has been scheduled for deletion?

You need to reprovision the CMK in AWS KMS. In some instances, if the waiting period defined in your AWS KMS console for key deletion has passed, it may not be possible to regain access to customer data that was encrypted using the deleted key. For more information on deletion of CMKs in AWS KMS, refer to Deleting customer master keys - AWS Key Management Service.

How should CMKs used for CMEK be maintained in AWS KMS?

You need to establish processes to prevent accidental deletion of CMKs for Smartsheet CMEK within AWS KMS. If a CMK used for Smartsheet data encryption is deleted, the associated customer data will be unrecoverable.
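One way to support the deletion safeguards described in the two answers above is a scheduled check of the CMK's state. The following is an added example, not Smartsheet's or AWS's own code: it classifies the `KeyMetadata` returned by the KMS DescribeKey API and the rotation flag from GetKeyRotationStatus. The function names, severity labels and sample values are assumptions made for illustration.

```python
"""Added example: classify a CMK's health from AWS KMS DescribeKey output."""
from datetime import datetime, timezone

# Key states (not exhaustive) in which KMS rejects cryptographic operations.
BLOCKING_STATES = {"Disabled", "PendingDeletion", "PendingImport", "Unavailable"}


def assess_cmk(key_metadata, rotation_enabled, now=None):
    """Return a list of (severity, message) findings for one key.

    key_metadata: the "KeyMetadata" dict of a DescribeKey response.
    rotation_enabled: "KeyRotationEnabled" from GetKeyRotationStatus.
    """
    now = now or datetime.now(timezone.utc)
    arn, state = key_metadata["Arn"], key_metadata["KeyState"]
    findings = []
    if state == "PendingDeletion":
        # KMS deletes the key at DeletionDate; the deletion can be
        # cancelled (CancelKeyDeletion) only before that moment.
        days = (key_metadata["DeletionDate"] - now).days
        findings.append(("CRITICAL", f"{arn} is scheduled for deletion; "
                         f"{days} full day(s) left in the waiting period"))
    elif state in BLOCKING_STATES:
        findings.append(("HIGH", f"{arn} is {state}; KMS will reject decrypt requests"))
    if not rotation_enabled:
        findings.append(("INFO", f"{arn} has automatic rotation turned off"))
    return findings


def assess_live(key_arn):
    """Same check against a real account (needs boto3 and AWS credentials)."""
    import boto3
    kms = boto3.client("kms")
    meta = kms.describe_key(KeyId=key_arn)["KeyMetadata"]
    rotation = kms.get_key_rotation_status(KeyId=key_arn)["KeyRotationEnabled"]
    return assess_cmk(meta, rotation)


# Constructed sample metadata (placeholder account and key IDs).
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_PENDING = {
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "KeyState": "PendingDeletion",
    "DeletionDate": datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc),
}
SAMPLE_HEALTHY = dict(SAMPLE_PENDING, KeyState="Enabled")

if __name__ == "__main__":
    for severity, message in assess_cmk(SAMPLE_PENDING, False, now=SAMPLE_NOW):
        print(severity, message)
```

Run `assess_live` on a schedule with the ARN you provided to Smartsheet and route any CRITICAL or HIGH finding to whoever administers the key.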

Is CMEK available in Smartsheet Gov?

No. Currently, this feature is only available in Smartsheet commercial.

What data in Smartsheet is encrypted with CMEK?

Cell and column data (customer data) are typically considered critical or sensitive and can be encrypted with CMEK. Other content—such as images, attachments, comments, and proofs—is encrypted at rest and in transit using Smartsheet’s standard encryption methods but cannot be encrypted with CMEK at this time.

What type of CMK rotation does Smartsheet support?

Smartsheet supports auto-rotation of CMKs through AWS KMS. Smartsheet doesn't support manual rotation of CMKs. For additional information on how to enable auto rotation of CMKs in AWS KMS, see Rotating customer master keys - AWS Key Management Service.

Are assets automatically encrypted when transferred to a CMEK-enabled plan?

No. Assets transferred to a CMEK-enabled plan after CMEK has been activated and the migrations have completed aren't automatically encrypted.