About using customer-managed keys in Sigma

If you want to manage the encryption keys used to protect the data in your Sigma organization, set up customer-managed keys (CMK). For instructions, see Set up customer-managed keys.

This is a premium feature. To enable it for your Sigma organization, contact your Sigma Account Executive or contact Sigma Support.

This document provides details about Sigma-managed keys and customer-managed keys, including what data in Sigma is encrypted by different types of keys.

This feature isn't supported in all regions. To check if it is supported in your region, see Supported data platforms and feature compatibility.

About CMK

Sensitive data, such as the credentials used to access your connected data platform, is encrypted before Sigma stores it. Encryption keys are stored and managed in the key management service that corresponds to your Sigma organization's cloud provider. The sensitive data can be encrypted either with Sigma-managed keys or with customer-managed keys:

  • Sigma-managed keys are owned and managed by Sigma Computing. Sigma Computing has full control of the keys and manages the key creation, rotation, and deletion process.
  • Customer-managed keys are owned and managed by you, the Sigma customer, in your own cloud provider. You can encrypt your sensitive data with keys that you manage, and you have full control over these keys, including whether Sigma can use them.

The following diagram (Mermaid source) shows how the Sigma encryption service sits between your KMS and the data stores it protects:

graph TD
    Customer["Customer KMS"]
    EncService["Encryption Service"]
    
    Customer <-->|encrypt/decrypt| EncService
    
    EncService --> Data["Secrets & Documents"]
    EncService --> DB["MySQL"]
    EncService --> Storage["Cloud Storage"]
    
    style Customer fill:#e1f5ff
    style EncService fill:#fff3e0
    style Data fill:#f3e5f5
    style DB fill:#f3e5f5
    style Storage fill:#f3e5f5

Data encrypted in Sigma

When you use Sigma, your data is encrypted. If you use customer-managed keys, those keys are used to protect specific kinds of data. The following table describes what data Sigma stores, where it is stored, and how it is protected whether you use CMK or not:

| Data type | Storage location | Protection without CMK | Protection with CMK |
| --- | --- | --- | --- |
| Secrets and credentials | MySQL database | Sigma-managed keys | Customer-managed keys |
| Document metadata | Cloud storage | Encryption at rest | Customer-managed keys |
| Files exported via API | Cloud storage | Encryption at rest | Customer-managed keys |
| Other exports | Not stored | Encrypted in transit by TLS 1.2+ | Encrypted in transit by TLS 1.2+ |
| Data platform metadata | MySQL database | Sigma-managed keys | Sigma-managed keys |
| CSV file uploads | Cloud storage | Encryption at rest | Encryption at rest |

For more details about each data type, refer to the following list:

  • Secrets and credentials: Secrets and credentials added to Sigma are treated as sensitive data.
  • Document metadata: For example, workbook names, data model names, and references to elements in those documents.
  • File exports requested via API: Files generated by an API request to the Export data from a workbook (POST /v2/workbooks/{workbookId}/export) endpoint. These files must be stored so that they can be downloaded using the Download an exported file (GET /v2/query/{queryId}/download) endpoint. Sigma has strict retention rules to delete these files automatically.
  • Other exports: Files downloaded from the Sigma UI, such as from a workbook or using an action, or files exported to a destination, such as from a workbook, using an action, or using the Export a workbook (POST /v2/workbooks/{workbookId}/send) endpoint.
  • Data platform metadata: For example, database or catalog names, schema names, and table names.
  • CSV file uploads: CSV-formatted files uploaded to Sigma, for example to use in an input table or as a data source for a data element. These files cannot be protected with customer-managed keys because of compatibility issues with how certain data platforms pull data into tables from cloud-based blob storage. Files are retained for up to 24 hours.

Sigma key management architecture

Sigma uses envelope encryption with data keys to support customer-managed keys. You own the keys in your cloud key management service (KMS), called root keys, and Sigma uses those root keys to encrypt its data keys:

  • Root keys are stored in your KMS, and you own them. Sigma makes encryption and decryption requests to the KMS via its API; the root keys never leave the KMS.
  • Data keys are owned and stored by Sigma. Each data key is encrypted with the root key, and the decrypted data keys are cached for up to 15 minutes.

When you set up CMK, you set up the root keys in your cloud environment (such as AWS or Azure) and manage the keys yourself. Sigma Computing then works with you to link the keys that you manage to your Sigma organization and the Sigma encryption service.

As a customer, you can revoke the access that Sigma has to your root keys, preventing Sigma from accessing the underlying encrypted data.

When an encryption request is made, Sigma checks whether the data keys are cached and, if not, retrieves them from the MySQL database. If the data keys have expired, Sigma rotates them and writes the new keys to the cache and to the MySQL database. If they have not expired, Sigma decrypts the data keys (a decryption request to the root key in your KMS), writes the decrypted keys to the cache, uses them in the encryption algorithm, and returns the encrypted data.

Key rotation and customer-managed keys

Sigma Computing does not enforce key rotation for customer-managed keys because the keys are managed by you, the customer. Sigma can rotate customer-managed keys when requested. Key rotation does not incur downtime.

Key rotation schedules

Sigma-managed keys are rotated on the following schedules:

  • Data keys are rotated every 30 days.
  • Root keys are rotated every 180 days.

Customer-managed keys are rotated on the following schedules:

  • Data keys are rotated every 30 days.
  • Root key rotation is based on the requirements of the customer, as specified in their support request.

Request key rotation of customer-managed keys

To rotate customer-managed keys, contact Sigma and work through the following steps together:

  1. You contact Sigma Support to request CMK rotation.
  2. You set up new keys and provide the new keys to Sigma. Ensure that both old and new keys are available during key rotation to make sure Sigma does not lose access to any data.
  3. Sigma Computing initiates root key rotation. The data keys used by Sigma are rekeyed with the new root key.
  4. Sigma Computing confirms that key rotation is complete.
  5. You can safely deprecate and delete the old root keys.

It is your responsibility to manage root keys, including monitoring age and expiry.

Revoking customer-managed keys

If you revoke or remove the permissions that allow the Sigma encryption service to use your customer-managed keys, Sigma loses access to the root keys and might not function as expected. After revoking access, you might experience any or all of the following:

  • Inability to connect to your data platform, because Sigma will not be able to decrypt data warehouse credentials.
  • Inability to search for documents, because Sigma will not be able to decrypt workbook metadata.
  • Failure to authenticate to Sigma, as Sigma will not be able to decrypt OAuth tokens.