Overview
This guide explains how to configure and manage data encryption for your organization. Mend provides comprehensive encryption capabilities that protect your sensitive data both in storage and during transmission.
What Data is Encrypted
The following data types are automatically encrypted:
- Code snippets stored in the system
- Incremental data in storage
Important: Encryption applies to both new data and existing data in your organization.
Encryption Key Management
Two key management options are available:
Option 1: Mend.io-Managed Keys (Recommended)
- Mend generates and manages the encryption keys on your behalf
- The keys are held in the cloud provider's (AWS or Azure) KMS, which performs the encryption and decryption operations
- Simplified setup with enterprise-grade security
Option 2: Customer-Managed Keys
- You generate, provide, and manage your own key material
- Full control over the key lifecycle and its security
- The cloud provider's (AWS or Azure) KMS holds your key material and performs the encryption and decryption operations; it does not own the key lifecycle
- Best for organizations with strict compliance requirements
How Encryption Works
Mend uses server-side encryption with the following approach:
- Data is encrypted when stored and only decrypted when it is accessed through an authorized path
- Keys are stored in your cloud provider's Key Management System (KMS); they are not stored alongside the data
- Key rotation and management are automatic for Mend-managed keys; with customer-managed keys you rotate by uploading new key material (see "Configuring Your Encryption Key" below)
- Industry-standard AES-256 encryption is enforced for all data
Security Features
Encryption Standards
- AES-256 encryption for all encrypted data
- Separation of responsibilities: you or Mend control the key material, while AWS/Azure perform the encryption and decryption operations
- Secure key storage: all keys are stored in the cloud provider's KMS
- Compliance alignment: meets security and compliance best practices
Configuring Your Encryption Key
Prerequisites
- Administrator permissions in your organization
- A valid Bearer Token for API authentication
Step-by-Step Configuration
1. Generate Your Encryption Key
For AWS environments (32 random bytes, i.e. raw 256-bit AES key material):
openssl rand -out aes-key.bin 32
For Azure environments (a 4096-bit RSA key; note that an RSA key cannot encrypt bulk data directly, so it serves as a wrapping key for the AES-256 data keys, and the PEM file written here contains the private key, so protect it like any other secret):
openssl genrsa -out keypair.pem 4096
2. Upload the Key via API
API reference: Upload Key Material File - https://api-docs.mend.io/platform/3.0/sast/postencryptionkey
Endpoint:
POST /api/v3.0/orgs/{orgId}/settings/storage/encryption
Headers:
- Authorization: Bearer {your-token}
- Content-Type: multipart/form-data
Parameters:
- orgId (path): your organization UUID
- key_material_file (multipart form field): the generated key file
3. API Response Codes
| Code | Response | Description |
|---|---|---|
| 200 | OK | Key successfully uploaded |
| 400 | Invalid key material format | Check your key file format (32-byte raw key for AWS, PEM-encoded 4096-bit RSA key for Azure) |
| 403 | Unauthorized (HTTP 403 Forbidden) | Verify your permissions and that the token is valid |
| 429 | Upload too soon | Wait 10 minutes between uploads |
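The three steps above, as one added shell example (this is not Mend's own tooling): it generates the key material for the chosen cloud, checks locally that the file has the shape the endpoint expects (the condition behind the 400 response), enforces the 10-minute window between uploads (the condition behind the 429 response), and performs the multipart POST. The API host is taken from an assumed environment variable MEND_API_BASE, since the page does not state it; the generate and validate functions only need openssl.

```shell
#!/bin/sh
# Added example, not part of Mend's documentation or tooling.
# Assumption: MEND_API_BASE holds the API host for your tenant (not given on the page).
set -u

MIN_UPLOAD_INTERVAL=600   # the endpoint accepts at most one key upload per 10 minutes

# generate_key <aws|azure> <outfile>
# AWS: 32 random bytes of raw AES-256 key material.
# Azure: 4096-bit RSA key; the PEM holds the private key, so restrict its permissions.
generate_key() {
  case "$1" in
    aws)   openssl rand -out "$2" 32 ;;
    azure) openssl genrsa -out "$2" 4096 2>/dev/null ;;
    *)     echo "unknown environment: $1" >&2; return 2 ;;
  esac && chmod 600 "$2"
}

# validate_key <aws|azure> <file>
# Returns 0 when the file matches the documented format, 1 otherwise. Running this
# before the upload avoids burning the 10-minute window on a 400 response.
validate_key() {
  case "$1" in
    aws)   [ "$(wc -c < "$2" | tr -d ' ')" -eq 32 ] ;;
    azure) openssl rsa -in "$2" -noout -text 2>/dev/null | grep -q '(4096 bit' ;;
    *)     return 2 ;;
  esac
}

# can_upload_now <last_upload_epoch_seconds> <now_epoch_seconds>
# Returns 0 once at least MIN_UPLOAD_INTERVAL seconds have passed since the last upload.
can_upload_now() {
  [ $(( $2 - $1 )) -ge "$MIN_UPLOAD_INTERVAL" ]
}

# upload_key <orgId> <bearer-token> <key-file>
# Performs the multipart POST and maps the documented response codes to messages.
upload_key() {
  body=$(mktemp)
  code=$(curl -sS -o "$body" -w '%{http_code}' \
      -X POST "${MEND_API_BASE}/api/v3.0/orgs/$1/settings/storage/encryption" \
      -H "Authorization: Bearer $2" \
      -F "key_material_file=@$3")
  case "$code" in
    200) echo "key uploaded at $(date -u +%Y-%m-%dT%H:%M:%SZ); record this timestamp" ;;
    400) echo "400 Invalid key material format: run validate_key on the file" >&2 ;;
    403) echo "403 Unauthorized: check Administrator permission and token validity" >&2 ;;
    429) echo "429 Upload too soon: wait ${MIN_UPLOAD_INTERVAL}s since the last upload" >&2 ;;
    *)   echo "unexpected HTTP $code:" >&2; cat "$body" >&2 ;;
  esac
  rm -f "$body"
  [ "$code" = 200 ]
}

# Typical run (AWS shown; use "azure" and keypair.pem for Azure):
#   generate_key aws aes-key.bin && validate_key aws aes-key.bin \
#     && can_upload_now "$LAST_UPLOAD_EPOCH" "$(date +%s)" \
#     && upload_key "$ORG_ID" "$MEND_TOKEN" aes-key.bin
```

The validation step is deliberately run before the POST: because the API refuses a second upload for 10 minutes, a malformed file costs you a full window, and the local checks catch the two common mistakes (a key file of the wrong length, or an Azure key of the wrong size) at no cost. Keep the generated files off shared storage and back them up to your secrets store before uploading.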
Important Notes
- Key Change Frequency: you can change your encryption key at most once every 10 minutes
- Key Format: ensure your key file matches the requirements for your cloud environment (32-byte raw key for AWS, PEM-encoded 4096-bit RSA key for Azure)
- Backup: always keep a secure backup of your encryption keys; data encrypted under key material you no longer hold cannot be decrypted
Troubleshooting
Common Issues
"Invalid key material format" error:
- Verify the key file was generated with the command for your cloud environment
- Check that the file matches the requirements: exactly 32 bytes of raw key material for AWS, a PEM-encoded 4096-bit RSA key for Azure
- Ensure the file was not corrupted or re-encoded (for example by a text editor or a line-ending conversion) before upload
"Unauthorized" error:
- Verify you have Administrator permissions
- Check that your Bearer Token is valid and not expired
"Upload too soon" error:
- Wait at least 10 minutes between key uploads
- Check the timestamp of your last successful upload
Getting Help
If you encounter issues not covered in this guide:
- Check your organization's audit logs for detailed error information
- Contact Mend.io Support
- Verify your cloud provider's KMS configuration
Best Practices
- Regular Key Rotation: plan regular key rotation as part of your security strategy
- Secure Storage: store key backups in a secure, encrypted location
- Access Control: limit key management access to authorized personnel only
- Monitoring: monitor key usage and access patterns through your cloud provider's tools
- Documentation: keep records of key changes and their effective dates