Data Encryption Configuration Guide
Overview
This guide explains how to configure and manage data encryption for your organization. Mend provides comprehensive encryption capabilities that protect your sensitive data both in storage and during transmission.
What Data is Encrypted
The following data types are automatically encrypted:
Code snippets stored in the system
Incremental data in storage
> Important: Encryption applies to both new data and existing data in your organization.
Encryption Key Management
You have full control over your encryption keys with two management options:
Option 1: Customer-Managed Keys
You provide and manage your own encryption keys
Full control over key lifecycle and security
Cloud provider (AWS or Azure) stores the key in its KMS and performs the encryption/decryption operations
Best for organizations with strict compliance requirements
Option 2: Mend.io-Managed Keys (Recommended)
Mend generates and manages encryption keys on your behalf
Cloud provider (AWS or Azure) handles key management
Simplified setup with enterprise-grade security
How Encryption Works
Mend uses server-side encryption with the following approach:
Data is encrypted when stored and only decrypted when securely accessed
Keys are stored in your cloud provider's Key Management System (KMS)
Automatic key rotation and management processes ensure ongoing protection
Industry-standard AES-256 encryption is enforced for all data
Security Features
Encryption Standards
AES-256 encryption for all encrypted data
Separation of responsibilities: You or Mend control key material while AWS/Azure handle encryption/decryption
Secure key storage: All keys stored in cloud provider's KMS
Compliance alignment: Meets security and compliance best practices
Configuring Your Encryption Key
Prerequisites
Administrator permissions in your organization
Valid Bearer Token for API authentication
Step-by-Step Configuration
1. Generate Your Encryption Key
For AWS environments (a 32-byte random AES key):
```shell
openssl rand -out aes-key.bin 32
```
For Azure environments (a 4096-bit RSA key pair):
```shell
openssl genrsa -out keypair.pem 4096
```
2. Upload the Key via API
Endpoint:
POST /api/v3.0/orgs/{orgId}/settings/storage/encryption
Headers:
Authorization: Bearer {your-token}
Content-Type: multipart/form-data
Parameters:
orgId: Your organization UUID
key_material_file: The generated key file
3. API Response Codes
| Code | Response | Description |
|---|---|---|
| 200 | OK | Key successfully uploaded |
| 400 | Invalid key material format | Check your key file format |
| 403 | Unauthorized | Verify your permissions |
| 429 | Upload too soon | Wait 10 minutes between uploads |
Important Notes
Key Change Frequency: You can change your encryption key at most once every 10 minutes
Key Format: Ensure your key file matches the requirements for your cloud environment
Backup: Always keep a secure backup of your encryption keys
Troubleshooting
Common Issues
"Invalid key material format" error:
Verify the key file was generated correctly
Check that the file size matches requirements (32 bytes for AWS, 4096-bit RSA for Azure)
Ensure the file is not corrupted
"Unauthorized" error:
Verify you have Administrator permissions
Check that your Bearer Token is valid and not expired
"Upload too soon" error:
Wait at least 10 minutes between key uploads
Check the timestamp of your last successful upload
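The format checks from step 1 and the "Invalid key material format" troubleshooting above can be run locally before an upload, which matters because a rejected upload still consumes the 10-minute window. The following is an added example, not Mend's own code or API client: it checks that an AWS key file is exactly 32 raw bytes and that an Azure file is a PEM RSA private key whose modulus is 4096 bits (PKCS#1 and PKCS#8 layouts both handled with a minimal DER walk). The `constructed_pem` helper builds a structurally valid but fake key purely for offline testing.

```python
import base64
import re

def _tlv(buf: bytes, pos: int):
    # Read one DER tag-length-value at pos; return (tag, value, position after it).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(der: bytes) -> int:
    # Bit length of the first large INTEGER (the modulus n) in a PKCS#1 or PKCS#8 RSA key.
    pos = 0
    while pos < len(der):
        tag, val, pos = _tlv(der, pos)
        if tag in (0x30, 0x04):                     # SEQUENCE / OCTET STRING: descend (PKCS#8 wraps PKCS#1)
            bits = rsa_modulus_bits(val)
            if bits:
                return bits
        elif tag == 0x02:
            bits = int.from_bytes(val, "big").bit_length()
            if bits >= 1024:                        # version and public exponent are far smaller
                return bits
    return 0

def check_key_material(data: bytes, provider: str):
    # None when the file matches the documented format, otherwise the reason it would be rejected.
    if provider == "aws":
        return None if len(data) == 32 else f"AWS expects 32 raw bytes, file has {len(data)}"
    if provider == "azure":
        m = re.search(rb"-----BEGIN (?:RSA )?PRIVATE KEY-----(.+?)-----END", data, re.S)
        if not m:
            return "Azure expects a PEM-encoded RSA private key"
        try:
            bits = rsa_modulus_bits(base64.b64decode(m.group(1)))
        except (ValueError, IndexError):
            return "PEM body is not valid base64/DER (corrupted file?)"
        return None if bits == 4096 else f"Azure expects a 4096-bit RSA key, modulus is {bits} bits"
    return f"unknown provider {provider!r}"

# CONSTRUCTED sample for offline testing: a structurally valid PKCS#1 RSAPrivateKey with
# placeholder numbers. It is not a usable key and must never be uploaded.
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def constructed_pem(bits: int) -> bytes:
    ints = (0, (1 << (bits - 1)) | 1, 65537)        # version, modulus n, public exponent e
    body = _der(0x30, b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints))
    return b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(body) + b"-----END RSA PRIVATE KEY-----\n"
```

Run `check_key_material(open("aes-key.bin", "rb").read(), "aws")` or the same with `keypair.pem` and `"azure"` before calling the upload endpoint; a `None` result means the file matches the documented size requirements.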
Getting Help
If you encounter issues not covered in this guide:
Check your organization's audit logs for detailed error information
Contact Mend.io Support
Verify your cloud provider's KMS configuration
Best Practices
Regular Key Rotation: Plan regular key rotation as part of your security strategy
Secure Storage: Store key backups in a secure, encrypted location
Access Control: Limit key management access to authorized personnel only
Monitoring: Monitor key usage and access patterns through your cloud provider's tools
Documentation: Keep records of key changes and their effective dates