Splunk® Business Flow (Legacy)

Admin Manual



Splunk Business Flow is no longer available for purchase as of June 20, 2020. Customers who have already purchased Business Flow will continue to have support and maintenance per standard support terms for the remainder of contractual commitments.

Encrypt your metadata in the SBF Hosted Environment with Enterprise Managed Encryption Keys

Splunk Business Flow (SBF) stores metadata on your Flow Models and Flows in the SBF Hosted Environment. You can enable Enterprise Managed Encryption Keys (EMEK) to obscure your metadata stored in the SBF Hosted Environment. The encryption keys are stored in your local Splunk Enterprise instance and never shared with a Splunk-hosted system. Enterprise Managed Encryption Keys is an optional feature.

For more on what metadata is stored in the SBF Hosted Environment, see What metadata is stored in the SBF Hosted Environment?

What to know before you enable EMEK

The following sections outline how EMEK works in SBF and what metadata is encrypted with EMEK.

How EMEK works in SBF

The following steps outline what happens when you enable EMEK in SBF:

  1. SBF generates an encryption key.
  2. The SBF encryption key is stored in an encrypted passwords.conf file in Splunk Enterprise. For more, see passwords.conf in the Splunk Enterprise Admin Manual.
  3. SBF encrypts all of the user-defined metadata from your tenant.
  4. SBF sends the encrypted metadata to the SBF Hosted Environment.
  5. The SBF encryption key is used to decrypt your metadata stored in the SBF Hosted Environment when you access your Flows and Flow Models.

Metadata that is encrypted when you enable EMEK

When you enable Enterprise Managed Encryption Keys, the following types of metadata are encrypted:

  • User-defined labels, such as text descriptions of a Flow Model or Flow
  • The search in the Flow Model
  • Correlation ID, Step, and Attribute field names
  • User-entered names, including the following:
    • Alias
    • Lanes
    • Custom Numeric Attributes
    • Filter Set Names
    • Notification Names

Metadata that is not encrypted when you enable EMEK

When you enable Enterprise Managed Encryption Keys, the following types of metadata are not encrypted:

  • Time that a Flow Model or Flow is created or updated
  • Max Journey duration
  • Tenant UUID
  • Splunk Enterprise search head domain
  • Authorization tokens
  • User ID and preferences

Enable EMEK

Enable Enterprise Managed Encryption Keys to encrypt your metadata stored in the SBF Hosted Environment. By clicking Enable, you acknowledge the following risks and responsibilities involved with enabling metadata encryption:

  • The key is required for encrypting and decrypting metadata in the SBF Hosted Environment.
  • Loss of access or mutation of the key will result in service interruption and/or permanent loss of data access by all parties.

Follow these steps to enable EMEK to encrypt your metadata stored in the SBF Hosted Environment.

Do not edit the sbf.conf file after you enable encryption as it might result in data loss.

Prerequisites

  • You must have the sbf_set_encryption capability.
  • You must have SBF version 2.0.0.

Steps

  1. In SBF, click the gear icon.
  2. Click Settings.
  3. In Tenant Settings, click Manage under Enterprise Managed Encryption Keys.
    • You need the sbf_set_encryption capability to enable or disable EMEK.
  4. Select Enable.
  5. Click Submit.
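
Because the sbf_set_encryption capability is required to enable or disable EMEK, it is worth reviewing which roles grant it and which users hold those roles. The following search is an added example, not part of the Splunk documentation; it assumes the standard Splunk Enterprise REST endpoints /services/authorization/roles and /services/authentication/users are readable by the account that runs it on the search head.

```spl
| rest /services/authorization/roles splunk_server=local
| eval all_caps=mvappend(capabilities, imported_capabilities)
| search all_caps="sbf_set_encryption"
| rename title AS role
| fields role
| join type=left max=0 role
    [| rest /services/authentication/users splunk_server=local
     | fields title roles
     | mvexpand roles
     | rename title AS user, roles AS role]
| stats values(user) AS users BY role
```

Roles that receive the capability through inheritance appear in the result because imported_capabilities is included in the match.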

Disable EMEK

If you disable EMEK, SBF decrypts all of the encrypted metadata in the SBF Hosted Environment and your metadata is stored in an unencrypted form. Follow these steps to disable Enterprise Managed Encryption Keys and decrypt your metadata stored in the SBF Hosted Environment.

Prerequisites

  • You must have the sbf_set_encryption capability.
  • You must have SBF version 2.0.0.

Steps

  1. In SBF, click the gear icon.
  2. Click Settings.
  3. In Tenant Settings, click Manage under Enterprise Managed Encryption Keys.
    • You need the sbf_set_encryption capability to enable or disable EMEK.
  4. Select Disable.
  5. Click Submit.
Last modified on 01 April, 2020

This documentation applies to the following versions of Splunk® Business Flow (Legacy): -Latest-

