System Encryption
Select System Configuration > Security.
FME Flow, by default, encrypts sensitive data, including:
- Contents of the FME Flow Database.
- Passwords of FME Flow configuration backups.
- Secret keys for AWS S3 Resource connections.
By default, this encryption uses an encryption key that is common to every FME Flow installation. To strengthen encryption, you can generate your own custom encryption keys and apply them on a rotating basis.
When using custom encryption keys, keep in mind the following:
- Do not lose track of any custom keys you generate. Data that is encrypted under a lost key cannot be accessed.
- When performing a Backup & Restore of an FME Flow configuration, you must restore to an FME Flow installation that uses the same custom encryption key as the backup.
- Any change to system encryption, including generating a new custom encryption key or reverting to default encryption, also affects the FME Flow Database password. Because this password is encrypted and written to a configuration file during installation, FME Flow cannot automatically update it to use a new key. To ensure this password is encrypted under the current key, you must manually encrypt it again after any change made here. For more information, see Encrypting the FME Flow Database Password.
Getting Started with Custom Encryption
Before generating and using custom encryption keys, you must enable custom encryption in FME Flow. Expand System Encryption, and select Encryption Mode: Restricted.
To generate and use a new custom encryption key
- Generate a custom encryption key: Click Generate Key. On the Generating Key dialog, click Generate to invalidate the previous key and use the newly generated one.
- Download the newly generated key, in case you want to reuse it later: Click Download Key.
To reuse a previously generated custom encryption key
- Click Upload Key.
- Under Choose .jceks File, click Upload File to select the key you want to use. Alternatively, drag-and-drop the key over the "Drop file to upload" area.
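One way to keep track of downloaded keys and know which .jceks file to upload before restoring a given backup is a small registry of key fingerprints. This is an added example, not part of FME Flow or its documentation; the manifest layout, function names, and file and backup names are assumptions, and the key files are constructed stand-in bytes.

```python
import hashlib
import json
import pathlib
import tempfile

def fingerprint(key_file):
    """SHA-256 of a key file's bytes: identifies a key without revealing it."""
    return hashlib.sha256(pathlib.Path(key_file).read_bytes()).hexdigest()

def _load(manifest):
    p = pathlib.Path(manifest)
    return json.loads(p.read_text()) if p.exists() else {"keys": {}, "backups": {}}

def _save(manifest, data):
    pathlib.Path(manifest).write_text(json.dumps(data, indent=2, sort_keys=True))

def record_key(manifest, key_file, note):
    """Register a downloaded key. The manifest stores fingerprints only;
    the .jceks files themselves belong in a secrets store."""
    data = _load(manifest)
    fp = fingerprint(key_file)
    data["keys"][fp] = note
    _save(manifest, data)
    return fp

def record_backup(manifest, backup_name, key_file):
    """Note which key was active when a configuration backup was taken."""
    data = _load(manifest)
    fp = fingerprint(key_file)
    if fp not in data["keys"]:
        raise ValueError("key file is not registered; call record_key first")
    data["backups"][backup_name] = fp
    _save(manifest, data)

def key_for_backup(manifest, backup_name, candidates):
    """Return the candidate key file that matches the backup, or None if lost."""
    wanted = _load(manifest)["backups"].get(backup_name)
    return next((str(p) for p in candidates if wanted and fingerprint(p) == wanted), None)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        d = pathlib.Path(d)
        old, new, m = d / "key-A.jceks", d / "key-B.jceks", d / "keys.json"
        old.write_bytes(b"constructed stand-in for key A")  # not real key material
        new.write_bytes(b"constructed stand-in for key B")  # not real key material
        record_key(m, old, "first custom key")
        record_key(m, new, "rotated key")
        record_backup(m, "config-backup-A", old)  # hypothetical backup label
        print(key_for_backup(m, "config-backup-A", [new, old]))  # path of key-A.jceks
        print(key_for_backup(m, "config-backup-A", [new]))       # None: key A not on hand
```

A `None` result before a restore means the matching key file is not among the candidates, which is the lost-key case the notes above warn about.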
To stop using custom encryption
Select Encryption Mode: Secure (Default).