System Encryption
Select System Configuration > Security.
FME Flow encrypts sensitive data, including:
- Contents of the FME Flow Database.
- Passwords of FME Flow configuration backups.
- Secret keys for AWS S3 Resource connections.
The default System Encryption setting (Encryption Mode) is Standard. This setting applies a custom encryption key that is unique to your FME Flow installation. In this mode, you can enhance encryption security further by generating new custom encryption keys, and applying them on a rotating basis.
When generating new custom encryption keys, keep in mind the following:
- Do not lose track of any custom keys you generate. Data that is encrypted under a lost key cannot be accessed.
- When performing a Backup & Restore of an FME Flow configuration, you must restore to an FME Flow that uses the same custom encryption key as the backup.
- Any change to system encryption, including generating a new custom encryption key, or reverting to default encryption, also affects the FME Flow Database password. Because this password is encrypted during installation to a configuration file, FME Flow cannot automatically update it to use a new key. To ensure this password is based on the current key, you must manually encrypt it again following any changes performed here. For more information, see Encrypting the FME Flow Database Password.
Alternatively, FME Flow provides the option of using an encryption key that is common to any FME Flow installation. This Weak encryption mode is not the default System Encryption setting, and is not recommended.
Working with Custom Encryption Keys
Before generating and using custom encryption keys, ensure that Standard encryption mode is enabled. Expand System Encryption, and select Encryption Mode: Standard.
To download the current custom encryption key
- Click Download Key.
To generate and use a new custom encryption key
- Click Generate Key. On the Generating Key dialog, click Generate to invalidate the previous key, and use the newly-generated one.
- Download the newly-generated key, in case you want to reuse it later: Click Download Key.
To reuse a previously-generated custom encryption key
- Click Upload Key.
- Under Choose .jceks File, click Upload File to select the key you want to use. Alternatively, drag-and-drop the key over the "Drop file to upload" area.
To stop using custom encryption
- Select Encryption Mode: Weak.