Enterprise Key Management Guide

Enterprise Key Management gives you control over the keys used to encrypt your Quip data. The keys you create are only used to encrypt your content, and Quip has no control over them, and only the access you permit us.

This guide will walk you through setting up your EKM deployment, from initial setup and logging through key rotation and revocation. To learn more about EKM, see our Security page.

Setting up EKM

1. Plan your rollout

Prior to beginning setup, you’ll work hand in hand with your Quip representative to define a rollout plan and schedule for encrypting your documents. We can customize the deployment to your testing and verification needs, whether that means gradually ramping up a percentage of new threads encrypted before fully switching over all your existing content or a rapid deployment of all content simultaneously.

To start planning your rollout, get in touch with your Quip representative. The length of your deployment will depend on your testing and verification needs, as well as the size of your Quip instance.

2. Create your keys

  1. Set up Amazon KMS. See their Product Overview and Getting Started Guide.
  2. Create three keys in KMS.
    1. Quip will never be able to access your keys directly. Adding the Quip AWS account here gives permission for us to send encrypted material to your keys using the AWS KMS APIs and get the decrypted material as an API response, but does not give us any other access.
  3. Follow the documentation for key creation in the KMS Create Keys guide.
  4. In step 2, Add Labels, add a tag labeling the key for use by Quip EKM. (You can name it anything you like, but you must add this label):
    1. "Tag key" =quip-ekm
    2. Leave "Tag value" blank.
  5. In step 4, Define Key Usage Permissions, scroll down to “Other AWS Accounts”, click “Add another AWS account”, and enter in the Quip AWS account number.
    1. Unless setting up EKM for a VPC, you must create the keys in these regions:
      Primary Key: us-west-2
      Backup Key 1: us-east-2
      Backup Key 2: us-west-1
    2. If you’re setting up EKM for a VPC, work with your Quip representative to choose the correct regions.

3. Start the setup process

When you’re ready to kick off the encryption process — there’s a deployment plan in place, and you’ve created your keys in KMS — let us know in the admin console.

  1. Go to the Shield Advanced Security tab in your admin console.
  2. Click “Begin Setup” under the Enterprise Key Management heading.
  3. Read the information, check that you understand it, and click “Next”.
  4. Enter the ARNs of your keys, and click Next.
    1. Make sure you’ve granted the correct permissions before completing this step!
    2. You can find the ARNs in your AWS Console. Go to the KMS service, and click “Customer managed keys” in the left sidebar. Then, for each of your keys, click the key to get taken to the key page. You should enter the the entire string under “ARN”, starting with arn:aws:kms, into the admin console.
  5. Double-check that everything has been entered correctly, and click “Begin Setup”.
  6. That’s it! We’ll begin setup according to the deployment plan. The length of your deployment will depend on your testing and verification needs, as well as the size of your Quip instance.

Revoking key access

Revoking access to a single document

You can respond to targeted security threats or concerns by revoking access to a single document. This will prevent everyone — including all your users, Quip employees, and the Quip service — from decrypting and accessing that document, while your users have uninterrupted access to the rest of their Quip content.

To revoke access to a thread, you’ll use both the Quip admin console and the AWS KMS admin console.

First, you’ll get the secret document ID you’ll use to revoke access to the document. To do that:

  1. Navigate to the Shield Advanced Security tab of the Quip admin console.
  2. Click “Get Document ID”.
  3. Paste in the URL of the document you’d like to block access to, and click click “get Document ID”.
  4. Copy the Document ID that returns on the next modal screen. Save this ID in a safe place (outside Quip), because you’ll need it to restore access later if you choose to do so, and this lookup tool won’t work while access to the document is revoked.

Once you have that identifier, here’s how you revoke access to a specific piece of content:

  1. Open your AWS Console and go to the KMS Service.
  2. Click on one of your keys, scroll down to where it says “Key Policy”, and click Edit.
  3. Paste in the key policy (below).
  4. Replace the placeholder ACCOUNT with your AWS account number.
  5. Replace the placeholder DOCUMENT_ID in the key policy template with your Document ID.
    1. Optionally, you can edit the Sid to include the name of the document, e.g. "Sid": "Deny decryption access to doc "2020 Financials",.
  6. Save the policy.
  7. Repeat steps 2-5 for each of your three keys.
  8. Now return to the Shield Advanced Security tab of the Quip Admin Console.
    1. Scroll down and click the “Clear Document” button.
    2. Enter the Document ID, and click “Clear Downloads” to clear the document from all downloads and caches.

To restore access to the document, delete the policies you added from the Key Policies section in KMS, and again use the Clear Document flow to force the new key policies to take effect in Quip.

Revoking access to the entire site

You can revoke the Quip service’s access to your customer-managed keys by disabling the keys as described in the AWS KMS Documentation. This will prevent everyone — including all your users, Quip employees, and the Quip service — from decrypting and accessing your content.

  • Remember to disable each of your three keys.
  • Note that none of your users will be able to access any of your content while your customer-managed keys are disabled. If you want to revoke decryption access for a single thread while the rest of your Quip content remains in normal operation, see “Revoking access to a single document” above.

Downloaded content will be automatically cleared from all caches, search indices, and downloaded apps. While the key is disabled, no one will be able to log into your Quip site, and the admin console will not work.

To re-enable decryption of your content, re-enable your keys. Access will be restored automatically; all users will be able to log in and resume work in Quip as normal.

Key Policy

"Sid": "Deny decryption access to a specific document",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT:root"
"Action": [
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"kms:EncryptionContext:RootID": "DOCUMENT_ID"
Was this article helpful?
0 out of 0 found this helpful

Articles in this section