Enterprise Key Management Guide

Enterprise Key Management gives you control over the keys used to encrypt your Quip data. The keys you create are used only to encrypt your content; Quip has no control over them beyond the access you explicitly permit us.

This guide will walk you through managing your EKM deployment, from initial setup and logging through key rotation and revocation. To learn more about EKM, see our Security page.

Setting up EKM

1. Plan your rollout

Prior to beginning setup, you’ll work hand in hand with your Quip representative to define a rollout plan and schedule for encrypting your documents. We can customize the deployment to your testing and verification needs, whether that means gradually ramping up a percentage of new threads encrypted before fully switching over all your existing content or a rapid deployment of all content simultaneously.

To start planning your rollout, get in touch with your Quip representative. The length of your deployment will depend on your testing and verification needs, as well as the size of your Quip instance.

2. Create your keys

  1. Set up Amazon KMS. See their Product Overview and Getting Started Guide.
    1. You can also use CloudHSM via KMS Custom Key Store.
  2. Create three keys in KMS.
    1. Follow the documentation for key creation in the KMS Create Keys guide.
    2. In step 4, Define Key Usage Permissions, scroll down to “Other AWS Accounts”, click “Add another AWS account”, and enter the Quip AWS account number.

      Quip will never be able to access your keys directly. Adding the Quip AWS account here gives us permission to send encrypted material to your keys using the AWS KMS APIs and receive the decrypted material as an API response; it does not give us any other access.
    3. Unless setting up EKM for a VPC, you must create the keys in these regions:
      1. Primary Key: us-west-2
      2. Backup Key 1: us-east-2
      3. Backup Key 2: us-west-1

      If you’re setting up EKM for a VPC, work with your Quip representative to choose the correct regions.

3. Start the setup process

When you’re ready to kick off the encryption process — there’s a deployment plan in place, and you’ve created your keys in KMS — let us know in the admin console.

  1. Go to the Shield Advanced Security tab in your admin console.
  2. Click “Begin Setup” under the Enterprise Key Management heading.
  3. Read the information, check that you understand it, and click “Next”.
  4. Enter the ARNs of your keys, and click Next.
    1. Make sure you’ve granted the correct permissions before completing this step!
    2. You can find the ARNs in your AWS Console. Go to the KMS service, and click “Customer managed keys” in the left sidebar. Then, for each of your keys, click the key to get taken to the key page. Enter the entire string under “ARN”, starting with arn:aws:kms, into the admin console.
  5. Double-check that everything has been entered correctly, and click “Begin Setup”.
  6. That’s it! We’ll begin setup according to the deployment plan. The length of your deployment will depend on your testing and verification needs, as well as the size of your Quip instance.
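Before pasting the three ARNs into the admin console, it is worth checking that each one is a key ARN (not an alias ARN) and that each key sits in the region the guide assigns to its role. The following script is an added example and is not part of the guide or of Quip's tooling; the sample ARNs and the account number 111122223333 are constructed placeholders, and the check covers only the non-VPC region layout stated above.

```python
import re

# Regions the guide requires for a non-VPC deployment (VPC deployments are agreed with Quip).
EXPECTED_REGIONS = {
    "primary": "us-west-2",
    "backup1": "us-east-2",
    "backup2": "us-west-1",
}

# A KMS key ARN has the form arn:aws:kms:<region>:<12-digit account>:key/<key id>.
# Alias ARNs (".../alias/<name>") deliberately do not match: the console asks for the key ARN.
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-fA-F-]+)$"
)


def parse_key_arn(arn: str):
    """Return (region, account, key_id) for a KMS key ARN, or None if the string is not one."""
    m = KMS_KEY_ARN.match(arn.strip())
    if not m:
        return None
    return m.group("region"), m.group("account"), m.group("key_id")


def check_key_arns(arns: dict) -> list:
    """Compare the ARNs you are about to paste against the guide's layout.

    `arns` maps a role ("primary", "backup1", "backup2") to the ARN string copied
    from the key page. Returns a list of readable problems; empty means all three look right.
    """
    problems = []
    seen = {}  # stripped ARN -> role that already used it
    for role, expected_region in EXPECTED_REGIONS.items():
        arn = arns.get(role)
        if not arn:
            problems.append(f"{role}: no ARN supplied")
            continue
        parsed = parse_key_arn(arn)
        if parsed is None:
            problems.append(f"{role}: not a KMS key ARN (copy the value under 'ARN' on the key page): {arn!r}")
            continue
        region, _account, _key_id = parsed
        if region != expected_region:
            problems.append(f"{role}: key is in {region}, but the guide requires {expected_region}")
        key = arn.strip()
        if key in seen:
            problems.append(f"{role}: same key as {seen[key]}; each role needs its own key")
        seen.setdefault(key, role)
    for role in arns:
        if role not in EXPECTED_REGIONS:
            problems.append(f"{role}: unknown role (expected primary, backup1, backup2)")
    return problems


if __name__ == "__main__":
    # Constructed sample input with a placeholder account number.
    sample = {
        "primary": "arn:aws:kms:us-west-2:111122223333:key/11111111-1111-1111-1111-111111111111",
        "backup1": "arn:aws:kms:us-east-2:111122223333:key/22222222-2222-2222-2222-222222222222",
        "backup2": "arn:aws:kms:us-west-1:111122223333:key/33333333-3333-3333-3333-333333333333",
    }
    for line in check_key_arns(sample) or ["all three ARNs look right"]:
        print(line)
```

Run it with the three ARNs you copied from the KMS console; an empty problem list is the go-ahead to paste them, and any region mismatch is cheaper to catch here than after setup has started.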


Locking Down Content

Locking down your entire site

You can revoke the Quip service’s access to your customer-managed keys by disabling the keys as described in the AWS KMS Documentation. This will prevent everyone — including all your users, Quip employees, and the Quip service — from decrypting and accessing your content.

  • Remember to disable each of your three keys.
  • Note that none of your users will be able to access any of your content while your customer-managed keys are disabled. If you want to revoke decryption access for a single thread while the rest of your Quip content remains in normal operation, see Locking Down a Single Document below.

To ensure your content is immediately cleared from all caches, search indices, and your users’ downloaded apps, you must also use our Clear Downloads option in the admin console:

  1. Load the admin console for your Quip site, and navigate to the Shield Advanced Security tab.
  2. Scroll down to the “Clear Downloads” section under the Enterprise Key Management heading.
  3. Click the “Clear Site” button and confirm.

To re-enable decryption of your content, re-enable your keys, and again click the “Clear Site” button to force the key settings to take effect immediately.


Locking down a single document

You can respond to targeted security threats or concerns by revoking access to a single document. This will prevent everyone — including all your users, Quip employees, and the Quip service — from decrypting and accessing that document, while your users have uninterrupted access to the rest of their Quip content.

To revoke access to a thread, you’ll need the identifier in its URL. Quip URLs have a 12-character unique identifier in them:

[Image: a Quip document URL with its 12-character identifier highlighted]

If you have access to the content in Quip’s admin console, you can also use the identifier under “Thread ID” on the document’s page.

Once you have that identifier, here’s how you revoke access to a specific piece of content:

  1. Open your AWS Console and go to the KMS Service.
  2. Click on one of your keys, scroll down to where it says “Key Policy”, and click Edit.
  3. Paste in the Key Policy below.
  4. Replace the placeholder URL_IDENTIFIER in the key policy template with your URL Identifier.
    1. Optionally, you can edit the Sid to include the name of the document, e.g. "Sid": "Deny decryption access to doc 2019 Financials".
  5. Save the policy.
  6. Repeat steps 2-5 for each of your three keys.
  7. Now return to the Shield Advanced Security tab of the Quip Admin Console, and scroll down to the “Clear Document” button. Enter the URL for the document, and click “Clear Downloads” to clear the document from all downloads and caches.

To restore access to the document, delete the policies you added from the Key Policies section in KMS, and again use the Clear Document button to force the new key policies to take effect in Quip.


Key Policy statement (add it as an entry in the "Statement" list of each key's policy; the Deny takes precedence over the existing Allow statements):

{
  "Sid": "Deny decryption access to a specific document",
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::061931515800:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "kms:EncryptionContext:RootID": "URL_IDENTIFIER"
    }
  }
}
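Editing three key policies by hand for every lockdown (and again to restore access) is error-prone, so a small script that extracts the thread identifier from the URL, inserts the Deny statement above into an existing key policy document, and later removes it again keeps the three keys consistent. The script below is an added example, not part of the guide or of Quip's tooling: it assumes the 12-character identifier is the first path segment of the document URL, the sample key policy and the account number 111122223333 are constructed placeholders, and the statement it builds mirrors the template above (Quip principal, actions, and the kms:EncryptionContext:RootID condition).

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Principal and condition key exactly as in the guide's policy statement.
QUIP_PRINCIPAL = "arn:aws:iam::061931515800:root"
CONTEXT_KEY = "kms:EncryptionContext:RootID"
DENIED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

# Quip thread identifiers are 12 characters; letters and digits are assumed here.
THREAD_ID = re.compile(r"^[A-Za-z0-9]{12}$")

# Constructed sample: a key policy with only the default administrator statement.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def thread_id_from_url(url: str) -> str:
    """Extract the 12-character identifier, assumed to be the first path segment of the URL."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if not segments or not THREAD_ID.match(segments[0]):
        raise ValueError(f"no 12-character thread identifier found in {url!r}")
    return segments[0]


def build_deny_statement(thread_id: str, doc_name: Optional[str] = None) -> dict:
    """Build the guide's Deny statement for one thread. doc_name only customises the Sid."""
    if not THREAD_ID.match(thread_id):
        raise ValueError(f"invalid thread identifier {thread_id!r}")
    if doc_name is None:
        sid = "Deny decryption access to a specific document"
    else:
        # Key policy Sids allow letters, digits and spaces; drop anything else (e.g. quotes).
        sid = "Deny decryption access to doc " + re.sub(r"[^A-Za-z0-9 ]", "", doc_name)
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": {"AWS": QUIP_PRINCIPAL},
        "Action": list(DENIED_ACTIONS),
        "Resource": "*",
        "Condition": {"ForAnyValue:StringEquals": {CONTEXT_KEY: thread_id}},
    }


def _statement_thread_id(stmt: dict) -> Optional[str]:
    """Return the thread id a Deny statement targets, or None for any other statement."""
    if stmt.get("Effect") != "Deny":
        return None
    return stmt.get("Condition", {}).get("ForAnyValue:StringEquals", {}).get(CONTEXT_KEY)


def denied_thread_ids(policy: dict) -> list:
    """List the thread identifiers currently locked down by this policy."""
    return [t for t in (_statement_thread_id(s) for s in policy["Statement"]) if t]


def add_deny_statement(policy: dict, thread_id: str, doc_name: Optional[str] = None) -> dict:
    """Return a copy of the policy with the Deny statement appended (no duplicate if already present)."""
    updated = json.loads(json.dumps(policy))  # deep copy; the caller's document is untouched
    if thread_id in denied_thread_ids(updated):
        return updated
    updated["Statement"].append(build_deny_statement(thread_id, doc_name))
    return updated


def remove_deny_statement(policy: dict, thread_id: str) -> dict:
    """Return a copy of the policy with the Deny statement for thread_id removed (restores access)."""
    updated = json.loads(json.dumps(policy))
    updated["Statement"] = [s for s in updated["Statement"] if _statement_thread_id(s) != thread_id]
    return updated


if __name__ == "__main__":
    tid = thread_id_from_url("https://quip.com/AbCdEfGhIjKl/2019-Financials")  # constructed URL
    locked = add_deny_statement(SAMPLE_KEY_POLICY, tid, "2019 Financials")
    print(json.dumps(locked, indent=2))
```

Fetch each key's current policy with `aws kms get-key-policy --key-id <key ARN> --policy-name default`, run it through `add_deny_statement`, and write it back with `aws kms put-key-policy --key-id <key ARN> --policy-name default --policy file://policy.json`; repeat for all three keys, then use the Clear Document button as step 7 describes. `remove_deny_statement` produces the policy for the restore step. Because the functions copy rather than mutate, you can diff the before and after documents to confirm only the one Deny statement changed.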
