Field Encryptions require a registered Encryption Key. Formal currently supports creating keys with AWS KMS, under 3 possible management models:

  • Managed Cloud: Formal creates a new AWS KMS Key within the organization’s integrated Cloud Account.
  • SaaS (Formal Managed): Formal creates a new AWS KMS Key within Formal’s internal infrastructure and manages it for the customer.
  • On-premise: Organizations create and manage the AWS KMS key themselves.

Field Encryptions for a given Sidecar must use an Encryption Key registered under the same management model as the Sidecar.