Document Understanding
Document Understanding User Guide for Modern Experience
Last updated Jun 20, 2024

Customer-Managed Keys


Customer-Managed Keys (CMKs) meld security control with operational flexibility, a dedicated architecture if you want complete authority over your encryption keys. If you have full ownership of these keys, CMKs defend data contained in Software as a Service (SaaS) applications without compromising utility or convenience.

Note: For more information on encryption, check the Encryption page from the Automation CloudTM Admin Guide.

How does it work?

CMKs are designed around two primary needs. The first is to provide tenant-level encryption. This means you decide which of your stored data to encrypt, be it all or just parts of it.

The second is key management sovereignty. The master encryption key is yours to control, along with any additional decryption keys. Monitoring key access, how they're used, even the ability to revoke them at any point, are all under your command.

What does it solve?

The CMK architecture builds a secure barrier between client data and tenant service. By granting you control over key access and usage, your data remains shielded even if a breach of service is encountered. Simply revoke your keys, and any associated data artifacts are immediately inaccessible.

CMKs can also be a solution to adherence to complex, compliance-driven key management policies. Regular change in keys is key in information security. CMKs let you manage your rotation policies. This service also allows you to closely monitor your keys, making sure you're aware of any unsanctioned uses or attempts right when they happen.

Using Customer-Managed Keys

Tailored to keep your data secure, our CMKs provide you with full control of the encryption keys that protect your stored data. This page helps you enable CMKs in your tenant.

What are the requirements?

To make use of this function, you'll need to have a few prerequisites in place:
  • You must have an account on the Advanced tier of our platform. For mor information, check the About Licensing page from the Automation CloudTM Admin Guide.
  • You must specify your requirement for CMKs for Document Understanding.
  • Your keys must be configured and stored in Azure KeyVault.
Important: To enable CMK, it's essential that your tenant doesn't have data in Document Manager. Otherwise, you'll need to export the data from Document Manager. Any existing data left in Document Manager will become unusable.

How do I enable CMKs?

Follow these instructions to enable CMKs in your tenant:

  1. Submit a support ticket via the UiPath support channels with the request for Customer Managed Keys for Document Understanding. Make sure to add the tenant ID for the tenant you want encrypted with the CMK feature.
  2. After submitting the request, our Product Support team will enable CMKs on your tenant and update you through your request.
  3. Once enabled, you will be able to manage your key in the Encryption section found under Security Settings in your admin panel.

What are the implications?

Keep in mind that once CMKs are enabled, the following implications apply:
  • Customer data: All your data will be encrypted at both hardware and application layers. Existing data on that tenant is still accessible, but will be encrypted using only the UiPath key.
  • Data decryption: The decryption process will require UiPath support, ensuring your data remains secure. Even UiPath engineers, including those in Product Support, will not have access to this data.
  • Feature limitation: CMK activation will bring changes to some Document Understanding features. Full-text search will be disabled in Document Manager for Build and Monitor, and images won't be saved by the Metering service.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.