Encryption – Quickbase Help

ZenTarget.4.log-1799136965.zip
20 KB Download

Your designated Quickbase realm administrator configures the data security features within your realm, including Encryption settings.

Customer data protection

Quickbase protects and encrypts customer data for all plans.

Quickbase protects data at rest using envelope encryption with AES-256 encryption keys. Each app receives a unique data key, which is used to encrypt the app and its data at rest. The master key is then used to encrypt the data key. Quickbase never stores unencrypted data to disk.
Quickbase encrypts data in transit using SSL/TLS.

By default, Quickbase uses a global master key, which is shared among multiple realms and never leaves the key management service (KMS).

Advanced Data Encryption

Access to this feature can change based on your Quickbase plan. Learn more about feature availability and plans in Quickbase capabilities.

You can use Advanced Data Encryption to encrypt data at rest using an encryption key that you can rotate on your own schedule. It uses your encryption key and is hosted by Quickbase, but it is managed on your own schedule. See the key rotation guidelines for best practices.

To enable this feature, contact your account team.

Key rotation guidelines

Quickbase suggests the following guidelines for security key rotation.

Basic rotation flow

You add a new default Quickbase Realm key
Any new apps created will start using the new Quickbase Realm key and old apps remain using the old key. Can be manually rotated with the customer opening a support ticket

Manually rotate your realm-specific master key on your schedule

If realm-specific master keys are enabled for your realm, click Encryption to open the Encryption page.
To rotate your master key to replace it with a new master key, click Create New Encryption Key. Quickbase updates the table to show your new key as the current master key.

Your key options

You can use these keys:

a Quickbase realm-specific key
an AWS hosted key
an Azure hosted key

These keys are cryptographically generated by Quickbase, AWS, or Azure.

Setting up auto-rotate with your AWS hosted key

You can use the AWS automatic key rotation feature for an AWS Key Management Service (AWS KMS) which generates new cryptographic material for the KMS key every year. For more information see Rotating AWS KMS keys.

AWS automatic key rotation adds a new default
Quickbase is not informed of this change
Your old app keys are not automatically re-encrypted, nor is there a way to manually do it
Only newly created apps will be encrypted with the new “real” key

If you do not wish to use AWS's automatic key rotation, and you create a new key manually, please open a Quickbase support ticket to manually re-encrypt old apps.

Important: If you delete the old key before the new apps are encrypted, your data will be irrevocably lost.

Setting up automated key rotation in Azure hosted key

You can use the automated key rotation in Azure Key Vault feature which generates a new cryptographic key. See Configure cryptographic key auto-rotation in Azure Key Vault for more information.

Automatic key rotation adds a new default
Quickbase is not informed of this change
Your old app keys are not automatically re-encrypted, nor is there a way to manually do it
Only newly created apps will be encrypted with the new “real” key

If you do not wish to use Azure's automatic key rotation, and you create a new key manually, please open a Quickbase support ticket to manually re-encrypt old apps.