Bring Your Own Key Encryption

The Bring Your Own Key (BYOK) feature in Magnit VMS allows a client organization's data to be encrypted while the client retains custody of the encryption key and controls the encryption process. Sensitive data fields in the application's database are encrypted. The encryption covers 48 data fields that may contain personal data for candidates, workers, managers, engagements and client organizations.

Once the feature is enabled at the parent level, the encryption is applied to all operational and business units configured in the client organization. The bulk encryption/decryption is performed by the system according to the following schedule:
  • 8:00 PM - 8:00 AM CET for EU Magnit VMS
  • 6:00 PM - 8:00 AM PT for US Magnit VMS

The system uses AES (Advanced Encryption Standard, ISO/IEC 18033-3) with either an AES-256 or an AES-192 key. A key can be generated by the system or entered by a user, and it may also be uploaded as a file that has been encrypted with a Magnit public key.

It is important to note that enabling encryption affects the Reporting module in the VMS. Once enabled, only reports that support the reading of encrypted fields in the database are visible to users. See Reporting.

A BYOK Admin user role within the client organization is required to manage the encryption details once the feature is enabled. This admin role has access to a control panel within the Manager view that allows the user to create, modify, or revoke the key value that the system uses to encrypt the data. This role must be applied separately to a manager user during the feature setup.
Note: Client managers with the BYOK Admin role are required to complete the 2-Step verification workflow every time that they log in. This requirement applies to client organizations that use SSO integrations.

The administrator role is applied to client manager users during user creation, or set later in the user's account information. A list of BYOK administrators appears in the BYOK configuration for the client organization (Configuration > Security > BYOK). For more information about the BYOK Admin role, see Client User Permissions.

In addition to the native sensitive fields shown in the user interface, you can also apply encryption to a client organization's custom fields using this feature. Only custom fields created after the feature is enabled can be encrypted. For more information about custom field encryption, see Add Custom Fields.

The encryption does not include passwords, security answers, or supplier banking information. An administrator can rotate a key value as needed, or remove a key value with or without first decrypting the data. If an administrator revokes a key value without selecting the decryption option, any native or custom fields that were previously encrypted remain encrypted in the user interface. See Rotate Encryption Key and Revoke Encryption Key.

The system sends email notifications to BYOK administrators when actions are taken within the feature (for example, key changes). See Encryption Notifications.