Customers can further protect sensitive data by encrypting particular fields during the Xplenty transformation process using their AWS Key Management Service (KMS) to securely store and manage the encryption keys. Xplenty calls the customer’s KMS for a data key as needed, and then uses this data key to generate the encrypted message (containing the ciphertext and the encrypted data key).
Symmetric Key Envelope Encryption
Reference: How the AWS Encryption SDK Works.
Create an AWS KMS Customer-Managed Encryption Key
Create a KMS customer master key for Xplenty encryption and decryption following this AWS guide.
Add Xplenty’s AWS Account to the Customer Managed Key

b. Specify Xplenty’s AWS account number: 099517174445
in the KMS Key Administrators page. This gives Xplenty permission to call your KMS for this customer-managed key’s data key. The KMS key policy can give further fine-grain control of Xplenty’s permissions, as an example, Xplenty might be given permission to encrypt data but never decrypt data (by removing “kms:Decrypt”
from the key policy actions).
c. Store your key’s ARN from the KMS customer-managed keys page as this will be needed later when calling Xplenty’s Encrypt and Decrypt functions.
Xplenty Encrypt Function
Configure a package in Xplenty and add a “Select” component. This will allow you to use Encrypt/Decrypt functions in your package.
Encrypt example with a custom encryption context
Encrypt example without a custom encryption context (not recommended)
Xplenty Decrypt Function
Decrypt function works in the same way through an Xplenty Select component in a package.