Slack Enterprise Key Management
Slack Enterprise Key Management (EKM) is a security add-on for the Enterprise Grid and GovSlack plans you can use to control and get visibility into how your organization’s data is accessed in Slack.
What to expect
- Use your own encryption keys (stored in Amazon's Key Management Service) to encrypt messages and files.
- To minimize disruption for members of your organization, you can revoke granular access to encryption keys.
- Org members can use Slack as normal, even if some data has restricted access.
- With data residency for Slack, new EKM customers can choose to create and store encryption keys in a specific data region.
How Slack EKM works
Data encrypted with customer-controlled keys
The following categories of customer data will be encrypted at rest with keys stored in the customer’s AWS account:
- Messages, canvases, and snippets
- Files (ex., images, docs, clips, etc.) uploaded to the Slack Service
- Search index of Customer Data
- Messages and files generated by apps or bots (except Slackbot)
- Sidebar custom sections
- Any data collected by an app deployed to Slack's managed infrastructure, as well as the app's datastores, developer secrets, and logs
Data encrypted with Slack-controlled keys
The following categories of data may be encrypted at rest with keys generated and stored by Slack:
- Slack member profiles, including custom statuses
- Channel names, topics, descriptions, and bookmarks
- File names
- Workspace and channel membership information
- Slackbot messages
- Data used to measure seat count, usage, and revenue
- Data used for analytics and to measure quality of service, ex. sanitized logs
- IDs generated by Slack on behalf of the customer
Note: When you enroll in EKM, any existing data will be encrypted with customer-controlled keys.
If external organizations are working together in Slack Connect, the shared contents are covered by EKM in the following ways:
- Each organization’s messages will be encrypted with their EKM keys, if applicable.
- The search index for Slack Connect channels with be duplicated and encrypted with each customer’s EKM keys.
- If an organization is removed from a Slack Connect channel, they'll retain an archived copy if they have permission to post, invite, and more.
Ready to learn more? Contact our Sales team to get started.
Who can use this feature?
Org Owners and Org Admins
- Available for the Enterprise Grid plan