Wrike Lock

Enterprise and Wrike for Marketers Enterprise accounts can purchase Wrike Lock as an add-on.

• Overview
• Important Information
• Benefits of Using Wrike Lock
• Set Up Wrike Lock with AWS KMS
• Emergency Recovery

Overview

By default, Wrike Workspace data and attachments are protected by a foundational encryption; however, Wrike Lock provides an additional layer of encryption. It encrypts the keys to your encrypted Wrike data with a master encryption key that is stored with Amazon Web Services’ Key Management Service (AWS KMS), thereby allowing you to take control of access to your data. The master encryption key is owned and managed by you and resides outside of Wrike.

Important Information

• You need an AWS KMS account to use Wrike Lock.
• It is possible to create emergency recovery keys which can be used to decrypt an account if the encryption key or access to AWS KMS is lost.
• All Wrike Workspace data (including Tasks, Folders, Projects, workflows, comments, and attachments) is encrypted.

Benefits of Using Wrike Lock

• Control over your data even though it’s in the cloud. You can monitor, grant, and revoke access to your encryption/decryption master key using the AWS console.
• An additional layer of encryption. Both your data and keys to it are encrypted.

Set Up Wrike Lock with AWS KMS

Step 1: Grant Wrike Access to the Key in Amazon KMS

1. Create an encryption key in one of the following regions:
   • us-east-1
   • us-east-2
   • us-west-1
   • us-west-2
   • eu-west-1
   • eu-central-1
   • eu-west-2
   • eu-west-3
2. Copy the key’s Amazon Resource Name and save it somewhere.

Step 2: Generate Emergency Recovery Keys (Optional)

1. Generate an asymmetric RSA key pair and export the public key in DER format encoded with a Base64 encoding. The recommended key length is 2048 bit or higher.
   Sample commands (Linux/Unix/Mac OS):
   > openssl genrsa -des3 -out wrike-recovery.pem 2048.
   > openssl rsa -in wrike-recovery.pem -pubout -outform DER | base64 >wrike-recovery.der
2. Securely store the emergency recovery key somewhere safe. You can use HSM to store the key. Your private key will never be available to Wrike.
3. Copy the public key in DER format and save it somewhere.

Step 3: Encrypt Your Wrike Data

1. Contact our Support Team and let us know that you want to enable encryption for your account. Provide:
   • The key’s ARN you obtained at Step 1.
   • (if you generated emergency recovery keys at Step 2) The public emergency recovery key in DER format.
2. Our Support team will provide you with a Wrike’s AWS Account ID. Grant that Account ID access to the key.
3. We will help you choose the best time for the encryption to take place and will encrypt your account data. 

Emergency Recovery

If your master encryption key is lost or is not accessible, contact us.