GitHub AE is currently under limited release. Please contact our Sales Team to find out more.

Configuring data encryption for your enterprise

For encryption at rest, you can provide your own encryption key to encrypt your data under your encryption policies.

In this article

Note: Configuring encryption at rest with a customer-managed key is currently in beta and subject to change.

About data encryption

To provide a high level of security, GitHub AE encrypts your data while at rest in the data centers and while your data is in transit between users' machines and the data centers.

For encryption in transit, GitHub AE uses Transport Layer Security (TLS). For encryption at rest, GitHub AE provides a default RSA key. After you've initialized your enterprise, you can choose to provide your own key instead. Your key should be a 2048 bit RSA private key in PEM format.

The key that you provide is stored in a FIPS 140-2 compliant hardware security module (HSM) in a key vault that GitHub manages.

To configure your encryption key, use the REST API. There are a number of API endpoints, for example to check the status of encryption, update your encryption key, and disable your encryption key. Note that disabling your key will freeze your enterprise. For more information about the API endpoints, see "Encryption at rest" in the REST API documentation.

Adding or updating an encryption key

You can add a new encryption key as often as you need. When you add a new key, the old key is discarded. Your enterprise won't experience downtime when you update the key.

Your 2048 bit RSA private key should be in PEM format, for example in a file called private-key.pem.

-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
  1. To add your key, use the PATCH /enterprise/encryption endpoint, replacing ~/private-key.pem with the path to your private key.

    curl -X PATCH http(s)://hostname/api/v3/enterprise/encryption \
      -d "{ \"key\": \"$(awk '{printf "%s\\n", $0}' ~/private-key.pem)\" }"
  2. Optionally, check the status of the update operation.

    curl -X GET http(s)://hostname/api/v3/enterprise/encryption/status/request_id

Disabling your encryption key

To freeze your enterprise, for example in the case of a breach, you can disable encryption at rest by marking your encryption key as disabled.

  1. To disable your key and encryption at rest, use the DELETE /enterprise/encryption endpoint. This operation does not delete the key permanently.

    curl -X DELETE http(s)://hostname/api/v3/enterprise/encryption
  2. Optionally, check the status of the delete operation. It takes approximately ten minutes to disable encryption at rest.

    curl -X GET http(s)://hostname/api/v3/enterprise/encryption/status/request_id

To unfreeze your enterprise after you've disabled your encryption key, contact support. For more information, see "About GitHub Enterprise Support."

Further reading

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.