Enterprise Key Management for Microsoft Dynamics 365

This article provides information on how to use keys from your AWS KMS account to encrypt and decrypt your data.


📝 NOTE

The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact support.


Overview

As part of cloud asset protection, Druva backs up customer data on Druva AWS instances, separating it from source data. Historically, this data has been encrypted using the Druva Key Management Service.

If your organizational policies require complete control over the encryption of the data backed up by Druva, you can opt for Enterprise Key Management. With Enterprise Key Management, you can use keys from your AWS Key Management Service (KMS) account to encrypt and decrypt your data. It adds an extra layer of security to Druva's default encryption.


❗ Important

Enterprise Key Management, also known as Bring Your Own Keys (BYOK), is available on a controlled availability basis and can be enabled upon request. To activate this feature for your account, please reach out to support.


Supported Keys

  • Customers can host their keys in their own AWS Key Vault. This feature also supports all AWS-integrated third-party enterprise keys.

  • Customer keys hosted in non-AWS environments, including Microsoft Azure or Google Cloud, are not supported.

Benefits

Enterprise Key Management provides the following security benefits:

  • Use the keys from your KMS account to encrypt and decrypt your data.

  • Easily manage your encryption keys within your AWS account: generate, revoke, rotate, and destroy them as needed.

  • Control access to data backed up by Druva.

  • Secure backed-up data.

Considerations

Before enabling Enterprise Key Management for your account, take note of these critical considerations:

  • No turning back: Once you switch to Enterprise Key Management, you can't return to the default Cloud Key Management.


    ❗ Important: When switching customer-managed AWS KMS keys
    During a transition to a new customer-managed AWS KMS key, do not deactivate the old customer-managed AWS KMS key until the new key has been fully integrated in the Druva Console. This ensures uninterrupted data access throughout the process.


  • Superior encryption: Enterprise Key Management takes precedence over Cloud Key Management. Enabling Enterprise Key Management will automatically disable Cloud Key Management for your account.

Prerequisites

Before you start using Enterprise Key Management, make sure you have the following:

  • An AWS account with access to the Key Management Service (KMS) for managing customer master keys.

  • The Druva support team has activated your account's Enterprise Key Management configuration.
    Without this activation, you won't see the configuration fields on the Druva Console.

Supported Workflows

These workflows can use your key to encrypt or decrypt your data when Druva runs them:

  • Backups: Scheduled and manual backups.

  • Restores: In-place and Sandbox restore of your Microsoft Dynamics 365 entities to your account.

  • Downloads: Download the data to a device such as a laptop or a desktop.


❗ Important

If you revoke Druva's access to the encryption key, all subsequent backups, restores, and downloads fail.


Enable Enterprise Key Management

Follow these steps to enable Enterprise Key Management for your organization:

Step 1: Copy Druva's AWS account ID from the Druva Console

Open the Druva console and navigate to Settings.

  1. Click Endpoints & SaaS Apps Settings.

  2. Copy your 12-digit Druva AWS account ID from the Enterprise Key Management section.


  3. Keep this numeric value at hand; you will enter it in the AWS KMS console.

Step 2: Get the key ARN from your AWS KMS account

  1. Log in to the AWS console.

  2. Click Services in the menu, then search for KMS. The KMS page opens.

  3. Click Customer managed keys from the left pane. A list of managed keys is displayed.

  4. Click Create key, and on the Key type page select Symmetric.

  5. On the Add labels page, provide an Alias to identify the key and a description, and click Next.

  6. On the Key administrators page, select one or more administrators who can control the key. The key administrators selected here can rotate and revoke the key you are about to generate.

  7. Select Allow key administrators to delete this key to enable the delete right for the administrators.

  8. On the next page, click Add another AWS account. A text box is displayed. This setting defines the external AWS account that AWS KMS allows to use the key when accessing the backed-up data.

  9. Enter the 12-digit Druva AWS account ID copied from the Enterprise Key Management tab of the Druva Console.

  10. Click Next to review the key policy. The page displays the permissions available for the Druva account when it accesses the key during backups and restores.

  11. On the Review and edit key policy screen, type Allow under Allow use of the Key for Druva inSync.

  12. Click Finish. The new key is generated and displayed on the AWS KMS console.

  13. Click the key Alias on the console to view the key details. The General configuration details are displayed as below:


  14. Copy the value displayed under ARN from the AWS KMS console. This key ARN is required to enable Enterprise Key Management on the Druva Console.

Step 3: Enable Enterprise Key Management from the Druva console

  1. From the settings page, go to Enterprise Key Management.

  2. Select Enable Enterprise Key Management. The Enterprise key window appears.

  3. Copy the newly created AWS KMS key ARN into the Update KMS key ARN dialog box and click Next. The ARN is validated, and a confirmation message appears upon successful authentication.

  4. Click Save.

  5. Click Continue to review the legal terms and conditions for enabling Enterprise Key Management.

  6. Click Yes, I Agree. Enterprise Key Management gets enabled for your account.

  7. The KMS key ARN is displayed on the Key Management tab, with the External Cloud Key Management status shown as Enabled.
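The key policy that the AWS KMS wizard writes in Step 2 when you use Add another AWS account, and the key-ARN check the Druva Console performs in Step 3, are easier to reason about in code. The following Python is an added example, not Druva's code and not an AWS API; the account IDs, region and key ID it uses are constructed placeholders, and the policy statements mirror the standard cross-account statements AWS KMS generates.

```python
import re

# Constructed placeholder account IDs; replace with your AWS account and the Druva ID from Step 1.
OWNER_ACCOUNT = "111111111111"
DRUVA_ACCOUNT = "123456789012"

KEY_ARN_RE = re.compile(  # arn:<partition>:kms:<region>:<12-digit account>:key/<key UUID>
    r"^arn:aws(?:-[a-z]+)*:kms:([a-z]{2}(?:-[a-z]+)+-\d):(\d{12}):key/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

def parse_key_arn(arn: str) -> dict:
    """Accept only a key ARN (what Step 3 asks for); alias ARNs and bare key IDs are rejected."""
    m = KEY_ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return dict(zip(("region", "account", "key_id"), m.groups()))

def build_key_policy(owner_account: str, external_account: str) -> dict:
    """Policy equivalent to the wizard's 'Add another AWS account': the owner keeps full
    control; the external (Druva) account may only use the key and manage grants for AWS
    resources. Removing the use statement is what makes later backups and restores fail."""
    for acct in (owner_account, external_account):
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"account ID must be 12 digits: {acct!r}")
    ext = f"arn:aws:iam::{external_account}:root"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ext}, "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": ext}, "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}

def accounts_allowed_to_decrypt(policy: dict) -> set:
    """Audit helper: account IDs (or '*') that an Allow statement permits to call kms:Decrypt."""
    found = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or not any(a in ("kms:*", "kms:Decrypt") for a in actions):
            continue
        principal = st["Principal"]
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            found.add("*" if p == "*" else p.split(":")[4])
    return found
```

Running `accounts_allowed_to_decrypt` against the live key policy (for example, the JSON from `aws kms get-key-policy`) is a quick way to confirm that only your account and the Druva account ID from Step 1 can use the key.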

Updating the Enterprise Encryption key

You may have to update the Enterprise Encryption key to comply with your organizational security policies. Note that you must keep both the old and the new encryption keys active in your AWS KMS service until you configure the new KMS key ARN on the Druva Console. This ensures that all required permissions are transferred from the old key to the new key before AWS KMS purges the old key.

To update the Enterprise Encryption key:

  1. Get the new KMS key ARN using the steps provided above.

  2. From the settings page, go to the Enterprise Key Management settings.

  3. Click Update KMS Key ARN.

  4. Paste the newly created KMS key ARN into the Update KMS key ARN dialog box and click Save. Upon successful validation, the KMS key ARN is updated.
