Important
The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact Support.
You will need to authorize and grant access to your AWS Parameter Store to generate and manage the data encryption key (ekey). Once generated, the ekey is used to encrypt the user data that is then backed up to the Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store the users' ekey and has no access to the data.
Note
You will need to authorize encryption keys before you can enable Airgap Backup of your Amazon Elastic File Systems.
Add Authorization
To get started with ekey management:
Log in to your management console and navigate to the Organization for which you wish to add Authorization. Click the gear icon on the top navigation bar.
Click Druva Cloud to be directed to the Storage and Encryption page.
On the Encryption tab, click Authorize.
Select the Account(s) you want to authorize the keys for, and click Next.
On the E-Key Settings tab, select the following:
Parameter Store Name Prefix.
Note: The AWS Account ID will be appended to the prefix specified here. Once defined, the prefix cannot be modified.
Primary Region: This is the AWS Region for which you wish to authorize the keys.
Secondary Region (optional): Select the secondary region. During backup of the account, if the string is not present in the primary region, the secondary region will be accessed.
Authorization: Authorize creation of the encryption keys for the selected Accounts.
Click Save. The key is created.
Click Rotate Keys to replace your current encryption key with a new one. This security measure limits the risk of a compromised key and shortens the window of time an attacker has to access your data. Click Delete to remove a key.
Note
You must add at least one authorization within an Organization. The encryption keys created will be used as part of the backup encryption of all Accounts within the selected Organization. You can add multiple authorizations for other AWS Accounts.
Rotate Encryption Key
Rotation is the process of periodically updating a secret. When you rotate a secret, you update the credentials in both the secret and the database or service. You can periodically choose to rotate and update a new key within the Parameter Store.
Log in to your management console and navigate to the Organization for which you wish to rotate keys.
Click the gear icon on the top navigation bar.
Click Druva Cloud to be directed to the Storage and Encryption page.
Click Rotate Keys to rotate the secret and update credentials within the Parameter Store.
Note
If you have multiple Authorizations defined, you may choose to Delete an authorization. Ensure that you have at least one authorization within an Organization.
Next steps
Once you authorize encryption to enable access to and manage your data encryption key (ekey), you can configure your backup set and set up a backup policy to automate your data protection strategy and manage the backup schedules and retention. For more information, see Configure backup sets for EFS resources.
