Overview
In order to initiate the scheduled backup of any SaaS Apps data, inSync requires access to the data encryption key (ekey). The ekey is used to encrypt user data when it is backed up to the inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store the ekey of the users and has no access to the data.
By default, inSync requires you to enable the Cloud Key Management feature from the inSync Management Console. This feature is a secure method for backing up SaaS Apps data.
The Cloud Key Management feature utilizes the AWS Cloud Key Management System (AWS KMS) to generate the Data Key. The Data Key is then used to encrypt the ekey. The encrypted-ekey is then stored in the inSync Cloud. During the scheduled SaaS Apps backup, the encrypted-ekey in combination with the Data Key is utilized to source the ekey. This ekey is then utilized to complete the backup.
If your organizational policies require complete control over the encryption of the data backed up by Druva, Enterprise Key Management is the solution for you. With Enterprise Key Management, you can use keys from your AWS Key Management Service (KMS) account to encrypt and decrypt your data. It adds an extra layer of security to Druva's default encryption.
Enterprise Key Management is available upon request. This feature is also called Bring Your Own Key (BYOK). To learn more, see Enterprise Key Management.
π Note
The Data Key is rotated every three months from the date the Cloud Key Management feature is enabled for your account.
β Important
Once the Cloud Key Management feature is enabled, the feature cannot be disabled from the inSync Management Console.
Druva does not store the ekey of the users and has no access to the data.
The AWS KMS is an encryption and ekey management web service. Druva utilizes AWS KMS services to provide its inSync Customers the feature to encrypt and decrypt the SaaS Apps data through a secure ekey management system. The AWS KMS provides the following benefits:
Fully Managed - Provides a fully managed service and features scalability to meet the requirements of the encryption keys which are used to encrypt your data.
Data encryption - Creates and manages a unique data key for encryption of the data before storage.
Compliance - Certified security and quality controls.
To know more about the AWS KMS benefits, see AWS Cloud Key Management System .
Prerequisites
Submit a request to Support asking them to activate the Cloud Key Management feature for your account.
Post confirmation from the Druva Support team, perform the following procedure to enable the Cloud Key Management feature in the inSync Management Console.
Configure Cloud Key Management
Before you begin, ensure:
You have received the confirmation email from Support about activation of the Cloud Key Management feature for your account.
You are logged on to inSync either as a Cloud administrator or you are managing the SaaS Apps users and groups from your administrator account.
Procedure
On the Endpoints/SaaS Apps console, click and select Endpoints & SaaS Apps Settings.
Go to the Key Management tab and click edit .
Select the Enable Cloud Key Management feature checkbox to click save.
β Important
Once you enable the Cloud Key Management from the inSync Management Console, you cannot disable it.
Next Step
Configure and integrate inSync with the SaaS Apps based on your organization's requirements.