β Important
Enterprise Key Management is under controlled availability. To enable this feature for your account, contact Druva Support.
Overview
If your organizational policies require you to have full control over the encryption of the data backed up by inSync, Enterprise Key Management is the option for you. With Enterprise Key Management, you can use keys generated from your own AWS Key Management Service (KMS) account to encrypt and decrypt the data backed up by Druva inSync. This provides an additional layer of encryption over and above Druva's default data encryption. This feature is also called Bring Your Own Key (BYOK).
Enterprise Key Management is available on request, hence contact Support to acquire this feature for your account.
Benefits
Enterprise Key Management offers the following security benefits:
Use keys from your own KMS account to encrypt and decrypt the data encryption key.
Generate, revoke, rotate, and destroy the encryption keys as and when required from AWS account.
Control access to data backed up by Druva inSync.
Secure backed-up data.
Supported Keys
Customers can host their keys in their own AWS Key Vault. This feature also supports all AWS-integrated third-party enterprise keys.
Customer keys hosted in non-AWS environments, including Microsoft Azure or Google Cloud, are not supported.
Considerations
Consider the following points before you enable this feature for your account:
Once Enterprise Key Management is enabled for your account, you cannot revert to default Cloud Key Management.
Enterprise Key Management encryption supersedes Cloud Key Management. Hence, Cloud Key Management gets disabled when Enterprise Key Management is enabled for your account.
Prerequisites
Ensure the following before you enable Enterprise Key Management:
AWS account with Key Management Service (KMS) access, to manage customer master keys
Support has activated the Enterprise Key Management configuration for your account. Without this activation, the configuration fields do not appear on the inSync Management Console.
Enable Enterprise Key Management
Follow these steps to enable Enterprise Key Management for your organization:
A. Copy Druva's AWS account ID from the inSync Management Console:
From the Endpoints console, go to Settings and navigate to the Enterprise Key Management settings.
Click the copy button to copy the 12-digit numeric value of Druva's AWS account ID. β
Save the numeric value to be used on the AWS Key Management Service (KMS) console.
B. Get the key ARN from your AWS KMS account:
Login to AWS KMS Console.
On the menu, click Services and search for KMS. The Key Management Service (KMS) page opens.
Click Customer Managed Keys from the left pane. A list of managed keys is displayed.
Click Create key and click the Symmetric key on the Key type page.
On the Add labels page, provide the key Alias, used to identify the key and description, and click Next.
On the Key Administrators' page, select one or more administrators who can control the key. The key administrator selected here can rotate, and revoke the key that you are about to generate.
Select Allow key administrators to delete this key to enable the delete right for the administrators.
On the next page, click Add another AWS account. A text box is displayed. This setting defines the account with which the AWS KMS must communicate to authenticate access to the backed-up data.
Enter the 12-digit Druva AWS account ID copied from the Enterprise Key Management tab of the Druva Console.
Click Next to review the key policy. The page displays the permissions available for the Druva account when it accesses the key during backups and restores.
On the Review and edit key policy screen, type Allow under Allow use of the Key for Druva inSync.
Click Finish. The new key is generated and displayed on the AWS KMS console.
Click the key Alias on the console to view the key details. The General configuration details are displayed as below: β
Copy the value displayed under ARN from the AWS KMS console. This key is required to enable the Enterprise Key Management on the inSync Management Console.
C. Enable Enterprise Key Management from the console:
From the settings page, go to Enterprise Key Management.
Go to and select Enable Enterprise Key Management. The Enterprise key window appears.
Copy the newly created AWS KMS key ARN into the Update KMS key ARN dialog box and click Next. The ARN is validated and upon successful authentication, a confirmation message appears.
Click Save.
Click Continue and review the legal terms and conditions of enabling Enterprise Key Management.
Click Yes, I Agree. Enterprise Key Management gets enabled for your account.
KMS key ARN is displayed on the Key Management tab, with External Cloud Key Management status as Enabled.
Update the Enterprise Encryption key
You may have to update the Enterprise Encryption key to comply with your organizational security policies. However, it is important to note that you must keep the old and new encryption keys active in your AWS KMS service until you configure the new KMS key ARN on the inSync Management Console. This ensures all the required permissions are transferred from the old key to the new encryption key before the old key is purged by the AWS KMS.
To update the Enterprise Encryption key:
Get the new KMS key ARN using the steps provided above.
From the settings page, go to the Enterprise Key Management settings.
Click Update KMS Key ARN.
Copy the newly created KMS key ARN into the Update KMS key ARN dialog box and click Save. The KMS Key ARN upon successful validation is updated.
π Note
After successfully enabling Enterprise Key Management, if the key is disabled in AWS KMS or the AWS account is disabled, the backup and restore will fail.