You will need to authorize and grant access to your AWS Parameter Store to generate and manage the data encryption key (ekey). Once generated, the ekey is used to encrypt the user data that is then backed up to Druva Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store the users' ekey and has no access to the data.
Note
You will need to authorize encryption keys before you can enable Airgap Backup of your EC2 and EBS resources.
Add Authorization
To get started with ekey management:
Log into your management console and navigate to the Organization for which you wish to add Authorization. Click the gear icon on the top navigation bar.
Click Druva Cloud to be directed to the Storage and Encryption page.
On the Encryption tab, click Authorize.
Select the Account(s) you want to authorize the keys for, and click Next.
On the E-Key Settings tab, select the following:
Select the Parameter Store Name Prefix.
Note: The AWS Account ID will be appended to the prefix specified here. Once defined, the prefix cannot be modified.
Select the Primary Region. This is the AWS Region for which you wish to authorize the keys.
Optionally, you may select a Secondary Region as well, which will be used when the Primary Region is unavailable.
Select the Authorization check box to Authorize creation of the encryption keys for the selected Accounts.
Note
You must add at least one authorization within an Organization. The encryption keys created will be used as part of the backup encryption of all Accounts within the selected Organization. You can add multiple authorizations for other AWS Accounts.
Rotate Encryption Key
Rotation is the process of periodically updating a secret. When you rotate a secret, you update the credentials in both the secret and the database or service. You can periodically choose to rotate and update a new key within the Parameter Store.
Log into your management console and navigate to the Organization for which you wish to rotate keys. Click the gear icon on the top navigation bar.
Click Druva Cloud to be directed to the Storage and Encryption page.
Click Rotate Keys to rotate the secret and update credentials within the Parameter Store.
If you have multiple Authorizations defined, you may choose to Delete an authorization. Ensure that you have at least one authorization within an Organization.
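To confirm the outcome of the authorization and rotation steps from the AWS side, the following added example (not Druva's code) audits Parameter Store metadata in the Primary and Secondary Regions without ever reading the key value. It assumes the parameter name is the chosen prefix followed by the AWS Account ID, that the ekey is expected to be a SecureString, and a 90-day rotation window; the function names, the prefix `/example-ekey/` and the account ID `111122223333` are hypothetical.

```python
from datetime import datetime, timedelta, timezone

def fetch_parameters(prefix, region):
    """Read parameter metadata (never values) for names starting with prefix."""
    import boto3  # imported lazily so the audit logic runs without AWS access
    ssm = boto3.client("ssm", region_name=region)
    pages = ssm.get_paginator("describe_parameters").paginate(
        ParameterFilters=[{"Key": "Name", "Option": "BeginsWith", "Values": [prefix]}])
    return [p for page in pages for p in page["Parameters"]]

def audit_ekey(prefix, account_id, by_region, max_age_days=90, now=None):
    """Return (region, finding, detail) tuples.

    by_region maps a region name to a list of describe_parameters entries.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for region, params in by_region.items():
        # Assumption: the account ID is appended to the prefix, so the
        # parameter name starts with the prefix and ends with the account ID.
        mine = [p for p in params
                if p["Name"].startswith(prefix) and p["Name"].endswith(account_id)]
        if not mine:
            findings.append((region, "MISSING", account_id))
            continue
        for p in mine:
            # Assumption: a key held in Parameter Store should be a SecureString.
            if p["Type"] != "SecureString":
                findings.append((region, "NOT_SECURESTRING", p["Name"]))
            # Assumption: 90 days stands in for the page's "periodically".
            if now - p["LastModifiedDate"] > timedelta(days=max_age_days):
                findings.append((region, "ROTATION_OVERDUE", p["Name"]))
    return findings

# Constructed sample metadata in the shape describe_parameters returns.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "us-east-1": [{"Name": "/example-ekey/111122223333", "Type": "SecureString",
                   "LastModifiedDate": datetime(2024, 5, 20, tzinfo=timezone.utc)}],
    "us-west-2": [{"Name": "/example-ekey/111122223333", "Type": "String",
                   "LastModifiedDate": datetime(2023, 11, 1, tzinfo=timezone.utc)}],
    "eu-west-1": [],
}

if __name__ == "__main__":
    for finding in audit_ekey("/example-ekey/", "111122223333", SAMPLE, now=NOW):
        print(*finding)
```

Against a live account, build `by_region` with `fetch_parameters(prefix, region)` for each region you authorized; the caller needs only `ssm:DescribeParameters`, not permission to read or decrypt the parameter.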
Next steps
Once you authorize encryption to enable access to and manage your data encryption key (ekey), you may want to set up a backup policy to automate your data protection strategy and manage the backup schedules and retention. Once defined, backup policies can be executed across AWS accounts at the organization level and set to Active or disabled, depending on business requirements. For more information, see Set up backup policy for EC2 Airgap Backup.