Enterprise Key Management for Microsoft 365

Enterprise Key Management allows you to use keys from your AWS KMS account to encrypt and decrypt your data.

Updated over a week ago

❗ Important

Enterprise Key Management is under controlled availability. To enable this feature for your account, contact Druva Support.


As part of cloud assets protection, Druva backs up customer data on Druva AWS instances, separating from source data. Historically, this data is encrypted using the Druva Key Management Service.

If your organizational policies require complete control over the encryption of the data backed up by Druva, Enterprise Key Management is the solution for you. With Enterprise Key Management, you can use keys from your AWS Key Management Service (KMS) account to encrypt and decrypt your data. It adds an extra layer of security to Druva's default encryption.

Enterprise Key Management is available upon request. This feature is also called Bring Your Own Key (BYOK).

Contact Druva Support to enable this feature for your account.

Supported Products

  • Microsoft 365

  • Google Workspace

  • Microsoft Entra ID (Roadmap for August 2024)

Supported Keys

  • Customers can host their keys in their own AWS Key Vault.

  • Customer keys hosted in non-AWS environments, including Microsoft Azure or Google Cloud, are not supported.


Enterprise Key Management provides the following security benefits:

  • Use the keys from your KMS account to encrypt and decrypt your data.

  • Easily manage your encryption keys within your AWS account: generate, revoke, rotate, and destroy them as needed.

  • Control access to data backed up by Druva.

  • Secure backed-up data.


Before enabling Enterprise Key Management for your account, take note of these critical considerations:

  • No turning back: Once you switch to Enterprise Key Management, you can't return to the default Cloud Key Management.


    When Switching Customer-Managed AWS KMS Keys

    During a transition to a new customer-managed AWS KMS key, do not deactivate the old customer-managed AWS KMS key until the new key has been fully integrated within the Druva Console. This ensures uninterrupted data access throughout the process.

  • Superior encryption: Enterprise Key Management takes precedence over Cloud Key Management. Enabling Enterprise Key Management will automatically disable Cloud Key Management for your account.


Before you start using Enterprise Key Management, make sure you have the following:

  • An AWS account with access to the Key Management Service (KMS) for managing customer master keys.

  • The Druva support team has activated your account's Enterprise Key Management configuration.
    Without this activation, you won't see the configuration fields on the Druva Console.

Supported Workflows

If the encryption key is revoked, the following workflows will fail:

  • Discovery

    • Org Apps - Manual or scheduled discovery for SharePoint, Teams, Groups, PublicFolder, and Teamdrive.

    • UserApps - Mapping configuration for AzureAD and GSuite, AzureAD sync, and Google user sync.

  • Workload Configuration

    • Discovered workloads cannot be configured for backup.

    • Workloads using E-key during configuration include Microsoft Teams, Microsoft Groups, SharePoint Online, Team Drive, and Public Folder.

  • Backup

    • Scheduled, manual, and bulk backups.

  • Downloads

    • Restore download, MDS download, PST and mBox download, PST URL download, UserPortal Download, and UserClient Download.

    📝 NOTE

    Legal hold (WebDAV) downloads are not supported; thus, they will not fail if the key is revoked.

  • Restore

    • In-place and restore as copy jobs are supported including Restore, Mds restore, UserPortal restore, and UserClient restore.

❗ Important

If an encryption key is used in a session and an operation has begun, and then the customer revokes access, any subsequent operations after the initial one will fail.

Enable Enterprise Key Management

Follow these steps to enable Enterprise Key Management for your organization:

Step 1: Copy Druva's AWS account ID from the Druva Console

Open the Druva console and navigate to Settings.

  1. Click Endpoints & SaaS Apps Settings.

  2. Copy your 12-digit Druva AWS account ID from the Enterprise Key Management section.

    Copy Druva's AWS account ID from the Druva Console
  3. Save this numeric value for the AWS KMS console.

Step 2: Get the key ARN from your AWS KMS account:

  1. Login to AWS KMS Console.

  2. Click Services in the menu, then search for KMS. The KMS page opens.

  3. Click Customer managed keys from the left pane. A list of managed keys is displayed.

  4. On the Key type page, click the Create key > Symmetric key.

  5. On the Add labels page, provide the key Alias used to identify the key and description, and click Next.

  6. Select one or more administrators who can control the key on the Key Administrators' page. The key administrator selected here can rotate and revoke the key you are about to generate.

  7. Select Allow key administrators to delete this key to enable the delete right for the administrators.

  8. On the next page, click Add another AWS account. A text box is displayed. This setting defines the account with which the AWS KMS must communicate to authenticate access to the backed-up data.

  9. Enter the 12-digit Druva AWS account ID copied from the Enterprise Key Management tab of the Druva Console.

  10. Click Next to review the key policy. The page displays the permissions available for the Druva account when it accesses the key during backups and restores.

  11. On the Review and edit key policy screen, type Allow under Allow use of the Key for Druva inSync.

  12. Click Finish. The new key is generated and displayed on the AWS KMS console.

  13. Click the key Alias on the console to view the key details. The General configuration details are displayed as below:

    The General configuration details are displayed as below:

  14. Copy the value displayed under ARN from the AWS KMS console. This key is required to enable the Enterprise Key Management on theDruva Console.

Step 3. Enable Enterprise Key Management from the Druva console

  1. From the settings page, go to Enterprise Key Management.

  2. Go to and select Enable Enterprise KeyManagement.The Enterprise key window appears.

  3. Copy the newly created AWS KMS key ARN into the Update KMS key ARN dialog box and click Next. The ARN is validated, and a confirmation message appears upon successful authentication.

  4. Click Save.

  5. Click Continue to review the legal terms and conditions for enabling Enterprise Key Management.

  6. Click Yes, I Agree. Enterprise Key Management gets enabled for your account.

  7. KMS key ARN is displayed on the Key Management tab, with External Cloud Key Management status as Enabled.

Update the Enterprise Encryption key

You may have to update the Enterprise Encryption key to comply with your organizational security policies. However, it is essential to note that you must keep the old and new encryption keys active in your AWS KMS service until you configure the new KMS key ARN on the Druva Console. This ensures all the required permissions are transferred from the old key to the new encryption key before the AWS KMS purges the old key.

To update the Enterprise Encryption key:

  1. Get the new KMS key ARN using the steps provided above.

  2. From the settings page, go to the Enterprise Key Management settings.

  3. Click Update KMS Key ARN.

  4. Copy the newly created KMS key ARN into the Update KMS key ARN dialog box and click Save. The KMS Key ARN, upon successful validation, is updated.

Did this answer your question?