          Set Up and Manage Bring Your Own Key for Recover (AWS)

          Set up, manage, and migrate Bring Your Own Key (BYOK) for enhanced data security in an AWS region.

          To replace or enable an AWS master encryption key, BYOK requires your:

          • Encrypted Encapsulated Key
          • Key Hash

          Encrypted Encapsulated Key Example:

          Kn9vCAvsxVgs1RKuU3iI/3Kbq9KNnd0iSlLvkF4+SQzgLyREP0LI3rRvSdSwL3uCXptChXrSQhHqih/ryVfOXLu/eUz+56miTfRyVzxmxSQw55cZIVJtTMQjtoEZRogI95+yQJuDz-PRuad2qKU0qkwSZ3110fjjx41Uu6zx8zSoagEcTd1reJK2xonn+aYp9CaRlPKn3sdvpJEif/+BwGgyUWh/u8s2UPbc5vXpW5Ft2I1Boy4BWAPygO7nECvp5zLimUm/Ra4bXiMDPSRGVk3ErTulVJrkqvj2TNh7d8+omUXz2vFR0LFVjwmABlqkuAg9SHXOUjm-XuW6eT2leXhw==

          Key Hash Example:

          eKbdd1mVMXnN2ePiSKsLHfkbnxK0PjDVqkWXy0IZAMc=

          Download the Own Public Key

          Once BYOK is enabled, it can't be disabled.

          Note

          For newly created accounts, you must wait at least 10 minutes before attempting to add BYOK, otherwise the validation check can fail.

          1. Log in to your Own account as the account owner.
          2. At the top right of the screen, click on your username.
          3. In the drop-down menu, select Account Settings.
          4. Select the Key Management tab.
          5. Click Set Up BYOK....
          6. In the dialog box that appears, click Download Public Key.

          Generate an Encrypted Encapsulated Key and Key Hash Using the Sample Script

          We provide a sample script that creates a random AES 256-bit master encryption key, hashes it, and encapsulates it, that is, encrypts it with our public key. The base64-encoded encapsulated master key and the base64-encoded SHA-256 hash are output for upload to our application. The script is available for Linux and macOS, and you can download it from the same place you previously downloaded the certificate.
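          The following is an added illustration of the three steps the sample script performs (random key, SHA-256 hash, encapsulation with the public key); it is not Own's script, and for a real upload you should use the script downloaded from the Key Management tab. It assumes the downloaded key file is a PEM public key or an X.509 certificate, and it assumes RSA-OAEP with SHA-256 for the encapsulation, which Own's script may not use.

```shell
#!/bin/sh
# Illustrative reconstruction of the sample script's steps (not Own's script).
# Assumptions: the key file is a PEM public key or X.509 certificate, and the
# encapsulation is RSA-OAEP (SHA-256). Use Own's script for real uploads.
set -eu

# byok_generate <public-key-or-cert> <output-dir>
# Writes master.key (32 raw random bytes, keep it private) and
# encrypted_secret.bin, and prints the base64 SHA-256 hash of the key.
byok_generate() {
  pub="$1"; out="${2:-.}"; pem="$out/own_pub.pem"

  # Accept either a bare public key or a certificate that contains one.
  if openssl x509 -in "$pub" -noout >/dev/null 2>&1; then
    openssl x509 -in "$pub" -pubkey -noout > "$pem"
  else
    cp "$pub" "$pem"
  fi

  # 1. Random 256-bit AES master key; restrict file permissions first.
  umask 077
  openssl rand -out "$out/master.key" 32

  # 2. Key hash: base64(SHA-256(raw key bytes)), as the upload form expects.
  hash=$(openssl dgst -sha256 -binary "$out/master.key" | openssl base64 -A)

  # 3. Encapsulate: encrypt the raw key with the public key (RSA-OAEP assumed).
  openssl pkeyutl -encrypt -pubin -inkey "$pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -in "$out/master.key" -out "$out/encrypted_secret.bin"

  printf 'Key Hash:\n%s\n' "$hash"
}

# Check helper (only possible with the matching private key, so for local
# testing): decrypt the blob and confirm its hash equals the submitted hash.
byok_verify() {
  priv="$1"; blob="$2"; expected="$3"
  got=$(openssl pkeyutl -decrypt -inkey "$priv" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in "$blob" \
    | openssl dgst -sha256 -binary | openssl base64 -A)
  [ "$got" = "$expected" ]
}
```

The hash in the example above is 44 base64 characters, which is exactly a 32-byte SHA-256 digest, so a value of any other length indicates the wrong file or encoding was hashed.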

          Note

          We can't be responsible for weak keys, keys generated on a compromised machine, or keys transferred through insecure media. All of these make the stored data less secure.

          1. Log in to your account as the account’s owner.
          2. At the top right of the screen, click on your email address.
          3. In the drop-down menu, select Account Settings.
          4. Select the Key Management tab.
          5. Click Set Up BYOK...
          6. In the dialog window that appears, click Download Public Key.
          7. Click either the MacOS or the Linux hyperlink (as needed) to download and run the sample script and generate the required information.

          Generate Key and Hash on MacOS

          Generate the key and hash on a Mac-based machine.

          1. Open the Terminal app and make the script file executable by running: chmod +x secretgen-macos.sh
          2. Run the script with sudo, passing the downloaded public key file as its argument: ./secretgen-macos.sh akm_aws_ob_public.key

          Generate Key and Hash on Linux OS

          Generate the key and hash on a Windows-based machine by running the Linux script under Git Bash.

          1. Download GIT for Windows from https://git-scm.com/downloads/win.
          2. Install GIT on Windows using the installation wizard. Choose the default in all the steps.
            It's important to select the OpenSSL library.
          3. Once GIT is installed, open the git-bash application.
          4. In the git-bash terminal, make the script file executable by running: chmod +x secretgen-linux.sh
          5. Navigate to the directory where the two downloaded files are located (the sample script and relevant .crt).
          6. In git-bash, launch the script. Make sure to prefix the script name with ./ and pass the .crt target as the argument, for example: ./secretgen-linux.sh akm_aws_ob_public.key

          Upload the Encrypted Encapsulated Key and Key Hash

          1. After running the script, the terminal app generates the key and key hash. The key file is saved as encrypted_secret.bin, while the key hash appears in the displayed output, similar to the following:

            Key Hash:

            eKbdd1mVMXnN2ePiSKsLHfkbnxK0PjDVqkWXy0IZAMc=
          2. Sign in to your account as the account’s owner.
          3. At the top right of the screen, click on your email address.
          4. In the drop-down menu, select Account Settings.
          5. Select the Key Management tab.
          6. Click Set Up BYOK.... The Bring Your Own Key dialog window appears.
          7. Click Browse... next to the Wrapped Encryption Key field. Select and upload the encrypted_secret.bin key file generated by the script.
          8. Copy the text string under the Key Hash line from the terminal app, and paste it into the Key Hash field in the dialog window.
          9. Click Validate Key.

            For newly created accounts, you must wait at least 10 minutes before attempting to add BYOK, otherwise the validation check can fail.

            If the key is valid, a Completed Successfully message appears in the dialog window.

          10. Click Activate.
          11. Your key should appear in the table in the resource creation status.
            After clicking Activate, your Own account data is moved to a newly created volume/bucket encrypted with that AES 256-bit master encryption key. Jobs and backups that were in progress might be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you'll receive a notification email. Allow additional time for any migration of historical data, depending on the amount of data per account.

          Rotate the Master Encryption Key

          1. To rotate the master encryption key, navigate to the Key Management tab, click the three dots menu, then Rotate.
          2. Repeat the upload steps with the new Encrypted Encapsulated Key and Key Hash.

          Revoke an Active Master Encryption Key

          When revoking a master encryption key, all access to data is immediately blocked, running backups and jobs will fail to complete, and future backups won't happen. More importantly, all data will be rendered inaccessible permanently.

          1. Log in to your Own account as the account owner.
          2. At the top right of the screen, click on your email address.
          3. In the drop-down menu, select Account Settings.
          4. Select the Key Management tab.
          5. Click the three dots menu, then Revoke (delete permanently).
            A dialog window appears.
          6. To confirm the revocation, manually type the word "revoke" in the text field and click Revoke.
            The Key Management screen displays the information that the key has been revoked.

          Migrate from BYOK to BYOKMS

          With Bring Your Own Key Management Service (BYOKMS), you maintain full control over your keys within your own key management service. You simply provide Own with a key ID and an alias to encrypt your data. This approach ensures that Own can create an encrypted bucket using your key without ever handling, accessing, or exposing the actual key.

          The length of the migration process depends on the amount of data you have backed up and can take several weeks. Once the switch has started, it can't be stopped.

          All data is still accessible and encrypted throughout the migration process.

          Note

          Migration can only be done 48 hours after BYOK was activated.

          1. Sign in to your account as the account’s owner.
          2. At the top right of the screen, click on your email address.
          3. In the drop-down menu, select Account Settings.
          4. Select the Key Management tab.
          5. Click the three dots menu, then Switch to BYOKMS.
            A warning message will appear.
          6. Accept and click Switch. The key will be in Activating... status in the table.