Bring Your Own Key Vault for Backup & Recover
Install the enterprise application to store your data using your Azure Key Vault. This gives you sole access and management capabilities of the key used to encrypt the storage account where your data is stored. Bring Your Own Key Vault (BYOKV) is an enhancement to Bring Your Own Key (BYOK).
By default, we manage keys and secrets required to encrypt and decrypt the stored objects. However, if you need more control over these keys: Importing, revoking, rotating, etc. you can configure to use a Key Vault under your Azure account.
Once BYOKV is enabled, it can't be disabled.
In order to encrypt the storage account with an encryption key managed in your Key Vault, the Own Enterprise application must be installed in your Azure account and granted a role to use the key.
The application ID is: f5dc00c6-8d8e-44b0-a813-bd92dc9624b5
To install the Own Enterprise application run an az ad sp create command in Azure CLI.
az ad sp create --id f5dc00c6-8d8e-44b0-a813-bd92dc9624b5
Create a Key Vault and Key
Create a key vault and key in Microsoft Azure.
For information on creating key vaults and keys, refer to the Azure documentation on Configuring cross-tenant customer-managed keys.
- Create a Key Vault:
- Log into your Azure account and navigate to Key vaults.
- Click Create.
- Complete the Project details. The region you select does not need to match the region of your Own account.
When creating your key vault, the most important step in this process is to enable the Purge Protection setting.
- Click Next.
- Under Permission model, select Azure role-based access control.
- Click Review + create.
- To create a Key in your Azure Key Vault:
- On the Key Vault properties page, select Keys.
- Select Generate/Import.
- On the Create a key screen, specify a name for the key.
If you restrict access to the key vault with an IP allowlist, open the key vault's Networking settings and, under the Exception section, enable Allow trusted Microsoft services to bypass this firewall.
Grant the Enterprise Application a Role
By default, new key vaults use Azure role-based access control (RBAC) as their permission model. This is Microsoft's recommended permission model, and the steps below assume it is the permission model of your key vault.
If you have not yet created the key vault and key you intend to use for your Own data, you first need to create them.
- Select the key vault you intend to use.
- Click Access control (IAM).
- Open the Role assignments tab.
- Click Add.
- Select Key Vault Crypto Service Encryption User from the list of Job function roles. Click Next.
- Click Select Members. In the Select search field, search for the Own Enterprise application. Click on it. It will appear in the Selected members area beneath the search field. Click Select. It will appear in the Members list.
- Click Review + assign.
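The steps above (installing the Own Enterprise application, creating a purge-protected, RBAC-enabled key vault and key, allowing trusted Microsoft services through the vault firewall, and granting the application the Key Vault Crypto Service Encryption User role) can also be done from the Azure CLI. The script below is an added example, not Own's own tooling or anything from the original page; the application ID is the one given above, while the resource group, vault, key and region names are assumed placeholders. It defaults to a dry run that only prints the commands; set DRY_RUN=0 and BYOKV_RUN=1 to execute them, after which it reads the vault settings back and fails if purge protection, RBAC or the trusted-services bypass is not in place.

```shell
#!/usr/bin/env bash
# Added example (not Own's tooling): provisions the Key Vault, key and role
# assignment for BYOKV with the Azure CLI. All names except OWN_APP_ID are assumed.
set -eu

OWN_APP_ID="f5dc00c6-8d8e-44b0-a813-bd92dc9624b5"   # Own Enterprise application (from the page)
RESOURCE_GROUP="${RESOURCE_GROUP:-own-byokv-rg}"      # assumed name
VAULT_NAME="${VAULT_NAME:-own-byokv-kv}"              # assumed name; must be globally unique
KEY_NAME="${KEY_NAME:-own-backup-key}"                # assumed name
LOCATION="${LOCATION:-eastus}"                        # any region; not tied to your Own account's region
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: register the Own Enterprise application as a service principal in this tenant.
install_own_app() {
  run az ad sp create --id "$OWN_APP_ID"
}

# Step 2: create the vault with purge protection (the page's most important setting)
# and the RBAC permission model that the role assignment below relies on.
create_vault() {
  run az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" --enable-purge-protection true --enable-rbac-authorization true
}

# Step 3: if the vault firewall restricts IPs, let trusted Microsoft services bypass it.
allow_trusted_services() {
  run az keyvault update --name "$VAULT_NAME" --bypass AzureServices
}

# Step 4: create the RSA key the storage account will be encrypted with.
create_key() {
  run az keyvault key create --vault-name "$VAULT_NAME" --name "$KEY_NAME" --kty RSA --size 2048
}

# Step 5: grant the application Key Vault Crypto Service Encryption User, scoped to this vault only.
grant_role() {
  local vault_id sp_object_id
  if [ "$DRY_RUN" = "1" ]; then
    vault_id="<vault-resource-id>"; sp_object_id="<own-sp-object-id>"   # placeholders in dry run
  else
    vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
    sp_object_id=$(az ad sp show --id "$OWN_APP_ID" --query id -o tsv)
  fi
  run az role assignment create --role "Key Vault Crypto Service Encryption User" \
      --assignee-object-id "$sp_object_id" --assignee-principal-type ServicePrincipal \
      --scope "$vault_id"
}

# Pure check: returns 0 only when purge protection and RBAC are on (case-insensitive,
# since the CLI's tsv output prints booleans as True/False) and the bypass is AzureServices.
evaluate_vault_settings() {
  local purge rbac bypass
  purge=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
  rbac=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
  bypass="${3:-}"
  if [ "$purge" = "true" ] && [ "$rbac" = "true" ] && [ "$bypass" = "AzureServices" ]; then
    return 0
  fi
  return 1
}

# Read the live vault settings back and fail loudly if any of them is wrong.
verify_vault() {
  local settings
  settings=$(az keyvault show --name "$VAULT_NAME" \
    --query "[properties.enablePurgeProtection, properties.enableRbacAuthorization, properties.networkAcls.bypass]" \
    -o tsv)
  # shellcheck disable=SC2086  # word-splitting the tab-separated fields is intended
  if evaluate_vault_settings $settings; then
    echo "vault settings OK: $settings"
  else
    echo "vault settings WRONG (purge/rbac/bypass): $settings" >&2
    return 1
  fi
}

main() {
  install_own_app; create_vault; allow_trusted_services; create_key; grant_role
  [ "$DRY_RUN" = "1" ] || verify_vault
}

# Run the full sequence only when asked, so the functions can also be sourced individually.
if [ "${BYOKV_RUN:-0}" = "1" ]; then main; fi
```

Scoping the role assignment to the vault's resource ID rather than the resource group or subscription keeps the application's access to the one vault it needs, and the read-back in verify_vault catches the common mistake of creating the vault without purge protection, which cannot be corrected by this script later because purge protection is irreversible only in the enabling direction.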
Enable Bring Your Own Key Vault (BYOKV)
If you have BYOK available in your plan, you can enable BYOKV.
For newly created accounts, you must wait at least 10 minutes before attempting to add BYOKV, otherwise the activation may fail.
- Sign in to your account as the account’s owner.
- At the top right of the screen, click on your email address.
- In the drop-down menu, select Account Settings.
- Select the Key Management tab.
- Click Set Up BYOKV... A Bring Your Own KeyVault message appears instructing you how to grant access to the Azure Key Vault.
- Enter the Key you wish to use.
Backup & Recover doesn't explicitly make use of the key version. Creation of a new key version will automatically re-encrypt the data within 24 hours.
- Click Activate.
Your Key Vault should appear in the table in resource creation status.
Automatic Key Rotation in Key Vault
You can automate the key rotation process in Azure.
We recommend applying Azure's default settings. See Configure cryptographic key auto-rotation in Azure Key Vault.
- In the Create a key page, navigate to Set key rotation policy and click Not configured.
- In the Rotation policy, click Enable auto rotation and select the Automatically renew at a given time after creation option. The default rotation time is set to 18 months.
- After key rotation, wait at least 24 hours before deleting or disabling the previous key.
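The same rotation policy can be applied from the Azure CLI instead of the portal. The script below is an added example, not Own's tooling or code from the original page; the vault and key names and the policy file path are assumed placeholders. It writes a rotation policy that rotates the key 18 months after creation (the default mentioned above) and notifies 30 days before expiry, rejects durations that are not ISO-8601 periods before they reach the vault, lists key versions with their creation times, and includes a small check for the 24-hour wait the page requires before the previous version is disabled or deleted. As in the previous example, DRY_RUN=1 (the default) only prints the az commands.

```shell
#!/usr/bin/env bash
# Added example (not Own's tooling): configures Key Vault auto-rotation for the BYOKV key.
# Vault, key and policy file names are assumed.
set -eu

VAULT_NAME="${VAULT_NAME:-own-byokv-kv}"                               # assumed name
KEY_NAME="${KEY_NAME:-own-backup-key}"                                 # assumed name
POLICY_FILE="${POLICY_FILE:-${TMPDIR:-/tmp}/own-rotation-policy.json}"  # assumed path
DRY_RUN="${DRY_RUN:-1}"                                                # 1 = print commands only

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Accept only ISO-8601 period strings such as P18M or P2Y, so a typo like "18 months"
# is caught here rather than rejected (or misread) by the service.
validate_period() {
  case "$1" in
    P[0-9]*[YMWD]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the rotation-policy document in the format the Azure CLI expects:
# rotate at $1 after creation (default P18M), expire after $2 (default P2Y),
# and emit a notification 30 days before expiry.
rotation_policy_json() {
  local after_create="${1:-P18M}" expiry="${2:-P2Y}"
  cat <<EOF
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "$after_create" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "$expiry" }
}
EOF
}

# Validate both durations, write the policy file and apply it to the key.
apply_rotation_policy() {
  local after_create="${1:-P18M}" expiry="${2:-P2Y}"
  if ! validate_period "$after_create" || ! validate_period "$expiry"; then
    echo "rotation periods must be ISO-8601 durations (e.g. P18M, P2Y)" >&2
    return 1
  fi
  rotation_policy_json "$after_create" "$expiry" > "$POLICY_FILE"
  run az keyvault key rotation-policy update --vault-name "$VAULT_NAME" \
      --name "$KEY_NAME" --value "$POLICY_FILE"
}

# Show every version of the key with its creation time and enabled flag, so the
# operator can see when the newest version appeared before touching the old one.
list_key_versions() {
  run az keyvault key list-versions --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
      --query "[].{version:kid, created:attributes.created, enabled:attributes.enabled}" -o table
}

# Returns 0 only when at least 24 hours (86400 s) have passed since the newest
# version was created ($1, Unix epoch); the page says to wait that long before
# disabling or deleting the previous version, since re-encryption happens within 24 hours.
previous_version_retirable() {
  local created_epoch="$1" now_epoch="${2:-$(date +%s)}"
  if [ $((now_epoch - created_epoch)) -ge 86400 ]; then return 0; fi
  return 1
}

if [ "${BYOKV_RUN:-0}" = "1" ]; then
  apply_rotation_policy "${ROTATE_AFTER:-P18M}" "${EXPIRE_AFTER:-P2Y}"
  list_key_versions
fi
```

Keeping the old key version enabled for the full 24-hour window matters because Backup & Recover re-encrypts in the background after a new version appears; disabling the previous version early would leave data that has not yet been re-wrapped unreadable until the version is re-enabled.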
Migrate from BYOKV to BYOK
Own offers a Bring Your Own Key (BYOK) option, where you provide the encryption key used to encrypt your data. However, the key itself is stored and managed by Own within its own key vault. As with BYOKV, your data is stored in a dedicated storage account and encrypted at rest with your key.
The length of the migration process depends on the amount of data you have backed up and can take several weeks. Once the switch has started, it can't be stopped.
All data is still accessible and encrypted throughout the migration process.
Migration can only be done 48 hours after BYOKV was activated.
- Sign in to your account as the account’s owner.
- At the top right of the screen, click on your email address.
- In the drop-down menu, select Account Settings.
- Select the Key Management tab.
- Click the three dots menu, and select Switch to BYOK. A warning message will appear.
- Accept and click Switch. The key will be in Activating... status in the table.