In order to enable Bring Your Own Key (BYOK) in the Own application, the platform requires two values: a Base64-encoded string of a 256-bit secret encrypted with the Own region-specific certificate, and a Base64-encoded string of the SHA-256 digest of that same 256-bit secret.
The following procedure is for activating BYOK for Azure. For the procedure for BYOK for AWS, see here.
Log in to your Own account as the account’s owner.
At the top right of the screen, click on your email address.
To generate the key and passphrase, do the following:
In Git Bash, open a terminal and make the script file executable by running:
chmod +x secretgen-linux.sh
For example:
./secretgen-linux.sh akm_azure_ob_public.key
When the script finishes, it writes the key file to the current directory. The key file is saved as encrypted_secret.bin.
Click Validate Key.
If the key is valid, a Completed Successfully message will appear in the dialog window:
Click Activate.
Your key should appear in the table in resource creation status:
If the key supplied does not match the passphrase entered, the master encryption key activation is canceled. Subsequently, an Own Support case is opened for you, and an email confirming the case is sent.
Once the uploaded key has been verified against the passphrase you supplied, your Own account data is moved to a newly created volume/bucket encrypted with that master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you receive a notification email. The Own SLA provides information on the maximum duration of this process.
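The two values described at the top of this page, and the "key does not match the passphrase" failure above, can be illustrated with the following added example. It is not Own's secretgen script and makes assumptions: it models only the platform-side check on the decrypted secret (the encryption of the secret with the region-specific certificate, which the script performs, is left out), and the rule that the secret must decode to exactly 32 bytes is assumed from the 256-bit requirement.

```python
import base64
import hashlib
import hmac
import secrets

SECRET_BYTES = 32  # the platform expects a 256-bit secret


def generate_secret() -> bytes:
    """Return a fresh 256-bit secret drawn from the OS CSPRNG."""
    return secrets.token_bytes(SECRET_BYTES)


def encode_secret(secret: bytes) -> str:
    """Base64 of the raw secret (the plaintext the script would then encrypt)."""
    return base64.b64encode(secret).decode("ascii")


def secret_digest_b64(secret: bytes) -> str:
    """Base64 of the SHA-256 digest of the raw secret: the 'passphrase' value."""
    return base64.b64encode(hashlib.sha256(secret).digest()).decode("ascii")


def validate_key(secret_b64: str, digest_b64: str) -> bool:
    """Assumed model of the 'Validate Key' step, run on the decrypted secret.

    Rejects malformed Base64, a secret that is not exactly 256 bits, and a
    digest that does not match SHA-256 of the secret. The comparison is
    constant-time so the check itself leaks nothing about the digest."""
    try:
        # validate=True makes b64decode raise on non-alphabet characters
        secret = base64.b64decode(secret_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(secret) != SECRET_BYTES:
        return False
    if len(expected) != hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(hashlib.sha256(secret).digest(), expected)
```

A mismatch between the uploaded secret and the supplied digest is what triggers the cancelled activation and support case described above; the check never reveals which of the two values was wrong.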
The following procedure is for activating BYOK for AWS. For the procedure for BYOK for Azure, see here.
In the drop-down menu, select Account Settings.
To generate the key and hash on a Mac-based machine, follow the instructions below:
Generate Key and Hash on Linux OS and Windows-based machines
To generate the key and hash, do the following:
For example:
./secretgen-linux.sh akm_aws_ob_public.key
After clicking Activate, your Own account data is moved to a newly created volume/bucket encrypted with that AES-256 master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you receive a notification email. The Own SLA provides information on the maximum duration of this process. Note that additional time may be required to migrate historical data, depending on the amount of data in the account.
As part of your company's compliance requirements, you may need to rotate the key from time to time. To do that, select the Archive Current Key and Create New Key... or Revoke button. Rotation re-encrypts the volumes with the new key after it has been validated on the platform and does not impact active backups during that time.
When revoking a master encryption key, all access to data is immediately blocked; running backups and jobs fail to complete, and future backups do not happen. More importantly, all data is rendered inaccessible permanently.
Here are the steps to revoke an active master encryption key:
Select the Key Management tab.
Click Revoke. A dialog window appears:
To confirm the revocation, manually type the word "revoke" in the text field and click Revoke.
The following screen will appear: