Data Storage and Encryption with BYOK, BYOKMS, and BYOKV for Recover

    For Own customers BYOK, BYOKMS, or BYOKV enabled, their backup data is stored within Own's own S3 Bucket or Azure storage account. For S3, each tenant has their own entity within the bucket, separated from other entities. For Azure, each organization has their own container within the storage account, separated from other containers. These are encrypted with Own’s encrypted key.

    Bring Your Own Key

    Bring Your Own Key (BYOK) for Recover allows customers to create their own encryption keys to add an additional layer of security to their data. Once BYOK is enabled and an encryption key is activated and added to a Recover service, their data is moved to a dedicated bucket/storage account encrypted at rest with the key. Once the data is copied over, the original client entity in the Own S3 bucket/Azure storage account is deleted. Once completed, the customer’s data is officially only accessible with their own encryption key.

    Backups and other jobs are not impaired during this process.

    NOTE: The process of moving data from the Own storage to the customer encrypted storage takes time, depending on the amount of existing data. Until the migration is complete, the data still exists within the Own storage, where it is encrypted with Own’s key.

    Key Rotation

    Customers can later archive their key and replace it with another encryption key. When a new encryption key is provided, the client S3 bucket/Azure storage account is redirected to the new encryption key.

    For customers using BYOK, they upload their wrapped encryption key to Own and the S3 bucket/Azure storage account is redirected to the new key.

    For customers using BYOKMS, rotating their key automatically redirects their S3 bucket.

    BYOKMS customers can also rotate their KMS, which would involve uploading new key ID and key alias ARNs.

    Key Revocation

    Active encryption keys can also be revoked, resulting in immediate inaccessibility to the underlying data.

    BYOK customers can revoke their key through the Own application, while BYOKMS customers can revoke their key through their own KMS.

    BYOK vs. BYOKMS vs. BYOKV

    Bring Your Own Key

    With Bring Your Own Key (BYOK) the customer provides Own with their encryption key for use encrypting their own data.

    The customer is provided with Own’s Public Key which is used to wrap the customer’s encryption key before uploading it to Own. This allows the customer to provide Own their key without exposing it.

    Rotating their key requires repeating the process of wrapping the key and uploading it to Own.

    To generate and wrap an encryption key, see:

    Bring Your Own Key Management Service

    With Bring Your Own Key Management Service (BYOKMS) the customer manages their keys within their own key management service, only providing Own with a key ID and an alias to encrypt their data. These allow Own to create a bucket encrypted with the key without sending the actual key to Own, providing access to it, or exposing it.

    WARNING: Own cannot be responsible for weak keys, keys generated on a compromised machine, or keys moved through insecure media - all of which weaken the security of the stored data.

    Bring Your Own Key Vault

    With Bring Your Own Key Vault (BYOKV) the customer manages their keys within their own Azure Key Vault. By installing the Own Enterprise application in their Azure account and assigning their key a role assignment to the application, Own can create a storage account encrypted with the key without sending the actual key to Own, providing access to it, or exposing it.

    « Previous ArticleNext Article »