Data Storage and Encryption with BYOK and BYOKMS for Recover

    NOTE: BYOKMS is currently available only with AWS KMS.

    Customers who have not enabled BYOK or BYOKMS have their backup data stored in an S3 bucket or Azure storage account that belongs to Own. In S3, each tenant has its own entity within the bucket, separated from the entities of other tenants. In Azure, each organization has its own container within the storage account, separated from other containers. This data is encrypted with Own's encryption key.

    Bring Your Own Key

    Bring Your Own Key (BYOK) for Recover lets customers supply their own encryption keys, adding a further layer of protection to their data. Once BYOK is enabled and an encryption key has been activated and added to a Recover service, the customer's data is moved to a dedicated bucket or storage account that is encrypted at rest with that key. After the copy completes, the original client entity in Own's S3 bucket or Azure storage account is deleted, and from that point the customer's data is accessible only with their own encryption key.

    Backups and other jobs are not impaired during this process.

    NOTE: The process of moving data from the Own storage to the customer encrypted storage takes time, depending on the amount of existing data. Until the migration is complete, the data still exists within the Own storage, where it is encrypted with Own’s key.

    Key Rotation

    Customers can later archive their key and replace it with another encryption key. When a new encryption key is provided, the client's S3 bucket or Azure storage account is switched over to the new key.

    BYOK customers upload a new wrapped encryption key to Own, after which the S3 bucket or Azure storage account is switched to the new key.

    BYOKMS customers rotate the key in their own KMS, and their S3 bucket is switched to the rotated key automatically.

    BYOKMS customers can also replace the KMS key itself, which involves providing Own with the new key ID and key alias ARNs.

    Key Revocation

    An active encryption key can also be revoked, which makes the underlying data immediately inaccessible.

    BYOK customers revoke their key through the Own application; BYOKMS customers revoke their key through their own KMS.

    BYOK vs. BYOKMS

    Bring Your Own Key

    With Bring Your Own Key (BYOK), the customer provides Own with an encryption key that Own uses to encrypt the customer's data.

    The customer is given Own's public key and uses it to wrap (encrypt) their encryption key before uploading it to Own. The key is therefore never transmitted in the clear: only the holder of the matching private key can unwrap it, so the customer can hand the key to Own without exposing it.

    Rotating the key means repeating this process: wrapping the new key and uploading it to Own.
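    The wrapping step described above, as an added example that is not part of the original article or of Own's own instructions. It assumes RSA-OAEP with SHA-256 as the wrapping algorithm and a 256-bit symmetric customer key; Own's actual parameters and public key are not stated here and may differ. The provider key pair is generated locally purely as a stand-in, because in the real flow the customer only ever receives the public key:

```bash
#!/usr/bin/env sh
# Added example (not Own's code). Generates a 256-bit data encryption key,
# wraps it with a provider-supplied RSA public key using RSA-OAEP/SHA-256,
# and verifies that only the matching private key can unwrap it.
# ASSUMPTIONS: wrapping algorithm, key sizes and file names are illustrative.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Stand-in for the provider's key pair. A real customer only receives
# provider_public.pem; the private key never leaves the provider.
make_provider_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORKDIR/provider_private.pem" 2>/dev/null
  openssl pkey -in "$WORKDIR/provider_private.pem" -pubout \
    -out "$WORKDIR/provider_public.pem"
}

# Step 1: generate the customer's key from the OS CSPRNG (32 bytes = 256 bits).
# Do this on a trusted machine; a weak or leaked key undermines everything below.
generate_customer_key() {
  openssl rand -out "$WORKDIR/customer_key.bin" 32
  wc -c < "$WORKDIR/customer_key.bin" | tr -d ' '
}

# Step 2: wrap the key with the provider's public key (RSA-OAEP, SHA-256).
# The output is what gets uploaded; its length equals the RSA modulus size.
wrap_customer_key() {
  openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/provider_public.pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -in "$WORKDIR/customer_key.bin" -out "$WORKDIR/customer_key.wrapped"
  wc -c < "$WORKDIR/customer_key.wrapped" | tr -d ' '
}

# What the provider does on receipt: unwrap with its private key and
# recover the original key bytes. Prints "same" when the round trip is exact.
unwrap_customer_key() {
  openssl pkeyutl -decrypt -inkey "$WORKDIR/provider_private.pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -in "$WORKDIR/customer_key.wrapped" -out "$WORKDIR/customer_key.unwrapped"
  if cmp -s "$WORKDIR/customer_key.bin" "$WORKDIR/customer_key.unwrapped"; then
    echo same
  else
    echo different
  fi
}

# Security check: an unrelated private key cannot unwrap the blob, which is
# why the wrapped key can travel over an untrusted channel. Prints "refused".
unwrap_with_wrong_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/other_private.pem" 2>/dev/null
  if openssl pkeyutl -decrypt -inkey "$WORKDIR/other_private.pem" \
       -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
       -in "$WORKDIR/customer_key.wrapped" \
       -out "$WORKDIR/garbage.bin" 2>/dev/null; then
    echo decrypted
  else
    echo refused
  fi
}

# Walk through the whole flow when the script is run directly.
if [ "${BYOK_DEMO:-1}" = "1" ]; then
  make_provider_keypair
  echo "customer key bytes:        $(generate_customer_key)"
  echo "wrapped blob bytes:        $(wrap_customer_key)"
  echo "unwrap with provider key:  $(unwrap_customer_key)"
  echo "unwrap with other key:     $(unwrap_with_wrong_key)"
fi
```

    Only customer_key.wrapped is uploaded; customer_key.bin stays on the customer's side and should be stored as carefully as any other root secret, since it is what the revocation and rotation steps below ultimately control. Rotation is the same sequence run again with a freshly generated key.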

    To generate and wrap an encryption key, see:

    Bring Your Own Key Management Service

    With Bring Your Own Key Management Service (BYOKMS), the customer manages the key within their own key management service and provides Own only with the key ID and an alias. Own uses these to create a bucket encrypted with that key; the key material itself is never sent to Own, exposed, or otherwise made accessible to Own, because it never leaves the customer's KMS.

    WARNING: Own is not responsible for weak keys, keys generated on a compromised machine, or keys moved through insecure media, all of which weaken the security of the stored data.