Bring Your Own Key Step by Step Activation

    To enable Bring Your Own Key (BYOK) in the Own application, the platform requires two values: a Base64-encoded string of a 256-bit secret that has been encrypted with the Own region-specific certificate (the wrapped encryption key), and a Base64-encoded string of the SHA-256 digest of that same 256-bit secret (the key hash).
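    The following shell script is an added example and is not Own's sample script. It reproduces the two artifacts the dialog asks for (the wrapped secret written to encrypted_secret.bin and the Base64 SHA-256 key hash) and models the platform-side validation that compares the unwrapped secret against the pasted hash. It assumes the public key file is PEM and that the wrapping uses RSA-OAEP with SHA-256; the page does not state Own's padding mode, so the real sample script remains the authoritative source.

```shell
#!/usr/bin/env bash
# Added example, not Own's sample script. Produces the two values the
# Bring Your Own Key dialog asks for and models the "Validate Key" check.
# Assumptions: PEM public key, RSA-OAEP/SHA-256 wrapping (not stated on the page).
set -eu

# byok_generate <public-key.pem> [outdir]
# Writes outdir/secret.bin (the plaintext 256-bit secret; keep it offline, it is
# the only way to re-upload the key after a revocation) and
# outdir/encrypted_secret.bin, and prints base64(SHA-256(secret)) on stdout.
byok_generate() {
  pubkey="$1"; outdir="${2:-.}"
  secret="$outdir/secret.bin"
  umask 077                                   # plaintext key material: owner-only files
  openssl rand -out "$secret" 32              # 32 bytes = 256-bit secret
  openssl pkeyutl -encrypt -pubin -inkey "$pubkey" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -in "$secret" -out "$outdir/encrypted_secret.bin"
  openssl dgst -sha256 -binary "$secret" | openssl base64 -A
  echo
}

# byok_verify <private-key.pem> <encrypted_secret.bin> <claimed-hash>
# Platform-side check (assumed behaviour): unwrap the secret with the private
# key, hash it, and compare with the hash the user pasted into the dialog.
# Returns 0 on match; non-zero on mismatch (the page says a mismatch cancels
# the activation and opens a support case).
byok_verify() {
  privkey="$1"; wrapped="$2"; claimed="$3"
  actual=$(openssl pkeyutl -decrypt -inkey "$privkey" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -in "$wrapped" | openssl dgst -sha256 -binary | openssl base64 -A)
  [ "$actual" = "$claimed" ]
}
```

Run it as `byok_generate akm_aws_ob_public.key` from the directory containing the downloaded key; the printed line is what goes into the Key Hash (AWS) or Encrypted Passphrase (Azure) field.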

    NOTE: To complete the steps below, you need Administrator privileges on a local PC.

    BYOK for Azure

    The following procedure is for activating BYOK for Azure. For the procedure for BYOK for AWS, see here.

    Download the Sample Script

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. Select the Key Management tab. The following screen appears:

    4. Click Set Up BYOK... The following dialog window appears:
    5. This window also contains instructions on how to download the Own public key, as well as the actual script that helps you generate a 256-bit key and key hash. Click Download Public Key. This will download our public key.
    6. Click either the MacOS or the Linux hyperlink (as needed) to download and run the sample script to generate the required information.

    Generate Key and Passphrase on MacOS

    To generate the key and passphrase, do the following:

    1. Open the terminal app and make the script file executable by running:
      chmod +x secretgen-macos-azure.sh
    2. Run the script as sudo, passing the certificate as its argument:
      ./secretgen-macos-azure.sh akm_azure_ob_public.key

    Generate Key and Passphrase on Linux OS and Windows-based machines

    To generate the key and passphrase, do the following:

    1. Download GIT for Windows here.
    2. Install GIT on Windows using the installation wizard. Choose the default in all the steps.
    NOTE: The most important option to select is the OpenSSL library.
    3. Once GIT is installed, open the git-bash application.
    4. Within git-bash, make the script file executable by running:

      chmod +x secretgen-linux-azure.sh

    5. Navigate to the directory where the 2 downloaded files are located (the sample script and the public key file).
    6. In git-bash, launch the script. Make sure to have a ./ before the script name and pass the public key file as the argument.

    For example:

    ./secretgen-linux-azure.sh akm_azure_ob_public.key

    Uploading the Key & Passphrase

    After running the script, the terminal app generates the key file. The key file is saved as encrypted_secret.bin.

    1. In the Bring Your Own Key dialog, click Browse... next to the Wrapped Encryption Key field. Select and upload the generated key file.
    2. Copy the text string under the Encrypted Passphrase line from the terminal app, and paste it into the Encrypted Passphrase field in the dialog window.
    3. Click Validate Key.

    4. If the key is valid, a Completed Successfully message appears in the dialog window:

    5. Click Activate.

    6. Your key should appear in the table in resource creation status:

    What Happens after Uploading the Key and Passphrase?

    If the key supplied does not match the passphrase entered, the master encryption key activation is canceled. Subsequently, an Own Support case is opened for you, and an email confirming the case is sent.

    Upon successful verification of the validity of the uploaded key against the passphrase supplied, your Own account data is moved to a newly-created volume/bucket encrypted with that master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you receive a notification email. The Own SLA provides information on the maximum duration of this process.

    BYOK for AWS

    The following procedure is for activating BYOK for AWS. For the procedure for BYOK for Azure, see here.

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab. The following screen appears:
    5. Click Set Up BYOK... The following dialog window appears:
    6. This window also contains instructions on how to download the Own public key, as well as the actual script that helps you generate a 256-bit key and key hash. Click Download Public Key. This will download our public key.
    7. Click either the MacOS or the Linux hyperlink (as needed) to download and run the sample script to generate the required information.

    Generate Key and Hash on MacOS

    To generate the key and hash on a Mac-based machine, follow the instructions below:

    1. Open the terminal app and make the script file executable by running:
      chmod +x secretgen-macos.sh
    2. Run the script as sudo, passing the public key as its argument:
      ./secretgen-macos.sh akm_aws_ob_public.key

    Generate Key and Hash on Linux OS and Windows-based machines

    To generate the key and hash, do the following:

    1. Download GIT for Windows here.
    2. Install GIT on Windows using the installation wizard. Choose the default in all the steps.
    NOTE: The most important option to select is the OpenSSL library.
    3. Once GIT is installed, open the git-bash application.
    4. Within git-bash, make the script file executable by running:

      chmod +x secretgen-linux.sh

    5. Navigate to the directory where the 2 downloaded files are located (the sample script and the public key file).
    6. In git-bash, launch the script, making sure to have a ./ before the script name and passing the public key file as the argument.

    For example:

    ./secretgen-linux.sh akm_aws_ob_public.key

    Uploading the Key and Key Hash

    After running the script, the terminal app generates the key file. The key file is saved as encrypted_secret.bin.

    1. In the Bring Your Own Key dialog, click Browse... next to the Wrapped Encryption Key field. Select and upload the generated key file.
    2. Copy the text string under the Key Hash line from the terminal app, and paste it into the Key Hash field in the dialog window.
    3. Click Validate Key.

    4. If the key is valid, a Completed Successfully message appears in the dialog window:

    5. Click Activate.

    6. Your key should appear in the table in resource creation status:


    What Happens after Uploading the Encrypted Encapsulated Key and Key Hash?

    After clicking Activate, your Own account data is moved to a newly-created volume/bucket encrypted with that 256-bit AES master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you receive a notification email. The Own SLA provides information on the maximum duration of this process. Take into account that further time may be required for any migration of historical data, depending on the amount of data per account.

    Rotating a Key

    As part of your company's compliance requirements, you may need to rotate the key from time to time. To do that, click the Archive Current Key and Create New Key... or Revoke button. Once the new key is validated on the platform, the volumes are re-encrypted with it. Active backups are not impacted during that time.

    NOTE: The text on the button may be different depending on your region.

    Revoking an Active Master Encryption Key

    When revoking a master encryption key, all access to data is immediately blocked; running backups and jobs fail to complete, and future backups do not happen. More importantly, all data is rendered inaccessible unless the previously active key is uploaded again.

    Here are the steps to revoke an active master encryption key:

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab.

    5. Click Revoke. A dialog window appears:

    6. To confirm the revocation, manually type the word "revoke" in the text field and click Revoke.

    7. The following screen will appear:
