Bring Your Own Key (BYOK) encryption

Clumio SecureVault backups encrypted by a CMK deployed in the KMS service of a customer's AWS account. When the Bring Your Own Key (BYOK) Encryption feature is enabled, Clumio uses your CMK to encrypt Clumio SecureVault backups. 

BYOK is supported for:

  • EBS
  • EC2
  • M365 (Exchange, OneDrive, Sharepoint)
  • VMs (VMWare and VMC)
  • S3
  • RDS
  • DynamoDB
  • SQL on EC2
  • SQL on VMC

Enabling (BYOK) encryption

Prerequisites

  • You must connect at least one AWS account and region to Clumio.
  • You must first create a Customer Master Key (CMK) using your AWS account.
  • You must deploy the CMK key using Clumio CFT/TF stack in the same region as your Clumio control plane region.

NOTE: To enable BYOK encryption using Terraform, refer to the following page.


Create a CloudFormation stack that includes a key.

  1. To add your own encryption key, on the Clumio platform, navigate to Administration > Encryption Key > Add Your Own Encryption Key. If you have not yet set up BYOK, the Add Your Own Encryption Key button is available. After the feature is enabled, the Settings > Encryption Key page only contains a notice that the feature is enabled and all relevant backups will be encrypted using this feature. It also displays details about the account associated with the encryption key, the key ID, and the Clumio role associated with the key.
  2. Type the AWS account number in which you want to create the CMK.
  3. Confirm that you understand that if you delete the CMK or the associated AWS account, you will not be able to access your backed-up data.
  4. Confirm that you understand that after you enable this feature, your CMK and AWS account cannot be changed. Click Next.
  5. Click Launch Quick Create Stack Wizard, this will launch the AWS console. Or click Create CloudFormation Template manually.

Launch Quick Create stack wizard

  1. If you chose to launch the quick create stack wizard, in AWS create the CloudFormation stack.
    The stack template requires the following 4 parameters:
    • RoleName: This is an optional parameter and defaults to ClumioKMSRole. A role with this name will be created to manage the CMK.
    • ExternalId: This can be any alpha-numeric string between 8 and 128 characters long and can include some special characters like +=,.@:/-. A random UUID is always a good choice.
    • ClumioToken: The token created by Clumio for the BYOK setup.
    • UserMultiRegionCMKKeyId: This is an optional parameter and defaults to an empty string. You can use the ID of an existing multi-region CMK that you want to use as the BYOK, instead of having the stack create a new one. The CMK must be in the same account and region where the stack is being deployed and must be a primary key, not a replica.
  2. The stack creates a new role to manage the BYOK and may create a new multi-region CMK if needed.

Create CloudFormation stack manually.

  1. Copy the values from the options into the corresponding fields:
    • AWS CloudFormation Template: The Clumio CloudFormation template YAML file. This template includes all of the parameters needed to create the CloudFormation stack for the account and specified AWS account region. This value will be pasted into the Amazon S3 URL field when creating the CloudFormation stack.
    • Token: The 36-character Clumio AWS integration ID token used to identify the installation of the CloudFormation template on the account. This value will be pasted into the ClumioToken field when creating the CloudFormation stack.
    • Clumio's AWS Account ID: The connected Clumio account ID.
  2. Paste the AWS CloudFormation Template URL you copied from into the Amazon S3 URL field.
    The stack template requires the following 4 parameters:
    • RoleName: This is an optional parameter and defaults to ClumioKMSRole. A role with this name will be created to manage the CMK.
    • ExternalId: This can be any alpha-numeric string between 8 and 128 characters long and can include some special characters like +=,.@:/-. A random UUID is always a good choice.
    • ClumioToken: This is the token created by Clumio for the BYOK setup.
    • UserMultiRegionCMKKeyId: This is an optional parameter and defaults to an empty string. You can use the ID of an existing multi-region CMK that you want to use as the BYOK, instead of having the stack create a new one. The CMK must be in the same account and region where the stack is being deployed and must be a primary key, not a replica.
  3. The stack creates a new role to manage the BYOK and may create a new multi-region CMK if needed.

Note: If you have any backups that were created before you enabled BYOK encryption, those existing backups will not be re-encrypted with the new CMK. Any existing backups will remain encrypted using Clumio's default encryption keys. Once enabled, the CMK and its associated AWS account cannot be changed.


IMPORTANT: If you delete a CMK or its associated AWS account, your backup data in Clumio becomes permanently irretrievable!

For information about lost or deleted keys, see Lost CMK Keys.

Multi-Region backup using BYOK encryption

Clumio’s BYOK encryption provides support for multi-region backup encryption by default. The CloudFormation template uses stack sets to create keys for each region.

Migrating from the legacy BYOK encryption feature

If you have already enabled the earlier version of the BYOK feature and you want to use the new BYOK feature capabilities, you must upgrade your CloudFormation template to the latest version. You will be prompted to upgrade your stack set, click yes and the new feature will be enabled. Backups encrypted using the previous version of the BYOK feature will remain encrypted using the previous key. It is essential that you retain the previous key to retain access to your backups.