Encryption

By default, all data that is backed up by Clumio is encrypted using a Customer Master Key (CMK) generated and managed in the Clumio cloud. The CMK is used to generate new data encryption keys every 30 days and is used to encrypt customer data while the data is backed up, and while it is stored. The data encryption keys also decrypt the data when you do a restore.

Bring Your Own Key Encryption (BYOK)

For additional security and compliance needs, you can encrypt backup data stored in Clumio with a CMK using AWS KMS to create and manage your own key in your AWS account (BYOK). This gives you the ability to control and monitor access to your stored backup data. You can use AWS CloudTrail to audit Clumio’s access to your AWS CMK and backup data.

  • Once you enable this feature, Clumio creates a new CMK in your AWS account and encrypts all backups of S3, RDS, and DynamoDB using your AWS CMK (BYOK) only.
  • All new backups of EC2/EBS, Microsoft 365, and VMware Cloud are encrypted using a combination of your new AWS CMK and the Clumio-managed CMK.

Enabling (BYOK) encryption
Prerequisites

To enable BYOK encryption,

  • You must connect at least one AWS account and region to
  • You must first create a Customer Master Key (CMK) using your AWS account. Create a CloudFormation stack that includes a key.
    1. To add your own encryption key, click Settings > Encryption Key > Add Your Own Encryption Key. If you have not yet set up BYOK, the Add Your Own Encryption Key button is available. After the feature is enabled, the Settings > Encryption Key page only contains a notice that the feature is enabled and all relevant backups will be encrypted using this feature. It also displays details about the account associated with the encryption key, the key ID, and the Clumio role associated with the key.
    2. Type the AWS account number that you want to use to create the CMK.
    3. Confirm that you understand that, if you delete the CMK or the associated AWS account, you will not be able to access your backed-up data.
    4. Confirm that you understand that after you enable this feature, your CMK and AWS account cannot be changed.
    5. Click Next.
    6. Click Launch Quick Create Stack Wizard, this will launch the AWS console. Or click Create CloudFormation Template manually.

Create stack wizard

  1. If you chose to launch the quick create stack wizard, in AWS create the CloudFormation stack.
    The stack template requires the following 4 parameters:
    RoleName: This is an optional parameter and defaults to ClumioKMSRole. A role with this name will be created to manage the CMK.
    ExternalId: This can be any alpha-numeric string between 8 and 128 characters long and can include some special characters like +=,.@:/-. A random UUID is always a good choice.
    ClumioToken: This is the token created by Clumio for the BYOK setup.
    UserMultiRegionCMKKeyId: This is an optional parameter and defaults to an empty string. You can use the ID of an existing multi-region CMK that you want to use as the BYOK, instead of having the stack create a new one. The CMK must be in the same account and region where the stack is being deployed and must be a primary key, not a replica.
  2. The stack creates a new role to manage the BYOK and may create a new multi-region CMK if needed.

Create CloudFormation stack manually.

  1. Copy the values from the options into the corresponding fields:
    AWS CloudFormation Template: The Clumio CloudFormation template YAML file. This template includes all of the parameters needed to create the CloudFormation stack for the account and specified AWS account region. This value will be pasted into the Amazon S3 URL field when creating the CloudFormation stack.
    Token: The 36-character Clumio AWS integration ID token used to identify the installation of the CloudFormation template on the account. This value will be pasted into the ClumioToken field when creating the CloudFormation stack.
    Clumio's AWS Account ID: The connected Clumio account ID.
  2. Paste the AWS CloudFormation Template URL you copied from into the Amazon S3 URL field.
    The stack template requires the following 4 parameters:
    • RoleName: This is an optional parameter and defaults to ClumioKMSRole. A role with this name will be created to manage the CMK.
    • ExternalId: This can be any alpha-numeric string between 8 and 128 characters long and can include some special characters like +=,.@:/-. A random UUID is always a good choice.
    • ClumioToken: This is the token created by Clumio for the BYOK setup.
    • UserMultiRegionCMKKeyId: This is an optional parameter and defaults to an empty string. You can use the ID of an existing multi-region CMK that you want to use as the BYOK, instead of having the stack create a new one. The CMK must be in the same account and region where the stack is being deployed and must be a primary key, not a replica.
  3. The stack creates a new role to manage the BYOK and may create a new multi-region CMK if needed.

Note: If you have any backups that were created before you enabled BYOK encryption, those existing backups will not be re-encrypted with the new CMK. Any existing backups will remain encrypted using Clumio's default encryption keys. Once enabled, the CMK and its associated AWS account cannot be changed.

IMPORTANT: If you delete a CMK or its associated AWS account, your backup data in Clumio becomes permanently irretrievable!

Refer to the following article for more information about BYOK encryption in Clumio.

Multi-Region backup using BYOK encryption

Clumio’s BYOK encryption provides support for multi-region backup encryption by default. The CloudFormation template uses stack sets to create keys for each region.

Migrating from the legacy BYOK encryption feature

If you have already enabled the earlier version of the BYOK feature and you want to use the new BYOK feature capabilities, you must upgrade your CloudFormation template to the latest version. You will be prompted to upgrade your stack set, click yes and the new feature will be enabled. Backups encrypted using the previous version of the BYOK feature will remain encrypted using the previous key. It is essential that you retain the previous key to retain access to your backups.