All data that is backed up by Clumio is encrypted by default using a Customer Master Key (CMK) generated and managed in the Clumio cloud. The CMK is used to generate new data encryption keys every 30 days and is used to encrypt customer data while the data is backed up, and while it is stored. The data encryption keys also decrypt the data when you perform a restore.

Data encryption keys

Clumio leverages the CMK to generate the Data Encryption Key (DEK) through a cross-account IAM role. This role is created and assigned to the CMK Key Policy during the initial CloudFormation template deployment process.

Manually changing the CMK is not supported. Clumio encrypts backup data using the KMS keys created by the Clumio service CloudFormation template. Clumio rotates the data encryption keys (DEK) every 30 days to ensure that they do not use only one key for data encryption. Clumio does not support the ability for users to change the CMK configured for encrypting Clumio backups. If you replace an existing CMK, Clumio cannot decrypt existing backups that were encrypted using that key.

All actions performed by Clumio on this CMK are audited and logged in the customer's CloudTrail service. For more information on monitoring these logs in CloudTrail, click here.

AWS does not permit moving a CMK between accounts. However, you can set a single CMK to be readable by multiple accounts by following the process here. As long as Clumio has access to that same CMK, backup and restore operations will continue to work.

Details about KMS pricing can be found at https://aws.amazon.com/kms/pricing/.

Bring your own key (BYOK) encryption

For additional security and compliance needs, you can encrypt backup data stored in Clumio with a CMK using AWS KMS to create and manage your own key (BYOK) in your AWS account. This gives you the ability to control and monitor access to your stored backup data. You can use AWS CloudTrail to audit Clumio’s access to your AWS CMK and backup data.

  • Once you enable this feature, Clumio creates a new CMK in your AWS account and encrypts all backups of S3, RDS, and DynamoDB using your AWS CMK (BYOK) only.
  • All new backups of EC2/EBS, Microsoft 365, and VMware Cloud are encrypted using a combination of your new AWS CMK and the Clumio-managed CMK.

NOTE: Enabling BYOK does not re-encrypt previous backups.

When you set up the BYOK feature, Clumio does not re-encrypt the previous backups with your newly configured CMK. Only new backups performed after enabling the feature are encrypted using the BYOK CMK.  The old backups will continue to remain encrypted and usable with Clumio's default encryption keys.