Encryption
All data backed up by Clumio is encrypted by default using a Customer Master Key (CMK) that is generated and managed within Clumio's secure cloud infrastructure. For customers seeking more control over their encryption, Clumio offers a Bring Your Own Key (BYOK) feature, enabling the use of customer-managed encryption keys to secure backup data.
The CMKs used for both backup encryption and restore decryption are safely stored within Clumio's environment. Clumio ensures ongoing data protection by periodically generating new data encryption keys or utilizing AWS's automatic key rotation to update cryptographic material. These same keys are employed for data decryption during restore operations.
Bring Your Own Key (BYOK) Encryption
For further security and compliance, Clumio allows customers to create and manage their own CMK through AWS KMS within their AWS account. This customer-managed key remains in the customer's AWS account, offering full control and monitoring capabilities over encrypted backup data. Additionally, AWS CloudTrail can be used to audit and track Clumio's access to both the CMK and the corresponding backup data. Learn more about auditing access here.
Enabling BYOK applies only to future backups; existing backups are not re-encrypted with the newly provided CMK. Changing the CMK after setup is not supported: if an existing CMK is replaced, Clumio will be unable to decrypt any backups that were encrypted using the old key.
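The CloudTrail audit described above, as an added example that is not Clumio's or AWS's code, run over constructed records. The key ARN, the role name ExampleClumioBackupRole and the sample events are placeholders assumed for illustration; the check also flags KMS calls that can cut off the key, since backups encrypted under a lost CMK cannot be decrypted.

```python
from collections import Counter

# Constructed placeholders: the page names no key ARN or Clumio role.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
EXPECTED_ROLE = "arn:aws:sts::111122223333:assumed-role/ExampleClumioBackupRole"

# KMS API calls that can cut off use of the key, and with it every backup
# encrypted under that key.
KEY_RISK_EVENTS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"}


def make_record(time, name, principal, key=CMK_ARN, error=None):
    """Build a constructed CloudTrail-shaped record (only the fields used here)."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": principal},
           "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}
    if error:
        rec["errorCode"] = error
    return rec


OTHER = "arn:aws:sts::111122223333:assumed-role/OtherRole/dev"
SAMPLE_TRAIL = [  # constructed sample events
    make_record("2024-05-01T02:00:00Z", "GenerateDataKey", EXPECTED_ROLE + "/backup"),
    make_record("2024-05-01T02:00:05Z", "Decrypt", EXPECTED_ROLE + "/restore"),
    make_record("2024-05-02T09:13:00Z", "Decrypt", OTHER),
    make_record("2024-05-03T11:00:00Z", "ScheduleKeyDeletion",
                "arn:aws:iam::111122223333:user/admin"),
    make_record("2024-05-03T12:00:00Z", "Decrypt", EXPECTED_ROLE + "/restore",
                error="AccessDenied"),
    make_record("2024-05-03T12:30:00Z", "Decrypt", OTHER,
                key="arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"),
]


def audit_cmk(records, key_arn, expected_role):
    """Return (usage counts per principal and API call, list of findings)."""
    usage, findings = Counter(), []
    for rec in records:
        on_key = any(r.get("ARN") == key_arn for r in rec.get("resources") or [])
        if rec.get("eventSource") != "kms.amazonaws.com" or not on_key:
            continue  # not a KMS call against the backup CMK
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        name = rec["eventName"]
        usage[(who, name)] += 1
        if name in KEY_RISK_EVENTS:
            findings.append((rec["eventTime"], "key-state-change", who, name))
        elif not who.startswith(expected_role + "/"):
            findings.append((rec["eventTime"], "unexpected-principal", who, name))
        elif "errorCode" in rec:  # the expected role was refused: backups or restores fail
            findings.append((rec["eventTime"], "denied", who, name))
    return usage, findings
```

A "denied" finding for the expected role is worth alerting on as early as a key-state change, because it means backup or restore operations can no longer use the CMK.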
Details about KMS pricing can be found at https://aws.amazon.com/kms/pricing/.