All customer data is always encrypted, both in transit and at rest. We use an up-to-date TLS 1.x protocol for all control communications, including data transfer between Afi components, so that all traffic is encrypted. For data at rest, we use AES 256-bit, one of the most secure encryption algorithms.
You can learn more about security and privacy by visiting the page: https://afi.ai/compliance
In addition to Afi-managed data encryption, customers can use their own encryption keys (BYOK) for data at rest. Presently Afi supports Google KMS, AWS KMS, and Azure KMS.
Bring-Your-Own-Key (BYOK) is a best-practice solution to strengthen cloud backup security by using customer-managed encryption keys to encrypt backup data. Cloud Security Alliance (CSA) and NIST recommend using the BYOK approach as a way to increase security for data and reduce risks while working with cloud backup providers.
Why does your organization need a Bring-Your-Own-Key backup?
Afi Backup with BYOK can help you to solve the following problems:
- Comply with regulatory or contractual requirements and internal security policies. Encryption key self-management can be required or recommended by regulatory or contractual requirements, and the BYOK approach allows you to satisfy these requirements with minimal configuration on the user side.
- Increase control over your data and mitigate the risks. The BYOK approach allows a client to suspend or revoke Afi's access to backup data at any moment, giving you an additional level of control over your data and reducing security risks. BYOK also serves as a cryptographic data removal mechanism if you decide to terminate your account at any time, for any reason.
How does Bring-Your-Own-Key encryption work with Afi?
Afi Backup provides an option to manage an encryption key on the user side using Google Cloud KMS (Key Management Service) or Amazon Web Services (AWS) KMS. When the BYOK feature is configured, the Afi Backup system uses the user's key to encrypt backup data, while the user maintains full control over the encryption key and can revoke access to backup data at any time.
Please note that if the encryption key is deleted, access to data will be lost, and it will not be possible to recover it.
You can disable all the key versions or revoke Afi service account access to the key at any time to make all your data inaccessible for Afi. Please note that disabling a key doesn't interrupt backup and recovery operations that started before the key was revoked.
How to configure Bring-Your-Own-Key encryption with Google Cloud KMS?
This section explains how to create a cryptographic key in Google Cloud KMS and grant access to this key to Afi Backup. The guide assumes that you have a Google Cloud Platform account with enabled billing.
Step 1 - Create a new project in your GCP organization (for example, afi-backup-byok).
You can also use one of your existing GCP projects, but it can make controlling your GCP resources more complicated.
Step 2 - Go to Key Management (KMS) in the selected GCP project and enable the Cryptographic Keys API if it isn't enabled yet (type KMS in the search field at the top of the screen to locate it):
Step 3 - Create a new Key ring (for example, "afi-backup-keyring") with a "global" location. You can also specify the exact region where you want the key to be stored if you have such preferences.
Step 4 - Click on the Key ring from the previous step and create a KMS key there (for example, "afi-backup-key").
This screenshot shows the recommended settings for an encryption key:
Step 5 - Copy the key name by clicking on Copy Resource Name. This key name should be used in Step 7 to finish BYOK configuration on Afi side (key name example - projects/byok-test/locations/europe-west1/keyRings/afi-backup-keyring/cryptoKeys/afi-backup-key/cryptoKeyVersions/1).
Step 6 - Open the Permissions tab for the key and grant access for the Afi service account (storage-byok@afi-production.iam.gserviceaccount.com) with a Cloud KMS CryptoKey Encrypter/Decrypter role. If the Permissions tab is hidden, click on 'Show Info Panel' in the top-right corner of the page.
Step 7 - Create a GCP KMS key secret (use the key's Resource Name from Step 5 as the Key ID) in the Afi portal at the Service → Settings → SLA tab and select it as an encryption key in your backup policies.
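The same configuration as Steps 1 through 6, scripted with the gcloud CLI. This is an added example, not Afi's own code: it assumes gcloud is installed and authenticated and that billing is linked to the project; the helper function names are assumptions, and LOCATION defaults to "global" as in Step 3.

```shell
#!/bin/sh
# Added example, not Afi's own code: gcloud CLI equivalent of Steps 1-6 of the Google Cloud KMS guide.
# Assumes gcloud is installed and authenticated, and that billing is linked to the project.
set -eu

PROJECT="${PROJECT:-afi-backup-byok}"
LOCATION="${LOCATION:-global}"
KEYRING="afi-backup-keyring"
KEY="afi-backup-key"
AFI_SA="storage-byok@afi-production.iam.gserviceaccount.com"  # Afi service account from Step 6
ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"             # "Cloud KMS CryptoKey Encrypter/Decrypter"

# Builds the Resource Name that the Afi portal expects as the Key ID (Steps 5 and 7).
key_version_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/%s' "$1" "$2" "$3" "$4" "$5"
}

# Checks that a pasted Key ID is a key *version* name; a bare key name (without
# cryptoKeyVersions/N) is the usual copy mistake and is rejected here before it reaches Afi.
is_key_version_name() {
  printf '%s' "$1" |
    grep -Eq '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[0-9]+$'
}

configure_byok() {
  gcloud projects create "$PROJECT"                                    # Step 1
  gcloud services enable cloudkms.googleapis.com --project "$PROJECT"  # Step 2: enable the Cloud KMS API
  gcloud kms keyrings create "$KEYRING" --location "$LOCATION" --project "$PROJECT"  # Step 3
  gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --purpose encryption --project "$PROJECT"                          # Step 4
  # Step 6: bind the role on this single key only, not on the key ring or the project.
  gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --project "$PROJECT" --member "serviceAccount:$AFI_SA" --role "$ROLE"
  # Step 5: a new key has exactly one version, 1; print the name to paste into the Afi portal.
  key_version_name "$PROJECT" "$LOCATION" "$KEYRING" "$KEY" 1
  echo
}

# Provision only when asked, so the file can also be sourced for its helper functions.
if [ "${BYOK_APPLY:-0}" = 1 ]; then configure_byok; fi
```

Run it with BYOK_APPLY=1 to provision; without that variable it only defines the helpers.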
How to configure Bring-Your-Own-Key encryption with Amazon Web Services KMS?
This section explains how to create a cryptographic key in Amazon Web Services (AWS) KMS and grant access to this key to Afi Backup. The guide assumes that you have an Amazon Web Services account with enabled billing.
To start the key configuration, log in to your AWS portal and select the AWS key region based on your Afi datacenter region:
- us-east-2 for the USA;
- eu-central-1 for the EU;
- eu-west-2 for the United Kingdom;
- ap-southeast-2 for Australia;
- ca-central-1 for Canada.
When the region is selected, go to KMS → Customer managed keys and click on Create a Key, then follow the steps below:
Step 1 - Select a Symmetric key type with the Encrypt and decrypt usage, and leave Advanced options as default:
Step 2 - Specify AFI-BYOK as the key alias and "BYOK encryption key for Afi Backup" as the key description:
Step 3 - Leave key administrative permissions as default:
Step 4 - Add key usage permissions for the Afi AWS account 201720642051:
Step 5 - Review the key settings and click on the Finish button:
After the key is created, copy its ARN for further configuration on the Afi side. We also advise enabling automatic key rotation once per year on the AWS side.
Step 6 - Create an AWS KMS key secret (use the key's ARN from Step 5 as the Key ID) in the Afi portal at the Service → Settings → SLA tab and select it as an encryption key in your backup policies.
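The AWS part of the procedure scripted with the AWS CLI, including the key policy that the console's "key usage" step produces for the Afi account. This is an added example, not Afi's own code: it assumes the AWS CLI is authenticated as an administrator of your account; the function names and the "usa"/"eu"/"uk"/"australia"/"canada" region labels are assumptions.

```shell
#!/bin/sh
# Added example, not Afi's own code: AWS CLI equivalent of Steps 1-5 of the AWS KMS guide.
# Assumes the AWS CLI is installed and authenticated as an administrator of your own account.
set -eu
AFI_ACCOUNT="201720642051"   # Afi's AWS account, from Step 4 of the guide

# Maps an Afi datacenter region to the AWS region the guide prescribes for the key.
aws_region_for() {
  case "$1" in
    usa)       echo us-east-2 ;;
    eu)        echo eu-central-1 ;;
    uk)        echo eu-west-2 ;;
    australia) echo ap-southeast-2 ;;
    canada)    echo ca-central-1 ;;
    *) echo "unknown Afi region: $1" >&2; return 1 ;;
  esac
}

# Key policy: keeps the default administrative statement for your own account ($2) and gives
# Afi's account ($1) only the usage actions; no administrative, grant or policy actions.
afi_key_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "Enable IAM User Permissions", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$2:root" }, "Action": "kms:*", "Resource": "*" },
    { "Sid": "Allow use of the key by Afi Backup", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": "*" }
  ]
}
EOF
}

create_afi_key() {   # $1 = Afi datacenter region, e.g. eu
  region=$(aws_region_for "$1")
  own_account=$(aws sts get-caller-identity --query Account --output text)
  # Steps 1-4: symmetric encrypt/decrypt key with the guide's description, alias and the policy above.
  key_id=$(aws kms create-key --region "$region" --key-spec SYMMETRIC_DEFAULT --key-usage ENCRYPT_DECRYPT \
    --description "BYOK encryption key for Afi Backup" \
    --policy "$(afi_key_policy "$AFI_ACCOUNT" "$own_account")" \
    --query KeyMetadata.KeyId --output text)
  aws kms create-alias --region "$region" --alias-name alias/AFI-BYOK --target-key-id "$key_id"
  aws kms enable-key-rotation --region "$region" --key-id "$key_id"   # yearly rotation, as the guide advises
  # Step 5/6: the ARN is what the Afi portal expects as the Key ID.
  aws kms describe-key --region "$region" --key-id "$key_id" --query KeyMetadata.Arn --output text
}
if [ "${BYOK_APPLY:-0}" = 1 ]; then create_afi_key "${AFI_REGION:-eu}"; fi
```

Compare the printed policy with the one the console generated for an existing key: any statement that gives the Afi account more than these five actions is worth removing.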
How to configure Bring-Your-Own-Key encryption with Microsoft Azure KMS?
This section explains how to create a cryptographic key in Microsoft Azure KMS and use this key with Afi Backup. The guide assumes that you have a Microsoft Azure account with enabled billing.
The key steps to configure encryption with Microsoft Azure KMS are the following:
- Create a Microsoft 365 application in your Azure Active Directory domain.
- Generate a private key and certificate pair for this application and create a corresponding application credentials entity on the Afi side (this allows Afi to use this application to access your Azure KMS key).
- Create an Azure KMS key and grant access to this key to the application created in step 1.
- Create an Azure KMS key secret on Afi side with the key identifier from step 3 and application credentials from step 2.
- Select a key created in step 4 as an encryption key in backup policies that you use to protect the data.
Below is the detailed description of the outlined configuration steps.
Step 1 - Create a Microsoft 365 application
Open Azure Active Directory in your Microsoft Azure account and go to the App registrations section to create an application.
Click on the New registration button to create an application. We suggest creating an application that is available only inside your current organizational directory (single-tenant, not multi-tenant).
After the application is created, copy its client and tenant IDs; you will need them later to create an application credentials entity on the Afi side.
Step 2 - Create application credentials
After the application is created, you need to generate a private key and certificate pair that will be used by Afi to act on behalf of the application. The certificate should be uploaded in the application created in step 1 and both the key and certificate will be used to create application credentials on the Afi side.
You can use the following CLI command to generate a key/certificate pair:
openssl req -x509 -newkey rsa:2048 -keyout azure-app-key.pem -out azure-app-cert.pem -days 36500 -nodes -subj /CN=afi.ai
Go to the Certificates & secrets section inside the application settings and upload the certificate:
After that, go to the Afi application and create an application credentials object at the Service → Settings → Secrets tab.
Step 3 - Create an Azure Key Vault and a KMS key
Go to the Key vaults service in the Azure portal (it can be located via the search bar) and create a key vault where your Azure KMS key will reside.
We recommend creating a key vault with the default settings suggested by Azure, and make sure that you create the key in a region that is geographically close to the region selected in Afi.
To create a KMS key, go to the Keys section inside the vault and click on the Generate/Import key button:
When the key is created, copy its identifier to continue the configuration on the Afi side:
After that you need to create an access policy that will allow the recently created Azure Active Directory application to access the key (go to the Access policies section inside the vault and click on the Create button):
Select Decrypt and Encrypt key permissions during the policy creation:
Select the recently created Azure Active Directory application as a principal (the next Application step is optional and should be skipped):
Step 4 - Create an Azure KMS key secret in the Afi portal
Go to the Service → Settings → Secrets tab in the Afi portal and create an Azure KMS key secret (use the KMS key identifier from Step 3 and the application credentials created in Step 2).
Step 5 - Add an Azure KMS key secret as an encryption key for backup policies
Go to the Service → Settings → SLA tab and select the configured Azure KMS key secret as the encryption key for the backup policies in your domain, then protect the resources in your domain with these policies:
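Steps 1 through 3 of the Azure procedure scripted with the Azure CLI, using the guide's openssl command and an access policy limited to encrypt and decrypt. This is an added example, not Afi's own code: it assumes az is logged in to the right tenant and the public Azure cloud; the application, resource group, vault and key names and the helper function names are placeholders.

```shell
#!/bin/sh
# Added example, not Afi's own code: Azure CLI equivalent of Steps 1-3 of the Azure guide.
# Assumes az is logged in to the right tenant; the app, vault and group names are placeholders.
set -eu
APP_NAME="${APP_NAME:-afi-backup-byok}"
RG="${RG:-afi-backup-rg}"
VAULT="${VAULT:-afi-backup-kv}"       # Key Vault names are global, so this one may need changing
LOCATION="${LOCATION:-westeurope}"    # pick the Azure region closest to your Afi region
KEY_NAME="afi-backup-key"

# Step 2: the guide's openssl command, producing the private key that stays with you
# (uploaded to Afi as application credentials) and the certificate uploaded to the app.
make_app_certificate() {
  openssl req -x509 -newkey rsa:2048 -keyout azure-app-key.pem -out azure-app-cert.pem \
    -days 36500 -nodes -subj /CN=afi.ai
}

# A public-cloud Key Vault key identifier is https://<vault>.vault.azure.net/keys/<name>/<32-hex version>;
# this check catches a truncated or mistyped identifier before it is saved as the Afi Key ID.
is_keyvault_key_id() {
  printf '%s' "$1" | grep -Eq '^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

configure_azure_byok() {
  # Step 1: single-tenant app registration; client and tenant IDs go into the Afi credentials object.
  app_id=$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg \
    --query appId --output tsv)
  tenant_id=$(az account show --query tenantId --output tsv)
  # Step 2: upload only the certificate to the application; the private key never goes to Azure.
  make_app_certificate
  az ad app credential reset --id "$app_id" --cert @azure-app-cert.pem --append >/dev/null
  # Step 3: vault with the access-policy model (so set-policy applies), an RSA key, and a policy
  # that grants the application encrypt and decrypt only.
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization false >/dev/null
  az keyvault key create --vault-name "$VAULT" --name "$KEY_NAME" --kty RSA --size 2048 >/dev/null
  az keyvault set-policy --name "$VAULT" --spn "$app_id" --key-permissions encrypt decrypt >/dev/null
  key_id=$(az keyvault key show --vault-name "$VAULT" --name "$KEY_NAME" --query key.kid --output tsv)
  echo "client_id=$app_id tenant_id=$tenant_id key_id=$key_id"   # values for Steps 2 and 4 in Afi
}

if [ "${BYOK_APPLY:-0}" = 1 ]; then configure_azure_byok; fi
```

The printed client_id, tenant_id and key_id are the three values the Afi Secrets tab asks for in Steps 2 and 4; keep azure-app-key.pem out of version control.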