This documentation is no longer updated. Please visit New Afi Documentation Center.
All customer data is encrypted in transit and at rest. We use an up-to-date TLS 1.x protocol for all control communications, including data transfer between Afi components, so that all traffic is encrypted. For data at rest, we use AES with 256-bit keys (AES-256), one of the most secure encryption algorithms.
You can learn more about security and privacy by visiting the page: https://afi.ai/compliance
In addition to Afi-managed data encryption, customers can use their own encryption keys (BYOK) for data at rest. Afi supports all major Key Management System (KMS) providers including Google KMS, AWS KMS, and Azure KMS.
Bring-Your-Own-Key (BYOK) is the best-practice solution to strengthen cloud backup security by using customer-managed encryption keys to encrypt backup data. Cloud Security Alliance (CSA) and NIST recommend using the BYOK approach as a way to increase security for data and reduce risks while working with cloud providers.
Why does your organization need a Bring-Your-Own-Key backup?
Afi Backup BYOK capabilities can help you to solve the following problems:
- Comply with regulatory or contractual requirements and internal security policies. Encryption key self-management can be required or recommended by your regulatory or contractual requirements, and the BYOK approach allows you to satisfy these requirements with minimal configuration on the user side.
- Increase control over your data and mitigate risks. The BYOK approach allows customers to suspend or revoke the Afi application's access to backup data at any moment, giving you an additional level of control over your data and reducing security risks. BYOK also serves as a cryptographic data removal mechanism if you decide to terminate your account at any time for any reason.
How does Bring-Your-Own-Key encryption work with Afi?
Afi Backup provides an option to manage the encryption key on the customer's side using Google Cloud KMS (Key Management Service), Azure KMS or Amazon Web Services (AWS) KMS. When the BYOK feature is configured, the Afi Backup system uses the customer's key to encrypt backup data, while the customer maintains full control over the encryption key and can revoke access to backup data at any time.
- Create a new Secret on the Service → Settings → Secret tab in the Afi portal with your new KMS key.
- Replace your old Secret with the newly created one in your backup SLA policies on the Service → Settings → SLA tab.
- Make sure that all resources with a backup in your tenant are protected with backup SLA policies with the new Secret configured, including archived resources. If some resources in a tenant are not protected at the moment, but have a backup, you should protect them with a backup SLA policy as well.
- Trigger a backup for all resources in a tenant and wait until the backups are completed. The Afi service will trigger backup jobs both for active and archived protected resources and re-encrypt their keys.
Once the backups are finished, their backup keychains will be fully re-encrypted with the new Secret, and the old Secret as well as the old KMS key will no longer be needed. Because this procedure is sensitive, we advise keeping the old Secret and the old KMS key for several months before deletion to make sure that you don't lose access to your backup data accidentally. Please contact Afi Support if you have deleted a Secret accidentally and want to recover it. When you switch from an Afi-managed encryption key to a customer-managed one, the default Afi-managed Secret is kept by the service indefinitely.
You can disable all key versions or revoke the Afi service account's access to a key at any time to make all your backup data inaccessible to the Afi application. Please note that disabling a key doesn't interrupt backup and recovery operations that started before the key was revoked.
All secrets and keys in an encryption keychain are stored in encrypted form on the Afi side and require either the corresponding Afi-managed or customer-managed Google Cloud KMS master key to be re-encrypted. For performance reasons, the encryption key associated with a Secret is cached in service memory for several hours after it is re-encrypted for a backup job or when a backup is accessed on the customer side, so if you want to test a KMS key revocation, you should wait a few hours before access to the backups is fully revoked. After the cached key expires, the Afi service can no longer decrypt it with a revoked KMS key, and backup access is completely disabled until the revoked KMS key is reactivated.
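The rotation steps above and the revocation-with-caching behaviour just described both follow from one design: the service stores only KMS-wrapped data keys and keeps unwrapped keys in memory for a limited time. The following simulation is an added illustration written for this page, not Afi's code; it assumes a stand-in KMS (`SimKms`) with enable/disable and per-principal grants, a constructed service principal name, and an HMAC-SHA256 keystream in place of the AES key wrapping a real KMS would use. It shows that rotation leaves every backup's data key unchanged while making the old KMS key unnecessary, and that after revocation a cached key keeps working only until its TTL expires.

```python
"""Simulated BYOK keychain: envelope encryption, key rotation and revocation.
Added illustration, not Afi's code. The wrapping primitive is a toy
HMAC-SHA256 keystream XOR standing in for AES-GCM in a real KMS."""
import hashlib
import hmac
import secrets


class KmsAccessDenied(Exception):
    """Raised when a KMS key is disabled or the caller has no grant on it."""


def _keystream_xor(master: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy wrap/unwrap: XOR data with HMAC-SHA256(master, nonce || counter) blocks.
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(master, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SimKms:
    """Customer-side KMS stand-in: keys can be disabled; grants are per principal."""

    def __init__(self):
        self.keys = {}    # resource name -> [master key bytes, enabled flag]
        self.grants = {}  # resource name -> set of principals allowed to use it

    def create_key(self, name: str) -> str:
        self.keys[name] = [secrets.token_bytes(32), True]
        self.grants[name] = set()
        return name

    def grant(self, name: str, principal: str) -> None:
        self.grants[name].add(principal)

    def disable(self, name: str) -> None:
        self.keys[name][1] = False

    def _check(self, name: str, principal: str) -> bytes:
        if name not in self.keys or not self.keys[name][1] or principal not in self.grants[name]:
            raise KmsAccessDenied(name)
        return self.keys[name][0]

    def wrap(self, name: str, principal: str, data_key: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + _keystream_xor(self._check(name, principal), nonce, data_key)

    def unwrap(self, name: str, principal: str, blob: bytes) -> bytes:
        return _keystream_xor(self._check(name, principal), blob[:16], blob[16:])


class Keychain:
    """Backup-service side: stores only wrapped data keys, caches unwrapped ones."""

    def __init__(self, kms: SimKms, principal: str, cache_ttl: int):
        self.kms, self.principal, self.ttl = kms, principal, cache_ttl
        self.entries = {}  # backup id -> (kms key name, wrapped data key)
        self.cache = {}    # backup id -> (plaintext data key, expiry time)

    def add_backup(self, backup_id: str, kms_key: str) -> None:
        data_key = secrets.token_bytes(32)
        self.entries[backup_id] = (kms_key, self.kms.wrap(kms_key, self.principal, data_key))

    def data_key(self, backup_id: str, now: int) -> bytes:
        """Return the backup's data key, served from cache while the entry is fresh."""
        cached = self.cache.get(backup_id)
        if cached and cached[1] > now:
            return cached[0]
        kms_key, blob = self.entries[backup_id]
        key = self.kms.unwrap(kms_key, self.principal, blob)  # raises if revoked
        self.cache[backup_id] = (key, now + self.ttl)
        return key

    def rotate(self, old_key: str, new_key: str) -> None:
        """Re-wrap every entry under old_key with new_key; data keys stay the same."""
        for backup_id, (kms_key, blob) in list(self.entries.items()):
            if kms_key == old_key:
                plain = self.kms.unwrap(old_key, self.principal, blob)
                self.entries[backup_id] = (new_key, self.kms.wrap(new_key, self.principal, plain))
        self.cache.clear()


def demo() -> dict:
    """Rotation, then revocation with cache expiry; returns the three observations."""
    kms, svc = SimKms(), "storage-byok@example"  # constructed principal name
    old = kms.create_key("keyRings/afi-backup-keyring/cryptoKeys/key-v1")
    new = kms.create_key("keyRings/afi-backup-keyring/cryptoKeys/key-v2")
    kms.grant(old, svc)
    kms.grant(new, svc)
    chain = Keychain(kms, svc, cache_ttl=3600)
    chain.add_backup("mailbox-1", old)
    key_before = chain.data_key("mailbox-1", now=0)
    chain.rotate(old, new)
    kms.disable(old)                                    # old key is no longer needed
    key_after = chain.data_key("mailbox-1", now=10)     # unwrapped with the new key
    kms.disable(new)                                    # customer revokes access
    still_cached = chain.data_key("mailbox-1", now=100)  # served from cache
    try:
        chain.data_key("mailbox-1", now=10 + 3600)       # cache expired: KMS refuses
        denied = False
    except KmsAccessDenied:
        denied = True
    return {"same_key_after_rotation": key_before == key_after,
            "cached_after_revoke": still_cached == key_after,
            "denied_after_cache_expiry": denied}
```

The `now` parameter is an injected clock so the cache TTL can be stepped deterministically; in the real service the TTL is the "several hours" the page mentions, which is why a revocation test should wait that long before concluding access is gone.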
How to configure Bring-Your-Own-Key encryption with Google Cloud KMS?
This section explains how to create a cryptographic key in Google Cloud KMS and grant the Afi Backup application access to this key. The guide assumes that you have a Google Cloud Platform account with billing enabled. The cost of using a customer-managed Google Cloud KMS key to protect your backups is very small and usually doesn't exceed a few US dollars per Afi tenant.
Step 1 - Create a new project in your GCP organization (for example, afi-backup-byok).
You can also use one of your existing GCP projects, but it can make controlling your GCP resources more complicated.
Step 2 - Go to Key Management (KMS) in the selected GCP project and enable Cryptographic Keys API if it isn't enabled yet (type KMS in the search field at the top of the screen to locate it):
Step 3 - Create a new Key ring (for example, "afi-backup-keyring") with a "global" location. You can also specify the exact region where you want the key to be stored if you have such preferences.
Step 4 - Click on the Key ring from the previous step and create a KMS key there (for example, "afi-backup-key").
This screenshot shows the recommended settings for an encryption key:
Step 5 - Copy the key name by clicking on Copy Resource Name. This key name should be used in Step 7 to finish BYOK configuration on Afi side (key name example - projects/byok-test/locations/europe-west1/keyRings/afi-backup-keyring/cryptoKeys/afi-backup-key).
Step 6 - Open the Permissions tab for the key and grant access for the Afi service account (storage-byok@afi-production.iam.gserviceaccount.com) with a Cloud KMS CryptoKey Encrypter/Decrypter role. If the Permissions tab is hidden, click on Show Info Panel in the top-right corner of the page.
Step 7 - Create a GCP KMS key secret (use the key's Resource Name from Step 5 as the Key ID) in the Afi portal on the Service → Settings → Secrets tab and select it as an encryption key in your backup policies on Service → Settings → SLA tab.
How to configure Bring-Your-Own-Key encryption with Amazon Web Services KMS?
This section explains how to create a cryptographic key in Amazon Web Services (AWS) KMS and grant Afi Backup access to this key. The guide assumes that you have an Amazon Web Services account with billing enabled.
To start the key configuration, log in to your AWS portal and select the AWS key region based on your Afi datacenter region:
- us-east-2 for the USA;
- eu-central-1 for the EU;
- eu-west-2 for the United Kingdom;
- ap-southeast-2 for Australia;
- ca-central-1 for Canada.
When the region is selected, go to KMS → Customer managed keys and click on Create a Key, then follow the steps below:
Step 1 - Select a Symmetric key that will be used to Encrypt and decrypt, and leave Advanced options at their defaults:
Step 2 - specify AFI-BYOK as the key alias and BYOK encryption key for Afi Backup as the key description:
Step 3 - leave key administrative permissions as default:
Step 4 - add the key usage permission for Afi AWS account 201720642051:
Step 5 - review key settings and click on Finish button:
After the key is created, copy its ARN for further configuration on the Afi side. We also advise customers to enable automatic key rotation (once per year) on the AWS side.
Step 6 - Create an AWS KMS key secret (use the key's ARN from Step 5 as the Key ID) in the Afi portal at the Service → Settings → SLA tab and select it as an encryption key in your backup policies.
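Step 4 above ("add the key usage permission for Afi AWS account 201720642051") is what the console writes into the key policy as a cross-account grant. The following is an added example, not Afi's or AWS's code: it builds the equivalent key policy document and reviews it for the mistakes that undermine BYOK (a wildcard principal, a wildcard action for the external account, or an unexpected account). The account ID comes from this page; the action list models the usage permissions the AWS console assigns to "key users" and omits the console's separate grant-management statement, so treat it as a simplified model.

```python
"""Build and review a least-privilege AWS KMS key policy for the Afi BYOK grant.
Added example for this page, not Afi's or AWS's own code."""
import json

AFI_ACCOUNT_ID = "201720642051"  # Afi AWS account, as stated on the page
KEY_USAGE_ACTIONS = [            # modelled on the console's "key users" permissions
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(owner_account_id: str, user_account_id: str = AFI_ACCOUNT_ID) -> dict:
    """Owner account keeps administration; the external account gets usage only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # key administration stays in your own account (Step 3, defaults)
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # key usage for the Afi account only (Step 4)
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{user_account_id}:root"},
                "Action": list(KEY_USAGE_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def _account_of(arn: str) -> str:
    # arn:partition:service:region:account-id:resource -> account-id (empty if malformed)
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def review_key_policy(policy: dict, owner_account_id: str, allowed_external=None) -> list:
    """Return findings as strings; an empty list means only the expected BYOK grant exists."""
    allowed_external = allowed_external if allowed_external is not None else {AFI_ACCOUNT_ID}
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        arns = principal if isinstance(principal, str) else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else list(arns)
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: principal '*' makes the key usable by anyone")
                continue
            account = _account_of(arn)
            if account == owner_account_id:
                continue  # your own account may administer the key
            if account not in allowed_external:
                findings.append(f"{sid}: unexpected external account {account or arn}")
            extra = [a for a in actions if a == "kms:*" or a not in KEY_USAGE_ACTIONS]
            if extra:
                findings.append(f"{sid}: external principal granted beyond key usage: {extra}")
    return findings


if __name__ == "__main__":
    policy = build_key_policy("111111111111")  # constructed owner account ID
    print(json.dumps(policy, indent=2))
    print("findings:", review_key_policy(policy, "111111111111"))
```

Run it against a policy exported from the console (`aws kms get-key-policy` returns the document as a JSON string) to confirm that the only principal outside your account is the Afi account and that it holds usage permissions only.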
How to configure Bring-Your-Own-Key encryption with Microsoft Azure KMS?
This section explains how to create a cryptographic key in Microsoft Azure KMS and use this key with Afi Backup. The guide assumes that you have a Microsoft Azure account with billing enabled.
The key steps to configure encryption with Microsoft Azure KMS are the following:
- Create a Microsoft 365 application in your Azure Active Directory domain.
- Generate a private key and certificate pair for this application and create a corresponding application credentials entity on the Afi side (this will allow Afi to use this application for accessing your Azure KMS key).
- Create an Azure KMS key and grant access to this key to the application created in step 1.
- Create an Azure KMS key secret on Afi side with the key identifier from step 3 and application credentials from step 2.
- Select a key created in step 4 as an encryption key in backup policies that you use to protect the data.
Below is the detailed description of the outlined configuration steps.
Step 1 - Create a Microsoft 365 application
Open Azure Active Directory in your Microsoft Azure account and go to the App registrations section to create an application.
Click on the New registration button to create an application. We suggest creating an application that is available only inside your current organizational directory (single-tenant, not multi-tenant).
After the application is created, copy its client and tenant IDs - you will need them later to create an application credentials entity on Afi side.
Step 2 - Create application credentials
After the application is created, you need a private key and certificate pair that will be used by Afi to act on behalf of the application. The certificate should be uploaded in the application created in Step 1 and both the key and certificate will be used to create application credentials on the Afi side.
To proceed, please go to the Afi application and create an application credentials object with tenant and client identifiers from Step 1 at the Service → Settings → Secrets tab.
Then click on the Generate certificate button and download a certificate locally before saving an application credentials secret (a private key linked to the certificate will be kept on Afi side and used to interact with the application on Azure side):
Go to the Certificates & secrets section inside the application settings and upload the certificate:
Step 3 - Create an Azure Key Vault and a KMS key
Go to the Key vaults service in the Azure portal (it can be located via the search bar) and create a key vault where your Azure KMS key will reside.
We recommend creating the key vault with the default settings suggested by Azure, and make sure that you create the key in a region that is geographically close to the region selected in Afi.
To create a KMS key, go to the Keys section inside the vault and click on the Generate/Import key button:
When the key is created, copy its identifier to continue the configuration on the Afi side:
After that you need to create an access policy that will allow the recently created Azure Active Directory application to access the key (go to the Access policies section inside the vault and click on the Create button):
Select Decrypt and Encrypt key permissions during the policy creation:
Select the recently created Azure Active Directory application as a principal (the next Application step is optional and should be skipped):
Step 4 - Create an Azure KMS key secret in the Afi portal
Go to the Service → Settings → Secrets tab in the Afi portal and create an Azure KMS key secret (use the KMS key identifier from Step 3 and the application credentials created in Step 2).
Step 5 - Add an Azure KMS key secret as an encryption key for backup policies
Go to the Service → Settings → SLA tab and select the configured Azure KMS key secret as the encryption key for the backup policies in your domain, then protect the resources in your domain with these policies: