Bring-Your-Own-Key (BYOK) is a best-practice solution to strengthen cloud backup security by using customer-managed encryption keys to encrypt backup data. Cloud Security Alliance (CSA) and NIST recommend using the BYOK approach as a way to increase security for data and reduce risks while working with cloud backup providers.
Note: This feature is not available in a standard Afi SaaS backup subscription. Please contact sales@afi.ai for more details.
Why your organization needs a Bring-Your-Own-Key backup?
Afi Backup with BYOK can help you to solve the following problems:
- Comply with regulatory or contractual requirements and internal security policies. Encryption key self-management can be required or recommended by regulatory or contractual requirements, and the BYOK approach allows to satisfy these requirements with a minimal configuration on a user side.
- Increase control over your data and mitigate the risks. BYOK approach allows a client to suspend or revoke Afi access to backup data at any moment, giving you an additional level of control over your data and reducing security risks. Also, BYOK serves as a cryptographic data removal mechanism if you decide to terminate your account at any time for any reason.
How does Bring-Your-Own-Key encryption work with Afi?
Afi Backup provides an option to manage a data encryption key on a user side using Google Cloud KMS (Key Management Service), AWS or Azure. When the BYOK feature is configured, the Afi Backup system will use the user's key to encrypt backup data, while the user maintains full control over the encryption key and can revoke access to backup data at any time.
Please note that if the encryption key is deleted, access to data will be lost and it will not be possible to recover it.
How to configure Bring-Your-Own-Key encryption with Afi?
This section explains how to create a cryptographic key in Google Cloud KMS and grant access to this key for Afi Backup. The guide assumes that you have a Google Cloud Platform account with enabled billing.
Step 1 - Create a new project in your GCP organization (for example, afi-backup-byok).
You can also use one of your existing GCP projects, but it can make controlling your GCP resources more complicated.
Step 2 - Enable Cryptographic Keys API in the selected GCP project (type KMS in a search field at the top of the screen to locate it)
Step 3 - Create a new Key ring (for example, "afi-backup-keyring") with a "global" location. You can also specify the exact region where you want the key to be stored if you have such preferences.
Step 4 - Click on the Key ring from the previous step and create a KMS key there (for example, "afi-backup-key").
This screenshot shows the recommended settings for an encryption key:
Step 5 - Copy the key name by clicking on "Copy Resource Name". This key name should be provided to Afi support to finish BYOK configuration (key name example - projects/byok-test/locations/europe-west1/keyRings/afi-backup-keyring/cryptoKeys/afi-backup-key/cryptoKeyVersions/1).
Step 6 - Open the Permissions tab for the key and grant access for the Afi service account (storage-byok@afi-production.iam.gserviceaccount.com) with a "Cloud KMS CryptoKey Encrypter/Decrypter" role. If the Permissions tab is hidden, click on 'Show Info Panel' in the top-right corner of the page.
Step 7 - Send an email request with the key's Resource Name from Step 5 to the Afi support team (support@afi.ai). Please note that any backups that existed before the BYOK configuration should be deleted before the BYOK setup. Once you get a confirmation from Afi support that BYOK is configured, you can protect resources and start backups (sometimes, it might take up to a couple of hours for key permissions to be fully propagated in the Google Cloud, in this case, backups will pause for a while and then resume automatically).
You can disable all the key versions or revoke Afi service account access to the key at any time to make all your data inaccessible for Afi. Please note that disabling a key doesn't interrupt backup and recovery operations that started before the key was revoked.