To enable Bring Your Own Key (BYOK) in OwnBackup, the platform requires two Base64-encoded strings: a 256-bit secret encrypted with the OwnBackup region-specific certificate, and the SHA-256 digest of that same 256-bit secret.
The following procedure is for activating BYOK for Azure. For the procedure for BYOK for AWS, see here.
Log in to your OwnBackup account as the account’s owner.
At the top right of the screen, click on your email address.
In the drop-down menu, select Account Settings.
Select the Key Management tab. By default, the Bring Your Own Key checkbox is checked.
Click Archive Current Key and Create New Key...
The dialog window that appears contains instructions for downloading the OwnBackup certificate, as well as the script that generates a 256-bit key and passphrase. In the blue instructions area of the window, click the Download hyperlink to obtain the OwnBackup certificate from the application UI.
To generate the key and passphrase on a Mac-based machine, follow the instructions below:
To generate the key and passphrase on a Windows-based machine, follow the instructions below:
In Git Bash, open a terminal and make the script file executable:
chmod +x secretgen-linux-azure.sh
For example:
./secretgen-linux-azure.sh akm_azure_ob_public.key
After you run the script, the terminal displays the generated key and passphrase as text strings, similar to the following:
Private Key PKCS12:
Encrypted Passphrase:
A dialog window appears, with two text fields, for entering the Private Key PKCS12 and the Encrypted Passphrase strings.
Copy the Private Key PKCS12 string from the terminal and paste it into the Private Key PKCS12 text field, and the Encrypted Passphrase string into the Encrypted Passphrase text field, in the Add and replace master encryption key window.
Click Add and Replace Master Encryption Key.
Your key should appear in the table with the status “Activating…”.
If the key supplied does not match the passphrase entered, the master encryption key activation will be canceled. Subsequently, an OwnBackup Support case will be opened for you, and an email confirming the case will be sent.
Upon successful verification of the uploaded key against the supplied passphrase, your OwnBackup account data will be moved to a newly created volume/bucket encrypted with that AES-256 master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you will receive a notification email. The OwnBackup SLA provides information on the maximum duration of this process.
The following procedure is for activating BYOK for AWS. For the procedure for BYOK for Azure, see here.
To generate the key and hash on a Mac-based machine, follow the instructions below:
To generate the key and hash on a Windows-based machine, follow the instructions below:
For example:
./secretgen-linux.sh akm_aws_ob_public.key
If necessary, you can click Cancel Activation... to revert to the currently active key and cancel the activation.
If the key supplied does not match the key hash entered, the master encryption key activation will be canceled. Subsequently, an OwnBackup Support case will be opened for you, and an email confirming the case will be sent.
Upon successful verification of the uploaded key against the supplied hash value, your OwnBackup account data will be moved to a newly created volume/bucket encrypted with that AES-256 master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you will receive a notification email. The OwnBackup SLA provides information on the maximum duration of this process. Take into account that further time may be required for any migration of historical data, depending on the amount of data per account.
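The two artifacts described in the opening paragraph, and the hash check that cancels activation on a mismatch, as an added shell example using openssl. It is not OwnBackup's secretgen script: it assumes the recipient key is a PEM public key (the file names are placeholders) and substitutes a locally generated RSA key pair for the OwnBackup region certificate.

```shell
#!/bin/sh
# Added example, not OwnBackup's secretgen script: builds the two BYOK
# artifacts (the 256-bit secret encrypted to the recipient public key and
# its SHA-256 digest, both Base64) and runs the platform-side check that the
# digest matches the decrypted secret. Assumes a PEM public key; use
# -certin instead of -pubin if the recipient file is an X.509 certificate.
set -eu

# Write a fresh 256-bit (32-byte) random secret to the file named in $1.
gen_secret() {
    openssl rand -out "$1" 32
}

# Base64 (single line) of the secret in $2 encrypted with RSA public key $1.
encrypt_secret() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" | openssl base64 -A
}

# Base64 (single line) of the SHA-256 digest of the secret in $1.
digest_secret() {
    openssl dgst -sha256 -binary "$1" | openssl base64 -A
}

# Platform-side validation: decrypt blob $2 with private key $1 and compare
# the digest of the recovered secret with the submitted digest $3.
# Prints "match" or "mismatch"; a mismatch is what cancels the activation.
verify_submission() {
    tmp=$(mktemp)
    printf '%s' "$2" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$1" -out "$tmp"
    if [ "$(digest_secret "$tmp")" = "$3" ]; then echo match; else echo mismatch; fi
    rm -f "$tmp"
}

# Demo: a locally generated RSA key pair stands in for the OwnBackup region
# certificate (constructed for this example; the real key comes from the UI).
work=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/priv.pem" 2>/dev/null
openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem"
gen_secret "$work/secret.bin"
blob=$(encrypt_secret "$work/pub.pem" "$work/secret.bin")
dig=$(digest_secret "$work/secret.bin")
echo "Encrypted secret (Base64): $blob"
echo "SHA-256 digest (Base64):   $dig"
echo "Platform check: $(verify_submission "$work/priv.pem" "$blob" "$dig")"
rm -rf "$work"
```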
As part of your company's compliance requirements, you may need to rotate the key periodically. To do so, click the "Archive Current Key and Create New Key..." button. Once the new key is validated on the platform, the volumes are re-encrypted with it. Active backups are not impacted during that time.
When revoking a master encryption key: all access to data is immediately blocked; running backups and jobs will fail to complete, and future backups will not happen. More importantly, all data will be rendered inaccessible unless the previously active key is uploaded again.
Here are the steps to revoke an active master encryption key:
Select the Key Management tab.
Click Revoke Active Key...
Confirm the revocation.
Upon confirming the revocation, you will be sent an email with instructions on the following possible next steps:
How to undo the revocation
How to purge the key from OwnBackup’s records
How to wipe the original volume/bucket