Bring Your Own Key Step by Step Activation

    To enable Bring Your Own Key (BYOK) in the Own application, the platform requires two values: a Base64-encoded string of a 256-bit secret that has been encrypted with the Own region-specific certificate, and a Base64-encoded string of the SHA-256 digest of that same 256-bit secret.
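    The following bash script is an added example, not Own's secretgen script, that produces the two values described above in the form the AWS dialog takes them (a wrapped secret file and a single-line Base64 key hash). It assumes the downloaded file is a PEM X.509 certificate or RSA public key and wraps the secret with RSA-OAEP; the page does not state which padding Own's own script uses, so use the vendor script for a real activation.

```bash
#!/usr/bin/env bash
# Added example, not Own's secretgen script. Assumptions: the downloaded file is a
# PEM X.509 certificate or RSA public key, and RSA-OAEP is an acceptable wrapping
# mode (the page does not state which padding Own's script uses).
set -e

# byok_generate <public key or certificate .pem> <output directory>
# Writes  $out/secret.bin            raw 256-bit secret (never leaves your machine)
#         $out/encrypted_secret.bin  the secret wrapped with the Own public key
# and prints the two Base64 strings the dialog asks for, each on one line.
byok_generate() {
    [ $# -eq 2 ] || { echo "usage: byok_generate <pubkey.pem> <outdir>" >&2; return 1; }
    local pub="$1" out="$2" keyin="$1"
    mkdir -p "$out"

    # 1. 256-bit secret from the OS CSPRNG; restrict the file to the current user.
    openssl rand -out "$out/secret.bin" 32
    chmod 600 "$out/secret.bin"

    # 2. pkeyutl needs a bare public key; extract it if a certificate was supplied.
    if grep -q 'BEGIN CERTIFICATE' "$pub"; then
        openssl x509 -in "$pub" -pubkey -noout > "$out/own_public.pem"
        keyin="$out/own_public.pem"
    fi

    # 3. Wrap the secret with the public key (RSA-OAEP, see assumption above).
    openssl pkeyutl -encrypt -pubin -inkey "$keyin" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$out/secret.bin" -out "$out/encrypted_secret.bin"

    # 4. Base64 of the wrapped secret and of SHA-256(secret), unwrapped (-A)
    #    so each value pastes into the dialog as a single string.
    echo "Wrapped Encryption Key (Base64):"
    openssl base64 -A -in "$out/encrypted_secret.bin"; echo
    echo "Key Hash (Base64 of SHA-256 digest):"
    byok_key_hash "$out/secret.bin"; echo
}

# byok_key_hash <secret.bin>: the Base64 SHA-256 digest of a raw secret. Run it
# again on the saved secret.bin to confirm the value you pasted as the Key Hash.
byok_key_hash() {
    openssl dgst -sha256 -binary "$1" | openssl base64 -A
}
```

Keep secret.bin offline and access-controlled: it is the key the platform will protect your data with, and the digest lets the platform confirm it unwrapped the right value without you ever sending the secret in clear.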

    NOTE: To complete the steps below, you need Administrator privileges on a local PC.

    BYOK for Azure

    The following procedure is for activating BYOK for Azure. For the procedure for BYOK for AWS, see BYOK for AWS below.

    Download the Sample Script

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab. By default, the Bring Your Own Key checkbox is checked.

    5. Click Archive Current Key and Create New Key...

    6. The dialog window that appears contains instructions on how to download the Own certificate, as well as the script that helps you generate a 256-bit key and passphrase. In the blue instructions area of the window, click the Download hyperlink to obtain the Own certificate from the application UI.

    7. Click either the MacOS or the Linux hyperlink (as needed) to download the sample script, then run it to generate the required information.

    Generate Key and Passphrase on MacOS

    To generate the key and passphrase, do the following:

    1. Open the terminal app and make the script file executable by running:
      chmod +x secretgen-macos-azure.sh
    2. Run the script as sudo, passing the certificate as its argument:
      ./secretgen-macos-azure.sh akm_azure_ob_public.key

    Generate Key and Passphrase on Linux OS and Windows-based machines

    To generate the key and passphrase, do the following:

    1. Download GIT for Windows here.
    2. Install GIT on Windows using the installation wizard. Choose the default in all the steps.
    NOTE: The most important option to select is the OpenSSL library.
    3. Once GIT is installed, open the git-bash application.
    4. Within git-bash, make the script file executable by running:

      chmod +x secretgen-linux-azure.sh

    5. Navigate to the directory where the 2 downloaded files are located (the sample script and the relevant crt).
    6. In git-bash, launch the script. Make sure to have a  ./  before the script and the crt target:

    For example:

    ./secretgen-linux-azure.sh akm_azure_ob_public.key


    After the script runs, the terminal app displays the generated key and passphrase as two text strings, similar to the following:

    Private Key PKCS12:

    [Base64 string omitted]

    Encrypted Passphrase:

    [Base64 string omitted]

    Uploading the Key & Passphrase

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab. By default, the Bring Your Own Key checkbox is checked.

    5. Click Archive Current Key and Create New Key...

    6. A dialog window appears, with two text fields for entering the Private Key PKCS12 and the Encrypted Passphrase strings.

    7. Copy the first text string from the terminal app, and paste it into the Private Key PKCS12 text field in the Add and replace master encryption key window.

    8. Copy the second text string from the terminal app, and paste it into the Encrypted Passphrase text field in the Add and replace master encryption key window.

    9. Click Add and Replace Master Encryption Key.

    10. Your key should appear in the table in “Activating…” status.

    11. If necessary, you can click Cancel Activation... to cancel the activation and revert to the currently active key.

    What Happens after Uploading the Key and Passphrase?

    If the key supplied does not match the passphrase entered, the master encryption key activation is canceled. Subsequently, an Own Support case is opened for you, and an email confirming the case is sent.

    Upon successful verification of the validity of the uploaded key against the passphrase supplied, your Own account data is moved to a newly-created volume/bucket encrypted with that master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you receive a notification email. The Own SLA provides information on the maximum duration of this process.

    BYOK for AWS

    The following procedure is for activating BYOK for AWS. For the procedure for BYOK for Azure, see BYOK for Azure above.

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab. The following screen appears:
    5. Click Set Up BYOK... The following dialog window appears:
    6. This window also contains instructions on how to download the Own public key, as well as the script that helps you generate a 256-bit key and key hash. Click Download Public Key. This downloads our public key.
    7. Click either the MacOS or the Linux hyperlink (as needed) to download the sample script, then run it to generate the required information.

    Generate Key and Hash on MacOS

    To generate the key and hash on a Mac-based machine, follow the instructions below:

    1. Open the terminal app and make the script file executable by running:
      chmod +x secretgen-macos.sh
    2. Run the script as sudo, passing the public key as its argument:
      ./secretgen-macos.sh akm_aws_ob_public.key
    3. After running the script, the terminal app generates the key file, which is saved as encrypted_secret.bin. Click Browse... next to the Wrapped Encryption Key field, then select and upload the generated key file.
    4. Copy the text string under the Key Hash line from the terminal app, and paste it into the Key Hash field in the dialog window.
    5. Click Validate Key.

    6. If the key is valid, a Completed Successfully message appears in the dialog window:

    7. Click Activate.

    8. Your key should appear in the table in resource creation status:

    Generate Key and Hash on Linux OS and Windows-based machines

    To generate the key and hash, do the following:

    1. Download GIT for Windows here.
    2. Install GIT on Windows using the installation wizard. Choose the default in all the steps.
    NOTE: The most important option to select is the OpenSSL library.
    3. Once GIT is installed, open the git-bash application.
    4. Within git-bash, make the script file executable by running:
    chmod +x secretgen-linux.sh
    5. Navigate to the directory where the 2 downloaded files are located (the sample script and the relevant crt).
    6. In git-bash, launch the script, making sure to have a ./ before the script and the crt target:

    For example:
    ./secretgen-linux.sh akm_aws_ob_public.key

    What Happens after Uploading the Encrypted Encapsulated Key and Key Hash?

    After clicking Activate, your Own account data is moved to a newly-created volume/bucket encrypted with that AES-256 master encryption key. Jobs and backups that were in progress may be interrupted during the migration to the newly encrypted volume/bucket. Once the process completes, you receive a notification email. The Own SLA provides information on the maximum duration of this process. Please take into account that further time may be required for any migration of historical data, depending on the amount of data per account.

    Rotating a Key

    As part of your company's compliance, you may need to rotate the key from time to time. To do that, select the Archive Current Key and Create New Key... or Revoke button. This re-encrypts the volumes with the new key after it's validated on the platform. This does not impact active backups during that time.

    NOTE: The text on the button may be different depending on your region.

    Revoking an Active Master Encryption Key

    When revoking a master encryption key, all access to data is immediately blocked; running backups and jobs fail to complete, and future backups do not happen. More importantly, all data is rendered inaccessible unless the previously active key is uploaded again.

    For AWS

    Here are the steps to revoke an active master encryption key:

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab.

    5. Click Revoke. A dialog window appears:

    6. To confirm the revocation, manually type the word "revoke" in the text field and click Revoke.

    7. The following screen will appear:

    For Azure

    Here are the steps to revoke an active master encryption key:

    1. Log in to your Own account as the account’s owner.

    2. At the top right of the screen, click on your email address.

    3. In the drop-down menu, select Account Settings.

    4. Select the Key Management tab.

    5. Click Revoke Active Key...

    6. Confirm the revocation.

    Upon confirming the revocation, you are sent an email with instructions on the following possible next steps:

    • How to undo the revocation

    • How to purge the key from Own’s records

    • How to wipe the original volume/bucket
