This article will help you understand the differences between these two features in the context of Gearset's Backup and Archiving products:
Self-Service Encryption Key - unique key created by Gearset for your team's data stored by the Backup and Archiving products
BYOK (Bring Your Own Key) - ability to create your own encryption key via AWS KMS (Amazon Web Services' Key Management Service)
Gearset offers encryption key management for backup and archived data, giving users full control over their data security.
However, sometimes our users are unclear about the differences and advantages between Bring Your Own Key (BYOK) and Self-Service Encryption Key options.
This article clarifies the differences and highlights the key aspects of each option.
Key differences between BYOK and Self-Service Encryption Key
Ownership and control
Self-Service Encryption Key (default option): Gearset automatically generates a unique encryption key for a team when their first backup or archiving job is created.
BYOK (Bring Your Own Key): Users create their own encryption key using AWS KMS and grants Gearset access to it.
Who manages the key?
Self-Service Encryption Key: Managed by Gearset, ensuring encryption of data at rest and in transit.
BYOK: Managed by the customer via AWS KMS, therefore requires manual configuration.
Availability and setup
Self-Service Encryption Key: Available across all Backup and Archiving licenses. No additional setup required at user's end.
BYOK: Available only on Gearset's Enterprise license. This feature requires users to configure their key within AWS KMS and explicitly grant Gearset access.
Who can delete the key?
Self-Service Encryption Key: Can be deleted by both the customer and Gearset. The customer can delete it at any time while holding a Backup or Archiving license. Gearset will only delete the key when a customer is no longer using Gearset's Backup and Archiving products, for compliance reasons.
BYOK: Can only be deleted by the customer.
What happens when a key is deleted?
Self-Service Encryption Key: Deleting this key removes both the encryption key and all backup and archived data stored in Gearset. This is a full, irreversible deletion.
BYOK: Deleting or disabling the AWS KMS key does not delete the data but makes it permanently inaccessible. Neither the user nor Gearset can decrypt or restore the data.
How users access encryption key management in Gearset
Self-Service Encryption Key:
Location in the app: Encryption key management settings are found in the Data management page under "Data backup and archived settings" section.
BYOK:
To set up BYOK, please contact Gearset support.
Default behavior:
Gearset automatically provisions and manages the Self-Service Encryption Key for all teams by default.
BYOK is not enabled by default and must be set up manually.
Why self-service encryption key management matters?
Self-service encryption key management empowers users by giving them full control over their encryption key.
When a user no longer wants their data stored in Gearset, they can delete their Gearset provided encryption key, making sure that complete deletion of all their backup and archived data is executed.
For Enterprise users leveraging BYOK
They maintain full ownership and control over their encryption key.
They can revoke Gearset’s access at any time, making their data inaccessible.
However, if they accidentally disable or delete the key, all backup and archived data becomes unusable without any recovery option.
Summary on Self-Service Encryption Key vs BYOK
Feature | Self-Service Encryption Key | BYOK (AWS KMS) |
Who provides the key? | Gearset | Customer via AWS KMS |
Who manages it? | Gearset | Customer |
Available for all Backup and Archiving licenses? | Yes | Enterprise license only |
Encryption coverage | Encrypts data at rest and in transit | Encrypts data at rest and in transit |
Who can delete the key? | Customer and Gearset | Customer |
What happens when deleted? | Key and all data are deleted permanently | Key is deleted, data is inaccessible but still stored |
For more details on setting up BYOK, refer to this guide. If you need to delete a Data Master Key in Gearset, check out this article.