BYOK (Bring Your Own Key) vs Self-Service Encryption Key for Backup and Archiving

Find out the key differences between BYOK feature (for Enterprise licenses only), and Self-Service Encryption Key (for Starter licenses)

Written by Mateusz Kochanowicz
Updated over 2 weeks ago

This article will help you understand the differences between these two features in the context of Gearset's Backup and Archiving products:

  • Self-Service Encryption Key - unique key created by Gearset for your team's data stored by the Backup and Archiving products

  • BYOK (Bring Your Own Key) - ability to create your own encryption key via AWS KMS (Amazon Web Services' Key Management Service)

Gearset offers encryption key management for backup and archived data, giving users full control over their data security.

However, users are sometimes unclear about the differences between, and the respective advantages of, the Bring Your Own Key (BYOK) and Self-Service Encryption Key options.

This article clarifies the differences and highlights the key aspects of each option.

Key differences between BYOK and Self-Service Encryption Key

Ownership and control

  • Self-Service Encryption Key (default option): Gearset automatically generates a unique encryption key for a team when their first backup or archiving job is created.

  • BYOK (Bring Your Own Key): Users create their own encryption key using AWS KMS and grant Gearset access to it.

Who manages the key?

  • Self-Service Encryption Key: Managed by Gearset, ensuring encryption of data at rest and in transit.

  • BYOK: Managed by the customer via AWS KMS, and therefore requires manual configuration by the customer.

Availability and setup

  • Self-Service Encryption Key: Available across all Backup and Archiving licenses. No additional setup is required on the user's end.

  • BYOK: Available only on Gearset's Enterprise license. This feature requires users to configure their key within AWS KMS and explicitly grant Gearset access.

Who can delete the key?

  • Self-Service Encryption Key: Can be deleted by both the customer and Gearset. The customer can delete it at any time while holding a Backup or Archiving license. Gearset will only delete the key when a customer is no longer using Gearset's Backup and Archiving products, for compliance reasons.

  • BYOK: Can only be deleted by the customer.

What happens when a key is deleted?

  • Self-Service Encryption Key: Deleting this key removes both the encryption key and all backup and archived data stored in Gearset. This is a full, irreversible deletion.

  • BYOK: Deleting or disabling the AWS KMS key does not delete the data but makes it permanently inaccessible. Neither the user nor Gearset can decrypt or restore the data.
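The BYOK setup described above comes down to one artifact on the customer's side: the AWS KMS key policy that grants the vendor's account access to the key. The example below is added here and is not Gearset's own code or configuration; the account IDs, the statement IDs and the exact list of actions a given vendor needs are placeholders and assumptions. It builds a key policy in which the external account gets only the cryptographic operations needed for envelope encryption of backups, and then checks that no statement lets that account disable the key, schedule its deletion or rewrite the policy, which is what keeps "only the customer can delete the key" true in practice.

```python
"""Constructed example: a least-privilege AWS KMS key policy for a BYOK setup.

Not Gearset's code. Account IDs, Sids and the vendor's action list are
placeholders/assumptions; adapt them to the vendor's documented requirements.
"""
import fnmatch
import json

CUSTOMER_ACCOUNT = "111111111111"  # placeholder: the key owner's AWS account
VENDOR_ACCOUNT = "222222222222"    # placeholder: the backup vendor's AWS account

# Assumed set of operations a backup service needs to use (not administer) the key.
VENDOR_ALLOWED_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
]

# Administrative operations that must stay with the key owner. If the external
# account could call any of these, it could disable or delete the key itself.
ADMIN_ACTIONS = {
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
    "kms:PutKeyPolicy",
    "kms:DeleteImportedKeyMaterial",
}


def build_byok_key_policy(customer_account: str, vendor_account: str) -> dict:
    """Return a KMS key policy document (as a dict) for a customer-owned BYOK key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # The owner keeps full administrative control of the key.
                "Sid": "OwnerFullAccess",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{customer_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # The vendor may use the key, but not administer it.
                "Sid": "VendorCryptoUseOnly",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
                "Action": VENDOR_ALLOWED_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def policy_as_json(policy: dict) -> str:
    """Serialise the policy the way it would be passed to PutKeyPolicy."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_ids(principal) -> list:
    """Flatten the Principal field ('*' or {'AWS': ...}) into a list of strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def check_vendor_is_not_key_admin(policy: dict, vendor_account: str) -> list:
    """Return (Sid, action) pairs where the vendor is allowed an administrative action.

    An empty list means the external account can use the key but cannot disable
    it, schedule its deletion, or change its policy. Action matching uses
    IAM-style wildcards (e.g. 'kms:*', 'kms:Dis*').
    """
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principal_ids(stmt.get("Principal", {}))
        if not any(p == "*" or f":{vendor_account}:" in p for p in principals):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for admin in ADMIN_ACTIONS:
                if fnmatch.fnmatchcase(admin, pattern):
                    findings.add((stmt.get("Sid"), admin))
    return sorted(findings)


if __name__ == "__main__":
    policy = build_byok_key_policy(CUSTOMER_ACCOUNT, VENDOR_ACCOUNT)
    print(policy_as_json(policy))
    print("vendor admin findings:", check_vendor_is_not_key_admin(policy, VENDOR_ACCOUNT))
```

Two practical notes on this design. First, a key policy alone does not complete a cross-account setup: the external account must also allow the same KMS actions in its own IAM policies, so the customer's key policy is the outer, owner-controlled boundary rather than the only one. Second, AWS KMS never deletes a key immediately: ScheduleKeyDeletion puts the key into a pending-deletion state for a configurable waiting period (7 to 30 days) during which the deletion can be cancelled, and DisableKey is reversible with EnableKey. During that window the key is already unusable, so backups are inaccessible as the article describes, but the owner still has a chance to recover from an accidental action.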

How users access encryption key management in Gearset

  • Self-Service Encryption Key:

    • Location in the app: Encryption key management settings are found in the Data management page under "Data backup and archived settings" section.

  • BYOK:

  • Default behavior:

    • Gearset automatically provisions and manages the Self-Service Encryption Key for all teams by default.

    • BYOK is not enabled by default and must be set up manually.

Why self-service encryption key management matters

Self-service encryption key management empowers users by giving them full control over their encryption key.

When a user no longer wants their data stored in Gearset, they can delete their Gearset-provided encryption key, which triggers the complete deletion of all their backup and archived data.

For Enterprise users leveraging BYOK

  • They maintain full ownership and control over their encryption key.

  • They can revoke Gearset’s access at any time, making their data inaccessible.

  • However, if they accidentally disable or delete the key, all backup and archived data becomes unusable without any recovery option.

Summary on Self-Service Encryption Key vs BYOK

| Feature | Self-Service Encryption Key | BYOK (AWS KMS) |
| --- | --- | --- |
| Who provides the key? | Gearset | Customer via AWS KMS |
| Who manages it? | Gearset | Customer |
| Available for all Backup and Archiving licenses? | Yes | Enterprise license only |
| Encryption coverage | Encrypts data at rest and in transit | Encrypts data at rest and in transit |
| Who can delete the key? | Customer and Gearset | Customer |
| What happens when deleted? | Key and all data are deleted permanently | Key is deleted, data is inaccessible but still stored |

For more details on setting up BYOK, refer to this guide. If you need to delete a Data Master Key in Gearset, check out this article.
