All Collections
Data Backup
Data Backup Bring Your Own External Key (BYOK)
Setting up BYOK for Gearset Backup using AWS KMS
Setting up BYOK for Gearset Backup using AWS KMS
Rumyana Cherneva avatar
Written by Rumyana Cherneva
Updated over a week ago


Gearset can use a customer’s own encryption key is if it is created via AWS. At this time other methods are not available. You will need access to AWS and the ability to create and manage a key in the region where Gearset will be hosting your data (listed below). You will be responsible for the key’s maintenance and updating Gearset with any changes around it. We will require permissions to access and use the key which will be specified in the instructions below.

Available regions:

AWS Location

AWS Region

Gearset Account Number

Europe (Ireland)



United States (Oregon)



Australia (Sydney)



Creating a new customer managed key in AWS

Please follow the steps below to create your AWS customer managed key using AWS's KMS services.
Note: You will have to have already created a Gearset account in

  1. Login to AWS account and make sure you are in the specific region where you wish your data to be hosted in.

  2. Navigate to Key Management Service (KMS) via the Search functionality

  3. Click on Create a key

  4. Make sure that you have selected Symmetric key type and Encrypt and Decrypt key usage.

  5. Add an appropriate alias. Add tags if desired.

  6. Select the key administrators and whether they can delete the key or not.

  7. Select key users. In the Other AWS accounts section fill in the account number of the Gearset account you have chosen for your backup.

  8. Review the permissions. Check the key policy section. They should include the following permissions granted to the Gearset AWS root account (replace GearsetAccountNumber with an account number from this section):

    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
    "AWS": "arn:aws:iam::GearsetAccountNumber:root"
    "Action": [
    "Resource": "*"
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
    "AWS": "arn:aws:iam::GearsetAccountNumber:root"
    "Action": [
    "Resource": "*",
    "Condition": {
    "Bool": {
    "kms:GrantIsForAWSResource": "true"

  9. Click Finish

Provide the key's ARN to Gearset

Go to KMS and open the newly created key.

Copy the ARN and provide it via Gearset account executive. Please also confirm the region you have chosen. You will need an existing Gearset account in the same region that has already been created. Gearset will set things up for you and let you know when everything is ready. Do not create a backup job until you have heard back from the team that everything is set up. Once you have received the confirmation, you are ready to start backing up your metadata and data.

Key rotation

If you use AWS's automatic rotation then we don't need to be contacted. It is done automatically by AWS. AWS will update the cryptographic material of your existing key which won’t change the key id. The AWS automatic key rotation is transparent to Gearset.
Please let Gearset know beforehand if you rotate your keys by creating new ones manually. If you need to provide Gearset with a new key that you have manually created, you will have to contact Gearset support and provide the ARN of the new key.

Deleting your key

This is a process that can be done by you. Log into the AWS account where your backup key is hosted and delete it. There is a required grace period of minimum 7 days and maximum 30 days. Once the key is deleted your data will be inaccessible, and we won't be able to recover it. Please let Gearset know if you plan to delete your key, so we can make sure that this is the right course of action and remove any links to the key on our side.
If you are unsure whether deleting the key is the right course of action you could disable it instead by finding your key in AWS and clicking Disable from Key Actions in the top right corner.

Did this answer your question?