Overview
Gearset can use a customer’s own encryption key is if it is created via AWS. At this time other methods are not available. You will need access to AWS and the ability to create and manage a key in the region where Gearset will be hosting your data (listed below). You will be responsible for the key’s maintenance and updating Gearset with any changes around it. We will require permissions to access and use the key which will be specified in the instructions below.
Available regions:
AWS Location | AWS Region | Gearset Account Number |
Europe (Ireland) | eu-west-1 | 347752291521 |
United States (Oregon) | us-west-2 | 157764733222 |
Australia (Sydney) | ap-southeast-2 | 178658833999 |
Creating a new customer managed key in AWS
Please follow the steps below to create your AWS customer managed key using AWS's KMS services.
Note: You will have to have already created a Gearset account in app.gearset.com.
Login to AWS account and make sure you are in the specific region where you wish your data to be hosted in.
Navigate to Key Management Service (KMS) via the Search functionality
Click on
Create a key
Make sure that you have selected
Symmetrickey type andEncrypt and Decryptkey usage.
Add an appropriate alias. Add tags if desired.
Select the key administrators and whether they can delete the key or not.
Select key users. In the
Other AWS accountssection fill in the account number of the Gearset account you have chosen for your backup.
Review the permissions. Check the
key policysection. They should include the following permissions granted to the Gearset AWS root account (replaceGearsetAccountNumberwith an account number from this section):
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::GearsetAccountNumber:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::GearsetAccountNumber:root"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}Click
Finish
Provide the key's ARN to Gearset
Go to KMS and open the newly created key.
Copy the ARN and provide it via Gearset account executive. Please also confirm the region you have chosen. You will need an existing Gearset account in the same region that has already been created. Gearset will set things up for you and let you know when everything is ready. Do not create a backup job until you have heard back from the team that everything is set up. Once you have received the confirmation, you are ready to start backing up your metadata and data.
Key rotation
If you use AWS's automatic rotation then we don't need to be contacted. It is done automatically by AWS. AWS will update the cryptographic material of your existing key which won’t change the key id. The AWS automatic key rotation is transparent to Gearset.
Please let Gearset know beforehand if you rotate your keys by creating new ones manually. If you need to provide Gearset with a new key that you have manually created, you will have to contact Gearset support and provide the ARN of the new key.
Deleting your key
This is a process that can be done by you. Log into the AWS account where your backup key is hosted and delete it. There is a required grace period of minimum 7 days and maximum 30 days. Once the key is deleted your data will be inaccessible, and we won't be able to recover it. Please let Gearset know if you plan to delete your key, so we can make sure that this is the right course of action and remove any links to the key on our side.
If you are unsure whether deleting the key is the right course of action you could disable it instead by finding your key in AWS and clicking Disable from Key Actions in the top right corner.