Note: you will need a Backup Enterprise license to use this feature.
Before creating your first backup job, please contact Gearset so that we can set up your BYOK (bring your own key) configuration.
Overview
Gearset can use a customer's own encryption key only if it is created in AWS Key Management Service (KMS); other key sources are not supported at this time. You will need access to an AWS account and the ability to create and manage a key in the region where Gearset hosts your data (listed below). You are responsible for maintaining the key and for telling Gearset about any change to it. Gearset needs permission to use the key; the exact key policy statements required are given in the instructions below.
Available regions:
AWS Location | AWS Region | Gearset Account Number |
Europe (Ireland) | eu-west-1 | 347752291521 |
United States (Oregon) | us-west-2 | 157764733222 |
Australia (Sydney) | ap-southeast-2 | 178658833999 |
Canada (Central) | ca-central-1 | 877694686213 |
Creating a new customer managed key in AWS
Please follow the steps below to create your AWS customer managed key in AWS Key Management Service (KMS).
Note: you must already have created a Gearset account at app.gearset.com.
1. Log in to your AWS account and make sure you are in the region where you want your data to be hosted.
2. Navigate to Key Management Service (KMS) using the search bar.
3. Click Create a key.
4. Make sure you have selected the Symmetric key type and the Encrypt and decrypt key usage.
5. Add an appropriate alias. Add tags if desired.
6. Select the key administrators and whether they can delete the key or not.
7. Select the key users. In the Other AWS accounts section, enter the account number of the Gearset account for the region you chose (see the table above).
8. Review the permissions and check the key policy section. It should include the following statements, granting the Gearset AWS root account use of the key (replace GearsetAccountNumber with the account number from the table above):
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::GearsetAccountNumber:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::GearsetAccountNumber:root"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
These are the only permissions Gearset needs. The root principal delegates to the Gearset account as a whole; which identities inside that account can actually call KMS is then governed by Gearset's own IAM policies. The kms:GrantIsForAWSResource condition restricts the grant permissions to grants created on behalf of an AWS service. Do not give the Gearset account kms:* or any key-management action (such as kms:PutKeyPolicy or kms:ScheduleKeyDeletion): control of the key, including the ability to disable or delete it, stays with you.
9. Click Finish.
Provide the key's ARN to Gearset
Go to KMS and open the newly created key.
Copy the key's ARN and send it to your Gearset account executive. It will look something like:
arn:aws:kms:eu-west-1:111222333:key/11112222-3333-4444-aaaa-bbbb5555dddd
Please also confirm the region you have chosen; you will need an existing Gearset account in that same region. Gearset will complete the setup on its side and let you know when everything is ready. Do not create a backup job until you have heard back from the team. Once you have received that confirmation, you are ready to start backing up your metadata and data.
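The key policy and ARN checks above, as an added example that is not part of this article or of Gearset's own tooling. It builds the key policy for a chosen Gearset region and then verifies a policy (for instance the JSON printed by aws kms get-key-policy --key-id <arn> --policy-name default) against the key ARN you are about to hand over: correct region, Gearset account granted exactly the use and grant permissions, the kms:GrantIsForAWSResource condition present, no other foreign account and no key-management actions delegated. It uses only the Python standard library, so it runs offline; nothing here calls AWS. The account number 111122223333 and the key id in the tests are constructed placeholders, the first policy statement is the console's default root-enablement statement (assumed as your admin setup), and the list of "forbidden" management actions is this example's own choice, not Gearset's.

```python
import json
import re

# Gearset's backup regions and the Gearset account to grant, from the table above.
GEARSET_ACCOUNTS = {"eu-west-1": "347752291521", "us-west-2": "157764733222",
                    "ap-southeast-2": "178658833999", "ca-central-1": "877694686213"}
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
# Concrete operations the two statements must cover, and management operations
# the Gearset account must never be given (the latter list is this example's choice).
REQUIRED = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant",
            "kms:ListGrants", "kms:RevokeGrant"]
FORBIDDEN = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"]
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/([0-9a-f-]{36})$")


def gearset_statements(region):
    """The two key-policy statements for Gearset's account in `region`."""
    principal = {"AWS": f"arn:aws:iam::{GEARSET_ACCOUNTS[region]}:root"}
    return [
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": principal,
         "Action": list(USE_ACTIONS), "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": principal, "Action": list(GRANT_ACTIONS), "Resource": "*",
         # Grants may only be created on behalf of an AWS service, not freely.
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def build_key_policy(region, own_account):
    """Full policy: your account keeps control (console default root statement,
    assumed here), Gearset gets use only. Apply with:
    aws kms create-key --region <region> --policy file://policy.json"""
    own_root = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{own_account}:root"},
                "Action": "kms:*", "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [own_root] + gearset_statements(region)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """True if an Action entry such as 'kms:ReEncrypt*' or 'kms:*' covers `action`."""
    return re.match("^" + re.escape(pattern).replace(r"\*", ".*") + "$",
                    action, re.IGNORECASE) is not None


def _account_of(principal):
    """12-digit account id from an ARN or bare account-id principal, else None."""
    m = re.search(r"\b\d{12}\b", principal)
    return m.group(0) if m else None


def check_key_policy(policy, key_arn):
    """Check a key policy (JSON string from `aws kms get-key-policy`, or a dict)
    against the key ARN you are about to hand to Gearset.
    Returns a list of problems; an empty list means the key is ready."""
    m = KEY_ARN_RE.match(key_arn)
    if not m:
        return ["not a KMS key ARN (alias ARNs and bare key ids are not accepted)"]
    region, own_account = m.group(1), m.group(2)
    if region not in GEARSET_ACCOUNTS:
        return [f"region {region} is not one Gearset hosts backups in"]
    gearset_account = GEARSET_ACCOUNTS[region]
    policy = json.loads(policy) if isinstance(policy, str) else policy
    problems, granted = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                problems.append(f"statement {stmt.get('Sid')!r} allows every AWS principal")
            elif _account_of(arn) == gearset_account:
                granted.extend(actions)
                problems += [f"Gearset is granted management action {bad}"
                             for bad in FORBIDDEN if any(_covers(a, bad) for a in actions)]
                cond = stmt.get("Condition", {}).get("Bool", {})
                if (any(_covers(a, "kms:CreateGrant") for a in actions)
                        and str(cond.get("kms:GrantIsForAWSResource")).lower() != "true"):
                    problems.append("CreateGrant for Gearset lacks the "
                                    "kms:GrantIsForAWSResource condition")
            elif _account_of(arn) != own_account:
                problems.append(f"unexpected principal from another account: {arn}")
    problems += [f"Gearset account {gearset_account} is not allowed {action}"
                 for action in REQUIRED if not any(_covers(a, action) for a in granted)]
    return problems
```

Run check_key_policy on the policy you actually fetched from AWS rather than on the one you intended to apply: the console merges the key-user selections into the generated policy, and a key created in the wrong region, or with the Gearset account for a different region, fails here before Gearset's team has to find it.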
Key rotation
If you use AWS automatic key rotation, you do not need to contact us. AWS rotates the cryptographic material of your existing key on its schedule without changing the key ID or ARN, and keeps the previous material so that data encrypted under it can still be decrypted, so automatic rotation is transparent to Gearset.
If you rotate manually by creating a new key, please tell Gearset beforehand: contact Gearset support and provide the ARN of the new key. The new key must be in the same region and carry the same key policy statements as the original. Do not disable or delete the old key until Gearset confirms the change, as backups taken under the old key depend on it.
Deleting your key
You can do this yourself: log in to the AWS account that hosts your backup key and schedule it for deletion. AWS enforces a waiting period of at least 7 and at most 30 days, during which the key cannot be used but the deletion can still be cancelled. Once the key is deleted, your backup data becomes unreadable and neither Gearset nor AWS can recover it. Please let Gearset know if you plan to delete your key, so we can confirm that this is the right course of action and remove any links to the key on our side.
If you are unsure whether deleting the key is the right course of action, disable it instead: find your key in AWS and choose Disable from the Key actions menu in the top right corner. A disabled key can be re-enabled later; a deleted one cannot.