Overview
Gearset's backup solution stores your data in our AWS instance. We use Amazon Relational Database Service (RDS) and AWS Simple Storage Service (S3) to host the data. The RDS and S3 instances are encrypted at rest using AWS KMS's generated team based encryption key provided to all customers by default.
Bring Your Own Key (BYOK) via AWS Key Management Service (AWS KMS) can offer you more control if you would like to be the one responsible for the access and management of your backup's encryption key. Once you create a key and provide it to your Gearset account executive, the data will be stored in a dedicated infrastructure encrypted by your key.
Who should use BYOK
BYOK will help you meet strict regulatory controls that your organization might require in order for you to use our backup tool. With BYOK, you will have full control of the lifespan of your encryption key. Deleting the key will result in your data becoming inaccessible to anyone. You will also have full control of who is able to access the encryption key and the permissions associated with the key.
Considerations
BYOK is not needed for every organization. With BYOK, the key existence and maintenance will be solely your responsibility. Gearset will use your key for encrypting and decrypting the data.
A Gearset generated key may be more appropriate for your organization. Gearset generates a new master key for every unique team that uses backup. We have best practices around generating, storing and rotating keys. Your backup master key can be deleted by you at any time by navigating to Gearset account settings and looking at Data management.