
Configure Cloud Key Management for Cloud Apps



To initiate the scheduled backup of any SaaS Apps data, inSync requires access to the data encryption key (ekey). The ekey is used to encrypt the user data when it is being backed up to the inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store the ekey of the users and has no access to the data.

By default, inSync requires the deployment of the inSync Connector on your organization's premises to back up the SaaS Apps data. The inSync Connector acts as a SaaS Apps Connector that provides the ekey, so users do not need to have their physical devices connected for the SaaS Apps backup.

However, if you do not want to deploy the inSync Connector for SaaS Apps backup, you can enable the Cloud Key Management feature from the inSync Management Console. The Cloud Key Management feature is a secure method to back up the SaaS Apps data and is an alternative to the inSync AD Connector based deployment.

The Cloud Key Management feature uses the AWS Cloud Key Management System (AWS KMS) to generate the Data Key. The Data Key is then used to encrypt the ekey, and the resulting encrypted-ekey is stored in the inSync Cloud. During a scheduled SaaS Apps backup, the encrypted-ekey is combined with the Data Key to recover the ekey, which is then used to complete the backup.

Note: The Data Key is rotated every three months from the date the Cloud Key Management feature is enabled for your account.
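The flow above, as an added Ruby example that is not Druva's code: the ekey is wrapped under a Data Key with AES-256-GCM, only the wrapped record is kept, and rotation re-wraps the same ekey under a new Data Key. The locally generated Data Key (standing in for AWS KMS), the choice of AES-256-GCM, the `version` field and the re-wrap step at rotation are assumptions; the page does not describe them.

```ruby
require 'openssl'

# Constructed stand-in for AWS KMS issuing a 256-bit Data Key (no KMS call is made).
def new_data_key
  OpenSSL::Random.random_bytes(32)
end

# Encrypt the ekey under the Data Key with AES-256-GCM (assumed algorithm).
# The returned record is the "encrypted-ekey": the only form of the ekey that is stored.
# :version is a hypothetical field naming the Data Key generation that wrapped it.
def wrap_ekey(data_key, ekey, version)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = data_key
  nonce = cipher.random_iv
  cipher.auth_data = version.to_s # authenticate the version so it cannot be relabelled
  ct = cipher.update(ekey) + cipher.final
  { version: version, nonce: nonce, ct: ct, tag: cipher.auth_tag }
end

# Recover the ekey at backup time. Raises OpenSSL::Cipher::CipherError when the
# Data Key is wrong or any field of the stored record has been modified.
def unwrap_ekey(data_key, rec)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = rec[:nonce]
  cipher.auth_tag = rec[:tag]
  cipher.auth_data = rec[:version].to_s
  cipher.update(rec[:ct]) + cipher.final
end

# Rotation (assumed handling): re-wrap the same ekey under the new Data Key, so
# data already backed up under that ekey does not have to be re-encrypted.
def rotate(old_key, new_key, rec)
  wrap_ekey(new_key, unwrap_ekey(old_key, rec), rec[:version] + 1)
end

if __FILE__ == $PROGRAM_NAME
  dk1, dk2 = new_data_key, new_data_key
  ekey = OpenSSL::Random.random_bytes(32) # constructed sample ekey
  rec = rotate(dk1, dk2, wrap_ekey(dk1, ekey, 1))
  puts "version #{rec[:version]}, ekey recovered: #{unwrap_ekey(dk2, rec) == ekey}"
end
```

After rotation the retired Data Key no longer opens the stored record, so whoever holds only the old key and the new record cannot recover the ekey.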




  • Once the Cloud Key Management feature is enabled, the feature cannot be disabled from the inSync Management Console.
  • Druva does not store the ekey of the users and has no access to the data.

AWS KMS is an encryption and ekey management web service. Druva uses AWS KMS to let its inSync customers encrypt and decrypt the SaaS Apps data through a secure ekey management system. Druva thus eliminates the need to deploy the inSync Connectors within your organization and provides the following benefits:

  • Fully Managed - Provides a fully managed service and features scalability to meet the requirements of the encryption keys which are used to encrypt your data.
  • Data encryption - Creates and manages a unique data key for encryption of the data before storage.
  • Compliance - Certified security and quality controls. 

To learn more about the AWS KMS benefits, see AWS Cloud Key Management System.


Submit a request to Support asking them to activate the Cloud Key Management feature for your account.

After you receive confirmation from the Druva Support team, perform the following procedure to enable the Cloud Key Management feature in the inSync Management Console.

Configure Cloud Key Management

Before you begin, ensure:

  • You have received the confirmation email from Support about activation of the Cloud Key Management feature for your account.
  • You are logged on to inSync either as a Cloud administrator or you are managing the SaaS Apps users and groups from your administrator account.


  1. On the Endpoints/SaaS Apps console, click   and select Endpoints & SaaS Apps Settings. 
  2. Go to the Key Management tab and click edit.
  3. Select the Enable Cloud Key Management feature checkbox and click save.


Once you enable the Cloud Key Management from the inSync Management Console, you cannot disable it.

Next Step

Configure and integrate inSync with the SaaS Apps based on your organization's requirements.

