Configure Enterprise Key Management for Salesforce
Enterprise Key Management is under controlled availability. To enable this feature for your account, contact Druva Support.
If your organizational policies require you to have full control over the encryption of the data backed up by inSync, Enterprise Key Management is the option for you. With Enterprise Key Management, you use keys generated in your own AWS Key Management Service (KMS) account to encrypt and decrypt the data backed up by Druva inSync. This provides an additional layer of encryption over and above Druva's default data encryption.
Enterprise Key Management is available on request; contact Support to have this feature enabled for your account.
Enterprise Key Management offers the following security benefits:
- Use keys from your own KMS account to encrypt and decrypt the data encryption key.
- Generate, revoke, rotate, and destroy the encryption keys from your AWS account as and when required.
- Control access to the data backed up by Druva inSync.
- Secure the backed-up data.
Consider the following points before you enable this feature for your account:
- Once Enterprise Key Management is enabled for your account, you cannot revert to the default Cloud Key Management.
- Enterprise Key Management encryption supersedes Cloud Key Management. Cloud Key Management is therefore disabled when Enterprise Key Management is enabled for your account.
Ensure the following before you enable Enterprise Key Management:
- An AWS account with Key Management Service (KMS) access, to manage customer master keys (CMKs).
- Support has activated the Enterprise Key Management configuration for your account. Without this activation, the configuration fields do not appear on the inSync Management Console.
Enable Enterprise Key Management
Follow these steps to enable Enterprise Key Management for your organization:
- Copy Druva's AWS account ID from the inSync Management Console:
  - Log in to the inSync Management Console.
  - Go to the gear icon > Settings and open the Key Management tab.
  - Click the copy button to copy the 12-digit numeric value of Druva's AWS account ID.
  - Save the numeric value; you need it on the AWS Key Management Service (KMS) console.
- Get the key ARN from your AWS KMS account:
  - Log in to the AWS KMS Console.
  - On the menu, click Services and search for KMS. The Key Management Service (KMS) page opens.
  - Click Customer managed keys in the left pane. A list of managed keys is displayed.
  - Click Create key, and on the Key type page select Symmetric key.
  - On the Add labels page, provide the key Alias (used to identify the key) and a Description, and click Next.
  - On the Key administrators page, select one or more administrators who can control the key. The key administrators selected here can rotate and revoke the key that you are about to generate.
  - Select Allow key administrators to delete this key to grant the administrators the right to delete the key.
  - On the next page, click Add another AWS account. A text box is displayed. This setting defines the account with which AWS KMS communicates to authenticate access to the backed-up data.
  - On the Review and Edit policy screen, allow the following rights on the CMK for Druva inSync.
  - Enter the 12-digit Druva AWS account ID that you copied from the Key Management tab of the inSync Management Console.
  - Click Next to review the key policy. The page displays the permissions available to the Druva account when it accesses the key during backups and restores.
  - Click Finish. The new key is generated and displayed on the AWS KMS console.
  - Click the key Alias on the console to view the key details. The General configuration details are displayed.
  - Copy the value displayed under ARN on the AWS KMS console. This ARN is required to enable Enterprise Key Management on the inSync Management Console.
- Enable Enterprise Key Management from the inSync Management Console:
  - Click Enable Enterprise Key Management. inSync prompts for the KMS key ARN generated on the AWS KMS console.
  - Paste the newly created KMS key ARN into the Update KMS key ARN dialog box and click Next. The ARN is validated, and upon successful authentication a confirmation message appears.
  - Click Save.
  - Click Continue and review the legal terms and conditions of enabling Enterprise Key Management.
  - Click Yes, I Agree. Enterprise Key Management is enabled for your account.
The KMS key ARN is displayed on the Key Management tab, and the External Cloud Key Management status shows Enabled.
Update the Enterprise Encryption key
You may have to update the Enterprise Encryption key to comply with your organizational security policies. Note that you must keep both the old and the new encryption keys active in AWS KMS until you have configured the new KMS key ARN on the inSync Management Console. This ensures that all the required permissions are transferred from the old key to the new key before AWS KMS purges the old key.
To update the Enterprise Encryption key:
- Get the new KMS key ARN using the steps provided above.
- On the Key Management tab, click Update KMS Key ARN.
- Paste the newly created KMS key ARN into the Update KMS key ARN dialog box and click Save. Upon successful validation, the KMS key ARN is updated on the inSync Management Console.
Note: After Enterprise Key Management is enabled, if the key is disabled in AWS KMS or the AWS account is disabled, backups and restores fail.
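An added offline pre-flight check for the setup described above (example code, not Druva's or AWS's own). It validates the shape of the key ARN that inSync asks for, confirms that the key policy written by the Add another AWS account step grants the cross-account actions to the account you entered, and mirrors the note that a disabled key breaks backups. The account IDs, the sample policy and the list of required actions are assumptions: the page does not list the rights, so the action set below is the standard AWS console template for another account.

```python
import re

# Shape of a KMS *key* ARN; an alias ARN (...:alias/name) is not a key ARN.
KEY_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:kms:([a-z0-9-]+):(\d{12}):key/([0-9a-f-]{36})$")

# Actions the AWS console's "Add another AWS account" statement grants.
# Assumption: this is the standard console template; the page itself does
# not list the rights inSync needs on the CMK.
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"}

def parse_key_arn(arn):
    """Return (region, account_id, key_id) for a KMS key ARN, else None."""
    m = KEY_ARN_RE.match(arn)
    return m.groups() if m else None

def _as_set(value):
    """Policy fields may be a string or a list; normalise to a set."""
    return {value} if isinstance(value, str) else set(value or [])

def account_can_use_key(policy, account_id):
    """True if the key policy grants every REQUIRED_ACTION to the account root."""
    root = f"arn:aws:iam::{account_id}:root"
    granted = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and root in _as_set(aws):
            granted |= _as_set(stmt.get("Action"))
    return REQUIRED_ACTIONS <= granted

def key_usable(metadata):
    """metadata is a DescribeKey-style KeyMetadata dict (constructed here).
    The page's note: a disabled key makes backup and restore fail."""
    return metadata.get("KeyState") == "Enabled"

# Constructed sample data (placeholder IDs, not Druva's or any real account).
DRUVA_ACCOUNT = "111122223333"
SAMPLE_ARN = ("arn:aws:kms:us-east-1:999999999999:"
              "key/1234abcd-12ab-34cd-56ef-1234567890ab")
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{DRUVA_ACCOUNT}:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}]}
```

Run the three functions against your exported key policy and DescribeKey output before pasting the ARN into the console; a failing check here corresponds to a failed validation or a failed backup later.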