BYOK with AWS¶
How to configure Bring-Your-Own-Key encryption with Amazon Web Services KMS?¶
This section explains how to create a cryptographic key in AWS Key Management Service (KMS) and grant Afi Backup permission to use it. The guide assumes that you have an AWS account with billing enabled and a user that is allowed to create KMS keys and edit their key policies.
Select AWS region¶
To start the key configuration, log in to the AWS Management Console and select the AWS region for the key based on your Afi datacenter region (KMS keys are regional, so a key created in another region will not be usable by Afi):
us-east-2 for the USA;
eu-central-1 for the EU;
eu-west-2 for the United Kingdom;
ap-southeast-2 for Australia;
ca-central-1 for Canada.
Create AWS KMS Encryption Key¶
When the region is selected, go to KMS → Customer managed keys, click Create a key, and follow the steps below:
Step 1 - select the Symmetric key type with the Encrypt and decrypt key usage; leave Advanced options (key material origin, regionality) at their defaults.
Step 2 - specify AFI-BYOK as the key alias and BYOK encryption key for Afi Backup as the key description.
Step 3 - leave the key administrative permissions at their defaults; administration of the key stays within your own account.
Step 4 - under key usage permissions, add the Afi AWS account 201720642051 (as an other AWS account). This grants that account the ability to encrypt and decrypt with the key, but not to administer it.
Step 5 - review the key settings and click Finish.
After the key is created, copy its ARN; you will need it for the configuration on the Afi side. We also advise enabling automatic key rotation (once a year) on the AWS side: rotation replaces the backing key material but keeps the same key ID and ARN, so existing backups remain decryptable and nothing needs to be changed in Afi.
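The same AWS-side procedure, as an added example that is not Afi's own tooling: a POSIX shell script that drives the AWS CLI to create the key, attach a key policy equivalent to what the console wizard generates in Steps 3 and 4, set the AFI-BYOK alias, enable yearly rotation, and print the key ARN. It assumes the AWS CLI is installed and authenticated as a principal allowed to create KMS keys; the Afi account ID, alias and description come from the guide, while the datacenter mnemonics (usa, eu, uk, australia, canada), the policy statement IDs and the RUN_CREATE guard are this example's own choices.

```shell
#!/bin/sh
# Added example, not Afi's own code. Assumes: AWS CLI installed and
# authenticated; the caller's account becomes the key owner/administrator.
set -eu

AFI_ACCOUNT="201720642051"                  # Afi account from Step 4 of the guide
ALIAS_NAME="alias/AFI-BYOK"                 # console shows the alias without "alias/"
DESCRIPTION="BYOK encryption key for Afi Backup"

# Key policy mirroring what the console wizard produces (assumed shape):
# the owner account keeps full control (Step 3 defaults), and the Afi
# account may only use the key and create grants for AWS resources (Step 4).
afi_key_policy() {
    admin_account="$1"
    afi_account="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "afi-byok-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM policies in the key owner account",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${admin_account}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${afi_account}:root"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${afi_account}:root"},
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
EOF
}

# Map an Afi datacenter region (mnemonics chosen for this example) to the
# AWS region listed in the guide. Keys are regional, so this must match.
afi_region_to_aws() {
    case "$1" in
        usa|us)       echo "us-east-2" ;;
        eu)           echo "eu-central-1" ;;
        uk)           echo "eu-west-2" ;;
        australia|au) echo "ap-southeast-2" ;;
        canada|ca)    echo "ca-central-1" ;;
        *) echo "unknown Afi datacenter region: $1" >&2; return 1 ;;
    esac
}

# Steps 1-5 plus rotation: create the symmetric key with the policy above,
# alias it, enable yearly rotation, verify the grant, and print the ARN.
create_afi_byok_key() {
    region=$(afi_region_to_aws "$1")
    admin_account=$(aws sts get-caller-identity --query Account --output text)
    policy_file=$(mktemp)
    afi_key_policy "$admin_account" "$AFI_ACCOUNT" > "$policy_file"

    key_arn=$(aws kms create-key \
        --region "$region" \
        --description "$DESCRIPTION" \
        --key-usage ENCRYPT_DECRYPT \
        --key-spec SYMMETRIC_DEFAULT \
        --origin AWS_KMS \
        --policy "file://$policy_file" \
        --query KeyMetadata.Arn --output text)
    rm -f "$policy_file"

    aws kms create-alias --region "$region" --alias-name "$ALIAS_NAME" --target-key-id "$key_arn"
    aws kms enable-key-rotation --region "$region" --key-id "$key_arn"

    # Sanity check: the Afi account must appear in the effective key policy.
    aws kms get-key-policy --region "$region" --key-id "$key_arn" \
        --policy-name default --output text | grep -q "arn:aws:iam::${AFI_ACCOUNT}:root"
    echo "$key_arn"
}

# Usage: RUN_CREATE=1 sh byok.sh eu   -> prints the key ARN to paste into Afi.
if [ -n "${RUN_CREATE:-}" ]; then
    create_afi_byok_key "${1:-usa}"
fi
```

The key policy is the only place where Afi's access is defined: the Afi account is granted use of the key, never kms:* or administrative actions, so disabling the key, removing that statement or revoking grants in your account immediately withdraws Afi's ability to decrypt with it. Run the script with RUN_CREATE unset to load the functions without touching AWS, for example to inspect the policy document first with afi_key_policy.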
Create Afi encryption key protected with AWS KMS¶
In the Afi portal, open Service → Settings → SLA and create an AWS KMS key secret, using the key ARN you copied after Step 5 as the Key ID. Then select that secret as the encryption key in your backup policies; only policies that reference it will be protected by the KMS key.