BYOK Encryption

All the data contained in the Assets is encrypted at rest and in transit using Twinit-managed keys in Key Management in Azure. However, you can also choose to use BYOK encryption to encrypt the Assets data with keys hosted in your own Azure account. With BYOK encryption, you will have greater control over the management of your keys and will be able to revoke access at any time.

There are many benefits of BYOK encryption:

  • Reduced risk: BYOK adds another layer of protection for sensitive data.

  • Improved data governance: Access to encryption keys hosted in your Azure account can be logged and monitored.

  • Increased control: You can revoke access to your encryption keys without vendor reliance.

Our BYOK approach

We support encryption with keys generated and hosted in your Azure account via the Key Management in Azure.

To enable BYOK encryption for the Assets data stored in the backups, you will need to set up an Azure account and a specific service role. This account must be solely dedicated to the Twinit app.

Azure setup instructions

Azure Key Vault Setup with Vault Access Policy

  1. Create Azure Key Vault

    1. Log in to the Azure Portal.

    2. Create a new Key Vault with the following details:

      1. Name: as desired.

      2. Region: West Europe

      3. Permission Model: Vault access policy

  2. Generate/Import Key

    1. In the left panel, expand "Objects".

    2. Click on "Keys".

    3. Click the "Generate/Import" button.

    4. Enter a name for your key as desired.

    5. Click Create

  3. Run PowerShell Command

Execute the following PowerShell command:

    # Requires the Az PowerShell module and an active session (run Connect-AzAccount first)
    $applicationId = "4ab9f542-0305-4d62-94c9-69786fb5d1ec"
    $tenantId = "18a5c4b2-84a8-4acb-8db8-fc7073207415"

    # Replace with your Key Vault name
    $keyVaultName = "<your-key-vault-name>"

    # Create the service principal object
    $servicePrincipal = New-AzADServicePrincipal -ApplicationId $applicationId

    # Assign the role to the service principal
    New-AzRoleAssignment -ApplicationId $applicationId `
        -RoleDefinitionName "Key Vault Crypto Officer" `
        -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$((Get-AzKeyVault -VaultName $keyVaultName).ResourceGroupName)/providers/Microsoft.KeyVault/vaults/$keyVaultName"

    Write-Host "Service Principal added and role assigned successfully."

  4. Configure Access Policies

    1. Go to the Key Vault you created.

    2. Click on "Access Policies".

    3. Click "Create".

    4. Check "Wrap key" and "Unwrap key".

    5. Click "Next".

    6. Search: 4ab9f542-0305-4d62-94c9-69786fb5d1ec

    7. "Twinit assets Backup & Migration" should appear. Click on it.

    8. Click "Next" twice.

    9. Click "Create".
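To confirm the setup above before contacting support, here is an added verification script; it is not part of Twinit's instructions and assumes the Az PowerShell module, an active Connect-AzAccount session in the subscription that holds the vault, and that the placeholder vault and key names are replaced. It checks that the service principal exists, that the key is enabled and unexpired (a disabled key makes backups fall back to the Twinit-managed key), that the access policy grants only wrap/unwrap, and that the Crypto Officer assignment is scoped to this vault only.

```powershell
# Added verification script, not part of the Twinit setup steps.
# Assumes the Az module is loaded and Connect-AzAccount has been run.
$applicationId = "4ab9f542-0305-4d62-94c9-69786fb5d1ec"   # Twinit app ID from the steps above
$keyVaultName  = "<your-key-vault-name>"                   # placeholder, replace
$keyName       = "<your-key-name>"                         # placeholder, replace

$vault = Get-AzKeyVault -VaultName $keyVaultName
if (-not $vault) { throw "Key Vault '$keyVaultName' not found in the current subscription." }

# 1. The service principal for the Twinit app must exist in your tenant (step 3).
$sp = Get-AzADServicePrincipal -ApplicationId $applicationId
if (-not $sp) { throw "No service principal for $applicationId; re-run New-AzADServicePrincipal." }

# 2. The key must be enabled and not expired, otherwise backups use the Twinit key.
$key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName
if (-not $key) { throw "Key '$keyName' not found in vault '$keyVaultName'." }
if (-not $key.Enabled) { Write-Warning "Key '$keyName' is disabled: new backups will NOT use BYOK." }
if ($key.Expires -and $key.Expires -lt (Get-Date)) { Write-Warning "Key '$keyName' expired on $($key.Expires)." }

# 3. The access policy for the app should grant exactly wrapKey and unwrapKey (step 4).
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    Write-Warning "No access policy for the Twinit service principal; step 4 is incomplete."
} else {
    $expected = @('wrapKey', 'unwrapKey')
    $granted  = @($policy.PermissionsToKeys)
    $missing  = $expected | Where-Object { $granted -notcontains $_ }
    $extra    = $granted  | Where-Object { $expected -notcontains $_ }
    if ($missing) { Write-Warning "Access policy is missing key permissions: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "Access policy grants more than wrap/unwrap: $($extra -join ', ')" }
    if (-not $missing -and -not $extra) { Write-Host "Access policy OK: wrapKey/unwrapKey only." }
}

# 4. The Crypto Officer assignment from step 3 should be scoped to this vault, not wider.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Key Vault Crypto Officer"
if (-not $assignments) { Write-Warning "No 'Key Vault Crypto Officer' assignment found for the app." }
foreach ($a in $assignments) {
    if ($a.Scope -ne $vault.ResourceId) {
        Write-Warning "Crypto Officer assignment at unexpected scope: $($a.Scope)"
    } else {
        Write-Host "Role assignment scoped to the vault: $($a.Scope)"
    }
}
```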

After completing the setup, please contact our support team and provide the following information:

  1. Key Vault Name

  2. Key Name

  3. TenantID

After enabling BYOK, you will see the details under Settings / BYOK Encryption in the app:

(Screenshot: Enabled BYOK via the Settings)

If the connection to the key management is lost or the key has been disabled, the backup is made with the Twinit-managed key instead. Such backups, and all backups taken before BYOK was enabled, cannot be restored with your own key!