BYOK Encryption
All data contained in the Assets is encrypted at rest and in transit using Twinit-managed keys held in Azure Key Vault. You can instead choose BYOK encryption, in which the Assets data is encrypted with keys hosted in your own Azure account. With BYOK encryption you keep control over the management of your keys and can revoke Twinit's access to them at any time.
BYOK encryption has several benefits:
Reduced risk: BYOK adds another layer of protection for sensitive data.
Improved data governance: Access to encryption keys hosted in your Azure account can be logged and monitored.
Increased control: You can revoke access to your encryption keys without relying on the vendor.
Our BYOK approach
We support encryption with keys generated and hosted in your Azure account via Azure Key Vault.
To enable BYOK encryption for the Assets data stored in backups, you need to set up an Azure account, create a Key Vault and key in it, and grant a specific service principal access to that key. This Azure account must be dedicated solely to the Twinit app.
Azure setup instructions
Azure Key Vault Setup with Vault Access Policy
Create Azure Key Vault
Log in to the Azure Portal.
Create a new Key Vault with the following details:
Name: as desired.
Region: West Europe
Permission Model: Vault access policy
Generate/Import Key
In the left panel, expand "Objects".
Click on "Keys".
Click the "Generate/Import" button.
Enter a name for your key as desired.
Click "Create".
Run PowerShell Command
Execute the following PowerShell commands (requires the Az PowerShell module; sign in first with Connect-AzAccount to the subscription that holds the Key Vault):
# Application (client) ID of the Twinit "assets Backup & Migration" application
$applicationId = "4ab9f542-0305-4d62-94c9-69786fb5d1ec"
# Tenant ID supplied together with the application ID; not referenced by the commands below
$tenantId = "18a5c4b2-84a8-4acb-8db8-fc7073207415"
# Replace with your Key Vault name
$keyVaultName = "<your-key-vault-name>"
$vault = Get-AzKeyVault -VaultName $keyVaultName
if (-not $vault) { throw "Key Vault '$keyVaultName' not found in the current subscription." }
# Create the service principal for the Twinit application in your tenant (reuse it if it already exists)
$servicePrincipal = Get-AzADServicePrincipal -ApplicationId $applicationId
if (-not $servicePrincipal) { $servicePrincipal = New-AzADServicePrincipal -ApplicationId $applicationId }
# Assign the role to the service principal, scoped to this vault only.
# Note: with the "Vault access policy" permission model, Azure RBAC roles do not grant key operations;
# the access policy configured in the next section is what allows wrap/unwrap.
New-AzRoleAssignment -ApplicationId $applicationId `
    -RoleDefinitionName "Key Vault Crypto Officer" `
    -Scope $vault.ResourceId
Write-Host "Service Principal added and role assigned successfully."
Configure Access Policies
Open the Key Vault you created.
Click on "Access Policies".
Click "Create".
Under Key permissions (Cryptographic Operations), check only "Wrap Key" and "Unwrap Key".
Click "Next".
Search for the application ID 4ab9f542-0305-4d62-94c9-69786fb5d1ec.
The application "Twinit assets Backup & Migration" should appear. Click on it.
Click "Next" twice.
Click "Create".
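The following script is an added example, not Twinit's own tooling: it automates the key and access-policy part of the procedure above and verifies the result, so you can check that the Twinit principal has exactly the wrap/unwrap permissions the page asks for and nothing more. It assumes you are already signed in with Connect-AzAccount, that the Key Vault exists with the "Vault access policy" permission model (as created in the portal steps), and that the vault and key names in angle brackets are replaced with your own. Enabling purge protection is our recommendation, not a requirement stated on the page.

```powershell
# Added example (not Twinit's script). Assumes Connect-AzAccount has been run and the vault exists.
$applicationId = "4ab9f542-0305-4d62-94c9-69786fb5d1ec"   # Twinit application ID from the page
$keyVaultName  = "<your-key-vault-name>"                   # placeholder
$keyName       = "<your-key-name>"                         # placeholder

$vault = Get-AzKeyVault -VaultName $keyVaultName
if (-not $vault) { throw "Key Vault '$keyVaultName' not found in the current subscription." }
if ($vault.EnableRbacAuthorization) {
    throw "Vault uses the Azure RBAC permission model; this procedure requires 'Vault access policy'."
}

# 1. Purge protection (recommended, our assumption): once BYOK is active, backups encrypted with
#    this key cannot be restored if the key is permanently deleted.
if (-not $vault.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $vault.ResourceGroupName `
        -EnablePurgeProtection | Out-Null
}

# 2. Create the key if it does not exist yet (software-protected RSA 2048).
$key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination Software `
        -KeyType RSA -Size 2048
}

# 3. Make sure the Twinit service principal exists in your tenant.
$sp = Get-AzADServicePrincipal -ApplicationId $applicationId
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $applicationId }

# 4. Grant exactly the two key permissions the page asks for. Set-AzKeyVaultAccessPolicy replaces
#    the principal's key permissions, so the same call trims an over-broad policy later.
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $applicationId `
    -PermissionsToKeys wrapKey, unwrapKey

# 5. Verify: the policy for the Twinit principal must contain wrapKey and unwrapKey and nothing else.
$vault  = Get-AzKeyVault -VaultName $keyVaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) { throw "No access policy found for application $applicationId." }
$extra = $policy.PermissionsToKeys | Where-Object { $_ -notin @('wrapKey', 'unwrapKey') }
if ($extra) { throw "Policy grants more than wrap/unwrap: $($extra -join ', ')" }
if ($policy.PermissionsToKeys.Count -ne 2) { throw "Policy is missing wrapKey or unwrapKey." }

# 6. Output the three values support asks for.
[pscustomobject]@{
    KeyVaultName = $vault.VaultName
    KeyName      = $key.Name
    TenantID     = (Get-AzContext).Tenant.Id
}
```

Run the script after the portal steps; if step 5 throws, the access policy was created with broader permissions than wrap and unwrap and should be corrected before handing the details to support. Re-running the script is safe: existing keys and principals are reused, and the access policy is simply reapplied.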
After completing the setup, please contact our support team and provide the following information:
Key Vault Name
Key Name
TenantID
After BYOK is enabled, the details are shown in the app under Settings / BYOK Encryption.
If the connection to your Key Vault is lost or the key has been disabled, the backup is encrypted with the Twinit-managed key instead. Such backups, and all backups taken before BYOK was enabled, cannot be restored with your own key; this also means that revoking your key does not protect backups that fell back to the Twinit-managed key.