Files uploaded to Egnyte are encrypted with a key that is unique to each customer. By default, Egnyte manages this encryption key and follows best practices to secure, store, and manage these keys for our customers. However, some customers want a greater level of control where they can manage, rotate and store their encryption keys themselves.
Egnyte Key Management (EKM) is an option that allows customers to manage encryption keys themselves, either using a third-party cloud service or their own on-premises infrastructure. External key management systems typically rely on HSMs (Hardware Security Modules) for secure management, storage, and rotation of encryption keys. Egnyte currently integrates with the following external key management systems, from which customers can select:
- Microsoft Azure Key Vault
- Amazon AWS CloudHSM
- SafeNET KeySecure (on-premises)
- SafeNET Luna SA (on-premises)
Managing your own keys can provide an additional layer of security and privacy, but with these benefits also come responsibilities:
- If you lose your encryption keys, you will not be able to decrypt any data encrypted with those lost keys
- If your cloud or on-premises key management provider is unavailable, you will not be able to decrypt your data until the provider is back again
Before configuring your Egnyte account with an external key management solution, you should work with your key management provider to ensure that you are following best practices for protecting your keys.
EKM is available for Enterprise plans only. Contact Egnyte if you’d like to add this feature to your account.
How it Works
When configured to use an external key management system, Egnyte employs hierarchical key management — so Egnyte’s encryption key will be encrypted with the external key you manage. This additional layer of protection ensures that no one can access your data unless they have access to both the Egnyte key and the external key.
Egnyte creates a unique encryption key (the “Egnyte key”) for every customer. If you use EKM, you’ll need to get a separate encryption key from your external key management system (the “external key”) as well.
Once you configure Egnyte Key Management in the Web UI, the Egnyte key will be encrypted with the external key and stored with your key management provider's cloud service or on your on-premises HSM. Any time you upload or download a file, Egnyte will request the external key from your key management system and use it to decrypt the Egnyte key. The decrypted Egnyte key is then used to encrypt or decrypt the specific file.
Note that the Egnyte key is never stored in plaintext; it is only stored in its encrypted form, encrypted under the external key.
To ensure high performance and reduce the number of requests to your key management system, you can specify a time period during which Egnyte will cache the external key. At your preference, the external key can be cached for a period between 5 minutes and an hour.
Importantly, you can also rotate the external key on-demand. Refer to the section below for instructions on rotating your external key.
You can configure EKM in the Security & Authentication section of Configuration, in the “Enterprise Key Management” subsection. The configuration depends on your encryption key provider.
Microsoft Azure Key Vault
Microsoft Azure Key Vault can be configured directly within Egnyte’s Web UI. Note that all fields are required, and you will need to get most of this information from your Azure Key Vault account.
If you are using a different key management provider (Amazon AWS CloudHSM, or the on-premises options SafeNET KeySecure and SafeNET Luna SA), you must first contact Egnyte’s customer support. The configuration for these providers requires us to set up a secure link between Egnyte’s data center and your key management system.
Once this is done, you will be able to change the EKM settings yourself from the Egnyte Web UI.
When using an external key management system, it is a best practice to rotate your encryption key on a regular basis. The procedure in each system varies slightly, but the main steps are the same:
1. Create a new version of the key, making sure to keep the previous key version enabled
2. Enter the new key version in the Web UI — Egnyte will start using the new version of the key immediately
3. After the configured cache duration has expired, you can safely disable the original version of the key in your key management system
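As an added illustration (not Egnyte's code; the page does not publish Egnyte's implementation), the following Python model shows the behaviour described above: a per-customer Egnyte key that exists only in wrapped form under the customer's external key, an external-key cache with a configurable time-to-live, the three rotation steps with the "wait one cache duration before disabling the old version" rule, and an operation that fails rather than falling back when the provider cannot be reached. The ExternalKms class, the FakeClock, the HMAC-based toy cipher standing in for a real AEAD, and every class and method name are assumptions made for this example.

```python
import hashlib
import hmac
import os


class KmsUnavailable(Exception):
    """Raised when the external key cannot be fetched; the file operation fails closed."""


class ExternalKms:
    """Constructed stand-in for a key vault / HSM holding versioned external keys.
    A real provider would wrap/unwrap on its side rather than release the key;
    releasing it here only keeps the example short."""

    def __init__(self):
        self._versions = {}    # version id -> (key bytes, enabled flag)
        self.available = True  # set False to simulate a provider outage
        self.fetches = 0       # number of round trips made to the provider

    def create_version(self):
        vid = f"v{len(self._versions) + 1}"
        self._versions[vid] = (os.urandom(32), True)
        return vid

    def disable_version(self, vid):
        self._versions[vid] = (self._versions[vid][0], False)

    def fetch(self, vid):
        self.fetches += 1
        if not self.available or vid not in self._versions or not self._versions[vid][1]:
            raise KmsUnavailable(f"external key {vid} not retrievable")
        return self._versions[vid][0]


# Toy authenticated encryption (HMAC-SHA256 keystream plus HMAC tag) so the example
# runs on the standard library alone; it stands in for a real AEAD and is not for production.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class FakeClock:
    """Deterministic clock (seconds) so cache expiry can be driven explicitly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Tenant:
    """One customer: an Egnyte key wrapped under the customer's external key, never stored in the clear."""

    def __init__(self, kms, kek_version, cache_ttl, clock):
        self.kms, self.kek_version, self.ttl, self.clock = kms, kek_version, cache_ttl, clock
        self._cached = None          # (version, external key bytes, expiry time)
        self.rotated_at = None
        egnyte_key = os.urandom(32)  # the per-customer Egnyte key
        self.wrapped_egnyte_key = seal(self._external_key(), egnyte_key)
        del egnyte_key               # only the wrapped form persists

    def _external_key(self):
        now = self.clock()
        if self._cached and self._cached[0] == self.kek_version and now < self._cached[2]:
            return self._cached[1]                # served from cache, no provider round trip
        key = self.kms.fetch(self.kek_version)    # KmsUnavailable propagates: the operation fails
        self._cached = (self.kek_version, key, now + self.ttl)
        return key

    def _egnyte_key(self):
        return unseal(self._external_key(), self.wrapped_egnyte_key)

    def upload(self, data):
        return seal(self._egnyte_key(), data)

    def download(self, blob):
        return unseal(self._egnyte_key(), blob)

    def rotate(self, new_version):
        """Step 2: unwrap with the old version, re-wrap with the new one immediately."""
        egnyte_key = self._egnyte_key()
        self.kek_version = new_version
        self.wrapped_egnyte_key = seal(self._external_key(), egnyte_key)
        self.rotated_at = self.clock()

    def old_version_safe_to_disable(self):
        """Step 3: the old version may be disabled once a full cache duration has passed."""
        return self.rotated_at is not None and self.clock() >= self.rotated_at + self.ttl


def download_fails_closed(tenant, blob):
    """True if the download is refused (no silent fallback) when the external key is unreachable."""
    try:
        tenant.download(blob)
        return False
    except KmsUnavailable:
        return True
```

The cache is keyed on the key version, so a rotation invalidates it on the next access and forces a fetch of the new version; an outage while the cache is still warm is invisible to users, while one after the entry expires makes the operation fail with KmsUnavailable, matching the error and admin notification described under monitoring below.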
Disabling Egnyte Key Management
To disable EKM, follow the steps below:
1. First, switch the “Encryption key provider” to “Egnyte”
2. If you are using a provider other than Microsoft Azure Key Vault, a secure connection will be in place between Egnyte and your encryption management system. You will need to contact Egnyte Support to remove this connection
Egnyte has several safeguards in place to help you monitor the use of EKM in your account. Once configured, you’ll see a status field in the EKM section of your account that indicates whether your key is available.
If Egnyte is unable to retrieve the external key on any upload or download (e.g. if your key management service is unavailable), that operation will fail. In this scenario, your users will see an error indicating that Egnyte was unable to access your external key.
If this happens, we will also send an email immediately to notify the Egnyte account admins. Once access to the key is restored, we will send another email to notify them that the issue has been resolved.