Configuration
You can configure Enterprise Key Management in the Security & Authentication section of the Configuration tab within the Enterprise Key Management sub-section.
The configuration depends on your encryption key provider.
If you configure a key to be managed externally, you'll need to be extremely cautious when changing settings or when disabling the key. Accidentally deleting the key or making it unavailable for your Egnyte domain can make it impossible to regain access to your Egnyte data.
Azure Key Vault
Microsoft Azure Key Vault can be configured directly within Egnyte's WebUI. All fields are required, and you will need to get most of this information from your Azure Key Vault account. Find detailed instructions for setting this up here.
Amazon Web Services (AWS) Key Management Service (KMS)
Amazon Web Services will require the following items prior to configuring the Egnyte domain:
- The customer needs to use a symmetric key.
- By default, when you create an AWS KMS key, you get a KMS key for symmetric encryption.
- A symmetric encryption KMS key represents a 256-bit AES-GCM encryption key.
- Key usage is ENCRYPT_DECRYPT.
Find more information on the above requirements here.
Once all the required items are acquired, input them into the Amazon KMS option in the Enterprise Key Management section to complete the configuration.
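As an added example (not Egnyte's or AWS's code), the following Python check reads the KeyMetadata returned by the AWS KMS DescribeKey API and reports whether the key satisfies the requirements above (symmetric key, ENCRYPT_DECRYPT usage) and is still usable, since a disabled or pending-deletion key would cut the domain off from its data. The sample metadata dictionaries are constructed, and the `check_live_key` helper assumes boto3 and AWS credentials are available where it runs.

```python
"""Validate an AWS KMS key against the Egnyte EKM prerequisites."""

# AWS KMS names its 256-bit AES-GCM symmetric key spec SYMMETRIC_DEFAULT.
REQUIRED_KEY_SPEC = "SYMMETRIC_DEFAULT"
REQUIRED_KEY_USAGE = "ENCRYPT_DECRYPT"


def check_kms_key_metadata(metadata: dict) -> list[str]:
    """Return a list of problems with the key; an empty list means it is suitable.

    `metadata` is the KeyMetadata dict from the KMS DescribeKey response.
    """
    problems = []
    spec = metadata.get("KeySpec")
    if spec != REQUIRED_KEY_SPEC:
        problems.append(f"KeySpec is {spec!r}; a symmetric {REQUIRED_KEY_SPEC} key is required")
    usage = metadata.get("KeyUsage")
    if usage != REQUIRED_KEY_USAGE:
        problems.append(f"KeyUsage is {usage!r}; {REQUIRED_KEY_USAGE} is required")
    # Any state other than Enabled (Disabled, PendingDeletion, ...) makes
    # the Egnyte domain's data unreachable, so treat it as a hard failure.
    state = metadata.get("KeyState")
    if state != "Enabled":
        problems.append(f"KeyState is {state!r}; the key must be Enabled")
    return problems


def check_live_key(key_id: str, region: str) -> list[str]:
    """Fetch the metadata of a real key and validate it (requires boto3 and credentials)."""
    import boto3  # imported here so the pure check above runs offline
    client = boto3.client("kms", region_name=region)
    return check_kms_key_metadata(client.describe_key(KeyId=key_id)["KeyMetadata"])


# Constructed sample responses; the shape follows DescribeKey, the values are made up.
GOOD_KEY = {
    "KeyId": "EXAMPLE-KEY-ID", "KeyState": "Enabled",
    "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
}
BAD_KEY = {
    "KeyId": "EXAMPLE-RSA-KEY", "KeyState": "PendingDeletion",
    "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY",
}

if __name__ == "__main__":
    for name, md in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        issues = check_kms_key_metadata(md)
        print(name, "OK" if not issues else "; ".join(issues))
```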
Additional Configuration Options
Cache Duration
To ensure high performance and reduce the number of requests to your key management system, you can specify a time period during which Egnyte will cache the external key. At your preference, the external key can be cached for time periods between 5 minutes and an hour.
The Cache duration defaults to 5 minutes.
- Navigate to the Enterprise Key Management section of the Security & Authentication page.
- Select the new duration from the Cache duration drop-down.
- Click Save.
Key Rotation
When using an external key management system, it is a best practice to rotate your encryption key on a regular basis. The procedure in each system varies slightly, but the main steps are the same:
- Create a new version of the key, making sure to keep the previous key version enabled.
- Enter the new key version in the Web UI. Egnyte will start using the new version of the key immediately.
- After the configured cache duration has expired, you can safely disable the original version of the key in your key management system.