This article goes through the steps required to set up Bring Your Own Key (BYOK) on Rewind using AWS Key Management Service.
Before getting started
Here are a few things to consider before setting up Bring Your Own Key (BYOK):
- Contact your Account Manager to enable BYOK for your organization if it has not been done yet.
- AWS Key Management Service (KMS) is currently the only supported provider.
  Support for additional KMS options is on the horizon—check with your Account Manager for updates.
- You must be an Organization Owner or Organization Admin in Rewind to configure BYOK.
How to set up Bring Your Own Key (BYOK) in Rewind
To enable BYOK in Rewind for the first time, you'll follow a two-step process:
- Create a BYOK configuration in Rewind using your AWS Key Management Service (KMS) key.
- Apply your BYOK configuration to your Rewind backup integrations so they use your key for encryption.
Create a BYOK configuration in Rewind
To create a new BYOK configuration in Rewind:
- Go to Account Settings → Security.
- Under “Bring Your Own Key (BYOK)”, click Setup.
- In the dropdown menu, select “Create a new configuration” and click Next.
  Note: If you have a configuration set up previously, selecting it will allow you to test whether it’s working as expected.
- Select the region in which you would like your data to be stored. Once you have selected a region, you cannot change it later.
- Click on “Generate KMS configuration.” This will launch your AWS CloudFormation console, where you can input your desired configuration details. We have pre-filled this page with information relevant to Rewind. Once you are done, click on “Create stack” on the console.
- Copy and paste the Main ARN into the field in Rewind. Validate that the region detected in the ARN matches the region that you selected in Step 4, and then click Next.
- At this point, Rewind will run tests in the background to ensure that the system can access and use the key to communicate with your AWS KMS.
- To finish the setup, click Done.
Apply a BYOK configuration to your Rewind account(s)
You will need to individually link each account to your Bring Your Own Key configuration. A single configuration can be applied to one or more accounts.
To link a BYOK configuration to one of your Rewind accounts:
- From the Integrations list, select the platform, then click the account name.
- Click Setup BYOK.
- From the dropdown list, select the BYOK configuration that you would like to use for this account. If you would like to set up a new configuration, click “Create a new configuration.” You will be redirected to the Account Settings, where you can create a new configuration, as outlined in the previous section.
- Click Next.
- At this point, Rewind will run tests in the background to ensure that the system can access and use the key to communicate with your AWS KMS.
- Once the test is complete, you will receive confirmation that the account has been linked to the BYOK configuration.
- To finish the setup, click Done. Now that BYOK is enabled for the account, you will see the Bring Your Own Key label.
What happens next
- Every night, Rewind will run a test to make sure that access to the keys is retained.
- If Rewind cannot access your key at any time, you will receive an e-mail notification, and a warning icon will appear beside the account.
- If you would like to make any changes to your BYOK configurations, please consult help@rewind.com before applying the changes on AWS KMS.
- Please ensure that Rewind retains access permission to each key configuration and that the key(s) remain active. Otherwise, your backups will stop.
- To learn more about Rewind’s Bring Your Own Key (BYOK) solution, including what data is supported, click here.
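The region check from the setup steps and the "key(s) remain active" requirement above can also be verified on the AWS side. The following is an added example, not Rewind's code: it parses a KMS key ARN and inspects the JSON printed by `aws kms describe-key --key-id <ARN>`. The function names, sample ARN, account ID and dates are constructed for illustration.

```python
import json
import re

# KMS key ARN layout: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(
    r"^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):key/([A-Za-z0-9-]+)$"
)

def arn_region(arn):
    """Return the region embedded in a KMS key ARN, or raise ValueError."""
    m = KMS_KEY_ARN.match(arn.strip())
    if not m:
        raise ValueError("not a KMS key ARN (alias ARNs and bare key IDs are rejected)")
    return m.group(2)

def byok_key_problems(pasted_arn, selected_region, describe_key_json):
    """List reasons the key fails the region check or is no longer usable."""
    try:
        region = arn_region(pasted_arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if region != selected_region:
        problems.append(f"ARN region {region} != selected region {selected_region}")
    meta = json.loads(describe_key_json)["KeyMetadata"]
    if meta.get("Arn") != pasted_arn.strip():
        problems.append("describe-key output is for a different key")
    # A key that is disabled or pending deletion cannot be used for encryption.
    if meta.get("KeyState") != "Enabled" or not meta.get("Enabled", False):
        problems.append(f"key state is {meta.get('KeyState')}, not Enabled")
    if meta.get("DeletionDate"):
        problems.append(f"key is scheduled for deletion on {meta['DeletionDate']}")
    return problems

# Constructed sample data (not real keys or accounts).
SAMPLE_ARN = "arn:aws:kms:ca-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_OK = json.dumps(
    {"KeyMetadata": {"Arn": SAMPLE_ARN, "KeyState": "Enabled", "Enabled": True}})
SAMPLE_PENDING = json.dumps(
    {"KeyMetadata": {"Arn": SAMPLE_ARN, "KeyState": "PendingDeletion",
                     "Enabled": False, "DeletionDate": "2030-01-01T00:00:00+00:00"}})

if __name__ == "__main__":
    print(byok_key_problems(SAMPLE_ARN, "ca-central-1", SAMPLE_OK))
    print(byok_key_problems(SAMPLE_ARN, "us-east-1", SAMPLE_PENDING))
```

This covers key state and region only; whether the key policy still grants Rewind access is what Rewind's own nightly test exercises.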
Need More Help?
If you have questions or need assistance, reach out to help@rewind.com, or submit a request. We’re here to help!