Skip to main content
search icon

Data managed with Bring Your Own Key (BYOK) encryption

Rewind
Updated

Important: This feature is in early access, contact your Rewind Account Manager to get access.

  • Once you install BYOK, you will not be able to disable it
  • If you have already installed Rewind for a particular account (service instance), you will not be able to use BYOK with it and will need to reach out to help@rewind.io to create a new installation with a new beginning-of-time backup
  • Your backups on Rewind will stop if Rewind loses permission to access your encryption key or if the encryption key is deleted
  • If the encryption key is deleted, and the waiting period to recover the key on AWS has passed (configurable between 7 to 30 days), your backup data will become inaccessible

Overview

Bring Your Own Key (BYOK) allows you to use an encryption key to control access to your backups stored with Rewind. This feature provides greater control over key management, its lifecycle, and helps you meet compliance requirements for data governance. Rewind currently supports BYOK with AWS Key Management System (KMS), additional KMS are being considered.

This article provides an overview of BYOK with AWS KMS, its benefits, use cases, and how to use it with Rewind.

Jump to this Step-by-step guide to setup BYOK.

Benefits of BYOK

  1. Increased Control – You have full control over encryption key generation and lifecycle management, which governs when and who has access to your stored data
  2. Regulatory Compliance – Meets specific regulatory and compliance requirements for data governance and security
  3. Enhanced Security – Your data is protected with a key generated by the Key Management System additional key, which enhances access control over your stored data
  4. Seamless Integration – Works with AWS KMS which comes with encryption key management features such as encryption key rotation, encryption key generation, permission management, and key revocation
  5. Key Revocation and Deletion – Users can revoke or delete keys when no longer needed, making stored data unreadable and inaccessible

Why use BYOK?

  • You have strict compliance requirements around data storage, access control, and governance
  • You want full control over access to your stored data at any time
  • You want to continue benefitting from Rewind’s unlimited storage offering on AWS

What Rewind products can be encrypted with BYOK?

  • These products can be encrypted with BYOK on Rewind:
    • GitHub Enterprise
    • Jira
    • Confluence
    • Bitbucket
    • Azure DevOps
    • Miro
    • Klayvio
    • Microsoft Entra ID
    • Okta
    • Mailchimp

What’s supported on Rewind

Component

Supported

Not Supported
Encryption key association
  • An encryption key can be used per single or multiple service instances
  
Organization transfers
  • No support for organization transfers
  • The ability to change the organization ID for a customer that has BYOK
Data residency change
  • BYOK is only applicable for a selected region, if a new one is required, a new setup is required
  • This happens at the organization + platform level
  • The ability to setup BYOK key in one region and change the storage to another region
Plan change
  • No support for downgrading of plans if a customer already has BYOK
  • Ability to remove BYOK if a customer decides to downgrade their plan (they must start fresh)
Data in-transit and cached data
  • Data in-transit will not be encrypted with BYOK, and will be deleted in 30 days
  • Encrypting data in-transit with BYOK
Trial customers
  • All trial customers if they request BYOK, are also eligible
  • Delineation between trial vs subscribed customers
Data storage
  • One S3 bucket per service instance
  • One S3 bucket per customer for all platforms
Migration of data
  • If a client is provisioned without BYOK and wants to move to BYOK, they will have to do a new beginning of time back-up
    • A new service instance will be created for this purpose
    • They will lose access to their previous data through the standard purge process
  • Migration of their existing data in a shared S3 bucket to their new S3 bucket
  • Ability to “remove” BYOK
Cloud Sync
  • BYOK-enabled accounts have full CloudSync capabilities, however synced data is not encrypted with the customer-provided KMS key and is encrypted in transit with TLS and at-rest with the encryption configured on the destination bucket (AWS?Azure/GCP)
  • Encryption before syncing to customer site
Exports
  • BYOK-enabled accounts have full export capabilities, however exported data is not encrypted with the customer-provided KMS key and is encrypted in transit with TLS.
  • Zipping and encrypting the file

Related to

Related articles

Need to talk to us?

Submit a request for our Customer Support or Sales team below and we'll get back to you as soon as possible!

Submit a request Contact sales