
Manage Encryption

Updated today

To ensure your data backups are secure, they must be encrypted. This encryption relies on a unique encryption key, known as the E-Key. A crucial aspect of security is that the E-Key is never stored anywhere, neither by Druva nor on the customer system.

How is an E-Key generated?

The E-Key is dynamically generated each time it is needed. This is how it works:

  • User String: A unique string is stored in your account (specifically in the Parameter Store Name Prefix field).

  • Druva String: Another string is securely stored within Druva’s database.

  • Combined for E-Key: The two strings are brought together, and the User String is used to decrypt the Druva String. Neither string alone can be used to decrypt your data.

When a backup of your account is performed, the user string is accessed to generate the E-Key. To ensure high availability and reliability, an attempt is made to retrieve this string from the Primary Region first. If it's not accessible there, then the Secondary Region is checked. As long as the string is found in either region, the E-Key can be successfully generated, allowing your backup to proceed securely.
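
A pre-flight check for the lookup order described above, as an added example (not Druva's code): it probes both regions and reports which one the primary-then-secondary order would use, plus any loss of redundancy. The prefix and region values are constructed placeholders, and locating the string by name prefix through AWS Systems Manager `DescribeParameters` is an assumption about how it is stored.

```python
from typing import Callable, Optional

# Constructed placeholders; substitute the values from your E-Key Settings.
PREFIX, PRIMARY, SECONDARY = "example-ekey-prefix", "us-east-1", "us-west-2"


def ssm_has_prefix(region: str, prefix: str) -> bool:
    """True if a Parameter Store name in `region` starts with `prefix`.

    Assumption: the string lives in AWS Systems Manager Parameter Store under
    a name beginning with the prefix. DescribeParameters returns metadata
    only, so this check never reads the string itself.
    """
    import boto3  # lazy import keeps the ordering logic testable offline

    paginator = boto3.client("ssm", region_name=region).get_paginator("describe_parameters")
    pages = paginator.paginate(
        ParameterFilters=[{"Key": "Name", "Option": "BeginsWith", "Values": [prefix]}]
    )
    return any(page["Parameters"] for page in pages)


def check_user_string(prefix: str, primary: str, secondary: Optional[str] = None,
                      lookup: Callable[[str, str], bool] = ssm_has_prefix) -> dict:
    """Probe both regions and report which one the documented order would use."""
    regions = [("primary", primary)]
    if secondary:
        regions.append(("secondary", secondary))
    present, warnings = {}, []
    for role, region in regions:
        try:
            present[role] = bool(lookup(region, prefix))
        except Exception as exc:  # access denied, disabled region, network error
            present[role] = False
            warnings.append(f"{role} region {region}: lookup failed ({exc})")
    # Documented order: primary first, secondary only if primary has no string.
    source = next((role for role, _ in regions if present[role]), None)
    if source == "secondary":
        warnings.append("string missing from primary; backups depend on the secondary")
    elif source == "primary" and secondary and not present["secondary"]:
        warnings.append("string missing from secondary; no fallback if primary fails")
    elif source == "primary" and not secondary:
        warnings.append("no secondary region configured; no fallback if primary fails")
    return {"derivable": source is not None, "source": source, "warnings": warnings}


if __name__ == "__main__":
    print(check_user_string(PREFIX, PRIMARY, SECONDARY))
```

Running it requires credentials with `ssm:DescribeParameters` in both regions; a result with `derivable` set to `False` means a backup would find no string in either region.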

Perform the following to generate an E-Key:

  1. Log in to the AWS Workloads Management Console and navigate to the account for which you wish to configure storage and encryption. Click the gear icon on the top navigation bar.

  2. Click Druva Storage to be directed to the Storage and Encryption page.

  3. Click the Encryption tab.

  4. Click Authorise.


    📝 Note

    Encryption keys are required to encrypt your backups. Without them, your backups cannot be taken. To create these keys, access to the Parameter Store is required in one of your AWS accounts. It is recommended to add multiple authorizations.


  5. In the Authorise dialog, select the account you want to authorise. Click Next.

  6. In the E-Key Settings tab provide the following:

    • Parameter Store Name: Provide the name under which a string will be stored in the account. The string will be used to derive an encryption key.

    • Primary Region: Select the primary region.

      During backup of the account, the string will be accessed first from the primary region. If it is not present, then Secondary Region will be accessed.

      Therefore, if the string is found in any one of the primary or secondary regions, the E-Key can be derived.

    • Secondary Region (optional): Select the secondary region.

      During backup of the account, if the string is not present in the primary region, the secondary region will be accessed.

    • Authorization: Select to authorize the Encryption Keys.

  7. Click Save. The key is created.

  8. Click Rotate Keys to replace your current encryption key with a new one. This security measure limits the risk of a compromised key and shortens the window of time an attacker has to access your data. Click Delete to remove a key.

  9. Click Add Authorization to add more keys.



    📝 Note

    If you have multiple accounts, we recommend a separate authorization key for each account.

