This article describes the details of BYOK with the Sherpany application and the required way of configuring BYOK. Here you will learn:
- How Sherpany uses encryption keys
- What is Bring Your Own Key (BYOK)
- Which migrations from Sherpany managing keys to BYOK or from BYOK to Sherpany managing keys are supported
- What is the required setup for BYOK
- If Sherpany supports different ways of configuring BYOK
- If there is another way of removing encryption keys from Sherpany
How does Sherpany use encryption keys?
The Sherpany application uses encryption keys to encrypt and decrypt all the documents uploaded to the application. It is an additional security measure to ensure that no one can access document content without also having access to the encryption keys.
What is Bring Your Own Key (BYOK)?
Sherpany manages the keys to the documents on Sherpany in HashiCorp Vault. With Bring Your Own Key, the key management for the files will be under your control and will not be managed by Sherpany.
BYOK can bring several challenges:
- The BYOK vault is down
- Added complexity
- Problems with the network connection
- The customer loses all keys because of no backup
You are responsible for ensuring that, whenever needed, Sherpany can create, retrieve and store the encryption keys required for document handling in the Sherpany application.
There will always be a moment when the keys are on our servers: they are held in our servers' RAM for some milliseconds.
Our app servers will request keys from your Vault.
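Two of the challenges listed above, the vault being down and network problems, can be monitored from your side. The following Python probe is an added example (not Sherpany's code and not part of the original article): it queries Vault's standard `/v1/sys/health` endpoint and reports whether the Vault is active, degraded, down or unreachable. The address `vault.example.internal` is a placeholder assumption.

```python
"""Added example: availability probe for a customer-run Vault used for BYOK."""
import json
import urllib.error
import urllib.request

# Default status codes returned by Vault's GET /v1/sys/health endpoint.
HEALTH_CODES = {
    200: ("ok", "initialized, unsealed, active"),
    429: ("degraded", "unsealed standby node"),
    472: ("degraded", "disaster-recovery secondary"),
    473: ("degraded", "performance standby"),
    501: ("down", "not initialized"),
    503: ("down", "sealed"),
}


def classify_health(status_code):
    """Map a sys/health HTTP status code to a (state, reason) pair."""
    return HEALTH_CODES.get(
        status_code, ("unknown", f"unexpected HTTP {status_code}")
    )


def probe_vault(base_url, timeout=3.0):
    """Probe the Vault at base_url; return its state, reason and seal flag."""
    url = base_url.rstrip("/") + "/v1/sys/health"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            code, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # Vault signals sealed/standby via non-2xx codes; the body is still JSON.
        code, body = err.code, err.read()
    except (urllib.error.URLError, OSError) as err:
        # DNS failure, TLS failure, connection refused or timeout.
        return {"state": "unreachable", "reason": str(err), "sealed": None}
    state, reason = classify_health(code)
    try:
        sealed = json.loads(body).get("sealed")
    except (ValueError, AttributeError):
        sealed = None  # body was not the expected JSON object
    return {"state": state, "reason": reason, "sealed": sealed}


if __name__ == "__main__":
    # Placeholder address (assumption): replace with your own Vault URL.
    print(probe_vault("https://vault.example.internal:8200"))
```

Run it from the network path Sherpany's app servers use to reach your Vault (for example through the same tunnel), so that a result of `unreachable` reflects what Sherpany would see.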
Which migrations from Sherpany managing keys to BYOK or from BYOK to Sherpany managing keys are supported?
Sherpany supports migration in both directions. You can start using Sherpany without BYOK and implement it later. You can also do it the other way around: start using Sherpany with BYOK and later drop it and have all the data in our data center.
What is the required setup for BYOK?
The easiest and most common way is to simply set up your own HashiCorp Vault fully under your control.
Sherpany will require access, either directly or through an encrypted tunnel, to your Vault in order to create, retrieve and store encryption keys.
Sherpany can help with setting up and configuring HashiCorp Vault, but we can also set it up for you in our infrastructure and provide full control to you.
You can find all the details about HashiCorp Vault in their documentation: Documentation | Vault | HashiCorp Developer
The Vault resource is configured in Sherpany at the room level, so you can use separate Vaults per room if needed.
Does Sherpany support different ways of configuring BYOK?
Yes, we also support configuration with AWS KMS. If you prefer another solution, we are always happy to hear your requirements and limitations and to work with you on a custom solution that works for both you and Sherpany.
Is there another way of removing encryption keys from Sherpany?
Sherpany provides a way of removing all encryption keys for a whole organisation through the Admin Portal (management console).
Deleting the keys will trigger the deletion of all documents associated with the deleted keys. As documents are decrypted on the server, all documents will be available on native applications (iOS, Android, Windows) until the next sync or app deletion.