Bring Your Own Key(s) (BYOK): What, why and how to get started in Sherpany

This article describes how BYOK works with the Sherpany application and how it must be configured. Here you will learn:

  • How Sherpany uses encryption keys
  • What Bring Your Own Key (BYOK) is
  • Which migrations from Sherpany-managed keys to BYOK, or from BYOK to Sherpany-managed keys, are supported
  • What the required setup for BYOK is
  • Whether Sherpany supports different ways of configuring BYOK
  • Whether there is another way of removing encryption keys from Sherpany

How is Sherpany using encryption keys?

The Sherpany application uses encryption keys to encrypt and decrypt all documents uploaded to the application. This is an additional security measure to ensure that no one can access document content without also having access to the encryption keys.

What is Bring Your Own Key (BYOK)?

Sherpany manages the keys to the documents on Sherpany in HashiCorp Vault. With Bring Your Own Key, key management for the files is under the customer's control and is not handled by Sherpany.

BYOK can bring several challenges:

  • The BYOK Vault is down, so documents cannot be displayed in Sherpany because they cannot be decrypted
  • Added complexity, as the infrastructure is managed by multiple organisations
  • Problems with the network connection, so the Sherpany app cannot get the keys to decrypt documents
  • The customer loses all keys because of a missing backup, so the documents in Sherpany can no longer be decrypted

With BYOK, the customer is responsible for ensuring that, whenever needed, Sherpany can create, retrieve and store the encryption keys required for document handling in the Sherpany application.

Important  

There will always be a moment when the keys are on our servers. They are held in our servers' RAM for some milliseconds.

App servers request keys from the customer's Vault.

Which migrations from Sherpany-managed keys to BYOK, or from BYOK to Sherpany-managed keys, are supported?

Sherpany supports migration in both directions. It is possible to start using Sherpany without BYOK and implement it later. It is also possible to do it the other way around: start using Sherpany with BYOK, later drop it, and have all the data in our data center.

What is the required setup for BYOK?

The easiest and most common way is for the customer to set up their own HashiCorp Vault, fully under their own control.

Sherpany will require access, either directly or through an encrypted tunnel, to the customer's Vault in order to create, retrieve and store encryption keys.

Sherpany can help with setting up and configuring HashiCorp Vault. Sherpany can also set it up for the customer in Sherpany's infrastructure and give the customer full control.

You can find all the details about HashiCorp Vault in its documentation: Documentation | Vault | HashiCorp Developer

The Vault resource is configured in Sherpany at the room level, so separate Vaults can be used per room if needed.

Does Sherpany support different ways of configuring BYOK?

Yes, we also support configuration with AWS KMS. If you prefer another solution, we are always happy to hear your requirements and limitations and to work with you on a custom solution that works for both you and Sherpany.

Is there another way of removing encryption keys from Sherpany?

Sherpany provides a way of removing all encryption keys for a whole organisation through the Admin Portal (management console).

Information  

Deleting the keys will trigger the deletion of all documents associated with the deleted keys. As documents are decrypted on the server, all documents will be available on native applications (iOS, Android, Windows) until the next sync or app deletion.
