Bring Your Own Key (BYOK) Configuration

Changing AWS KMS keys

Follow these steps to change AWS KMS keys:

  1. Access your AWS account.

  2. Add the following statement to the key policy of the KMS key that DSV will use.

    This grants the Delinea DSV AWS account permission to encrypt and decrypt with this key. Append it to the existing "Statement" list rather than replacing the policy, so your own account keeps administrative access to the key; in a key policy, "Resource": "*" refers only to the key the policy is attached to.
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<delinea dsv aws account>:root"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  3. In the API or the CLI, update the key ARNs (the master keys) in DSV:

    • Option one: Use the API with a PUT request to v1/config/keys:

      {
        "keyprovider": "AWS",
        "primaryKey": "arn:aws:kms:us-east-1:<your-aws-account-id>:key/<primary-key-id>",
        "secondaryKey": "arn:aws:kms:us-west-1:<your-aws-account-id>:key/<secondary-key-id>"
      }
    • Option two: use the CLI command:

      dsv byok update \
        --primary-key arn:aws:kms:us-east-1:<your-aws-account-id>:key/<primary-key-id> \
        --secondary-key arn:aws:kms:us-west-1:<your-aws-account-id>:key/<secondary-key-id>
To update these keys, the user running the update needs permission to call the v1/config/keys API.
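The steps above involve two documents that are easy to get wrong: the key policy (put-key-policy replaces the whole policy, so the DSV statement has to be merged into what is already there) and the v1/config/keys request body (both ARNs must be real KMS key ARNs in your account). The following is an added example, not Delinea's or AWS's code: it merges the page's statement into a key policy idempotently, runs a simplified lockout check, validates the key ARNs and builds the PUT body. The account IDs, the existing policy and the helper names are placeholders constructed for the example.

```python
import json
import re

# Constructed placeholder account IDs for this example; substitute your own
# account and the Delinea DSV account ID (the page's <delinea dsv aws account>).
OWNER_ACCOUNT_ID = "123456789012"
DSV_ACCOUNT_ID = "111111111111"

# arn:aws:kms:<region>:<12-digit account>:key/<key id, a UUID>
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):key/"
    r"(?P<key_id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

# Constructed stand-in for what `aws kms get-key-policy --policy-name default`
# returns on a freshly created key: only the owner account's root is allowed.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def dsv_key_policy_statement(dsv_account_id):
    """The statement from the page, parameterised on the DSV account ID."""
    return {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dsv_account_id}:root"},
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:GenerateDataKey*",
            "kms:ReEncrypt*",
        ],
        # In a key policy, "*" means the key this policy is attached to.
        "Resource": "*",
    }


def merge_statement(policy, statement):
    """Return a copy of `policy` with `statement` added. Any existing statement
    with the same Sid is replaced, so re-running the merge is idempotent, and
    every other statement is kept: put-key-policy replaces the whole policy."""
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != statement["Sid"]]
    return {**policy, "Statement": kept + [statement]}


def policy_keeps_owner_access(policy, owner_account_id):
    """Simplified lockout check: at least one Allow statement must still name
    the owning account's root principal. KMS rejects a key policy that would
    leave the key unmanageable unless the safety check is explicitly bypassed,
    so this catches the mistake before the API call does."""
    root = f"arn:aws:iam::{owner_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if root in principals:
            return True
    return False


def parse_key_arn(arn):
    """Split a KMS key ARN into (region, account, key_id); reject aliases and typos."""
    match = KMS_KEY_ARN.match(arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return match.group("region"), match.group("account"), match.group("key_id")


def build_keys_request(primary_arn, secondary_arn, owner_account_id):
    """Body for `PUT v1/config/keys`. Both ARNs must be well-formed key ARNs in
    your own account (where the policy above was attached) and must differ."""
    _, primary_account, _ = parse_key_arn(primary_arn)
    _, secondary_account, _ = parse_key_arn(secondary_arn)
    if {primary_account, secondary_account} != {owner_account_id}:
        raise ValueError("both keys must belong to your AWS account")
    if primary_arn == secondary_arn:
        raise ValueError("primary and secondary keys must be different keys")
    return {"keyprovider": "AWS", "primaryKey": primary_arn, "secondaryKey": secondary_arn}


if __name__ == "__main__":
    merged = merge_statement(EXISTING_POLICY, dsv_key_policy_statement(DSV_ACCOUNT_ID))
    assert policy_keeps_owner_access(merged, OWNER_ACCOUNT_ID)
    print(json.dumps(merged, indent=2))  # save as policy.json for put-key-policy
    primary = f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    secondary = f"arn:aws:kms:us-west-1:{OWNER_ACCOUNT_ID}:key/abcd1234-ab12-cd34-ef56-abcdef123456"
    print(json.dumps(build_keys_request(primary, secondary, OWNER_ACCOUNT_ID), indent=2))
```

The merged policy printed by the script is what you would pass to `aws kms put-key-policy --policy-name default --policy file://policy.json`; the second document is the body for the PUT request (or the two `dsv byok update` flags). The lockout check is deliberately simplified: it only confirms the owner root principal is still named somewhere, which is the common way a copy-and-paste of the page's statement on its own would lock you out.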

Verifying Key Changes in Your AWS Account

Assuming CloudTrail is enabled, do the following:

  1. In your AWS account, go to CloudTrail.
  2. In CloudTrail, click Event history.
  3. Under Lookup attributes, select Event name and enter Encrypt.
  4. You should see DSV making Encrypt calls to your KMS keys; the user identity on those events shows the Delinea DSV AWS account as the caller.
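Filtering on the event name alone also shows your own Encrypt calls and calls to keys you no longer use. The following is an added example, not Delinea's or AWS's code, of what to check in each CloudTrail record: the event source is KMS, the caller's account is the DSV account, and the resource ARN is one of the keys you just configured. The account IDs, key ARNs and sample records are constructed for the example, in the shape of the CloudTrailEvent JSON that `aws cloudtrail lookup-events` returns.

```python
import json

# Constructed placeholders: the DSV account ID and the key ARNs you configured.
DSV_ACCOUNT_ID = "111111111111"
CONFIGURED_KEYS = {
    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn:aws:kms:us-west-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456",
}

# The KMS API calls the key policy on the page allows. Encrypt is the one the
# page tells you to look for; the others are logged by CloudTrail the same way.
KMS_EVENTS = {"Encrypt", "Decrypt", "GenerateDataKey", "ReEncrypt", "DescribeKey"}

# Constructed CloudTrail records, trimmed to the fields that are checked.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
    # Your own use of the same key: right key, wrong caller.
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012"},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
    # DSV calling a key that is no longer configured: right caller, wrong key.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"}]},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012"}, "resources": []},
]


def dsv_key_usage(events, dsv_account_id, configured_keys, names=KMS_EVENTS):
    """Return (event name, key ARN) pairs for KMS calls made by the DSV account
    against the configured keys. Accepts parsed records or the JSON strings
    that lookup-events places in each event's CloudTrailEvent field."""
    seen = []
    for rec in events:
        if isinstance(rec, str):
            rec = json.loads(rec)
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in names:
            continue
        if rec.get("userIdentity", {}).get("accountId") != dsv_account_id:
            continue
        for res in rec.get("resources", []):
            if res.get("ARN") in configured_keys:
                seen.append((rec["eventName"], res["ARN"]))
    return seen


def unused_keys(usage, configured_keys):
    """Configured keys that DSV has not called in the examined set of events."""
    return configured_keys - {arn for _, arn in usage}


if __name__ == "__main__":
    usage = dsv_key_usage(SAMPLE_EVENTS, DSV_ACCOUNT_ID, CONFIGURED_KEYS)
    for name, arn in usage:
        print(f"{name:<16} {arn}")
    print("not yet called by DSV:", unused_keys(usage, CONFIGURED_KEYS))
```

To run this against real data, pass the `CloudTrailEvent` strings from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Encrypt` (one call per event name of interest) as the `events` argument.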


After these steps, DSV's back-end encryption uses the new keys going forward.