Bring Your Own Key (BYOK) Configuration

Use the following steps to change the AWS master keys that DSV uses for encryption.

  1. In your AWS account, add the following statement to the key policy of each KMS key that DSV will use. This grants the DSV AWS account permission to encrypt and decrypt with these keys.

    {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<delinea dsv aws account>:root"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }
  2. In the API or CLI, update the master key ARNs in DSV.

  • Using the API:

    PUT v1/config/keys

    {
        "keyprovider": "AWS",
        "primaryKey": "arn:aws:kms:us-east-1:<your aws account>:key/<keyid>",
        "secondaryKey": "arn:aws:kms:us-west-1:<your aws account>:key/<keyid>"
    }
  • Using the CLI:

    dsv byok update --primary-key arn:aws:kms:us-east-1:<your aws account>:key/<keyid> --secondary-key arn:aws:kms:us-west-1:<your aws account>:key/<keyid>

    To update these keys, the user must be authorized to access the v1/config/keys API.
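The following Python script is an added example, not part of the Delinea documentation or the DSV code base. It builds the step 1 key-policy statement for a given DSV account id, checks an existing key policy against it (reporting both missing actions and anything granted beyond the five listed, so an over-broad grant such as kms:* is caught), and validates the two key ARNs before assembling the step 2 request body. The account ids and key ids in the `__main__` block are constructed placeholders. One caveat worth knowing when reading the statement: in a KMS key policy, "Resource": "*" refers to the key the policy is attached to, not to every key in the account.

```python
import json
import re
from fnmatch import fnmatchcase

# The five actions the page's key-policy statement grants to the DSV principal.
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
)

# Shape of a KMS key ARN (region:account:key/<uuid>), the form expected in
# primaryKey / secondaryKey. Alias ARNs (":alias/...") are deliberately rejected.
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):(?P<account>\d{12})"
    r":key/(?P<key_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)


def dsv_statement(dsv_account_id):
    """Return the step 1 key-policy statement for the given DSV account id.
    In a KMS key policy, "Resource": "*" means the key the policy is attached to."""
    return {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dsv_account_id}:root"},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
    }


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_key_policy(policy, dsv_account_id):
    """Compare what the policy grants the DSV principal against REQUIRED_ACTIONS.

    Returns a list of findings (empty means exactly the page's grant). Wildcards
    in granted actions count towards coverage, but any action string that is not
    in the page's list is reported, so an over-broad grant like kms:* is caught."""
    principal_arn = f"arn:aws:iam::{dsv_account_id}:root"
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if principal_arn not in aws and "*" not in aws:
            continue
        granted.update(_as_list(stmt.get("Action")))
    if not granted:
        return [f"no Allow statement names {principal_arn}"]
    findings = []
    for action in REQUIRED_ACTIONS:
        if not any(fnmatchcase(action, g) for g in granted):
            findings.append(f"missing required action {action}")
    for g in sorted(granted):
        if g not in REQUIRED_ACTIONS:
            findings.append(f"action {g} goes beyond the page's list")
    return findings


def byok_request_body(primary_key, secondary_key):
    """Validate both key ARNs and build the PUT v1/config/keys body from step 2."""
    for field, arn in (("primaryKey", primary_key), ("secondaryKey", secondary_key)):
        if not KMS_KEY_ARN.match(arn):
            raise ValueError(f"{field} is not a KMS key ARN: {arn}")
    return {"keyprovider": "AWS", "primaryKey": primary_key, "secondaryKey": secondary_key}


if __name__ == "__main__":
    # Constructed placeholder ids; substitute the real DSV account and your own key ARNs.
    policy = {"Version": "2012-10-17", "Statement": [dsv_statement("444455556666")]}
    print(json.dumps(policy, indent=2))
    print("findings:", check_key_policy(policy, "444455556666"))
    print(json.dumps(byok_request_body(
        "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        "arn:aws:kms:us-west-1:123456789012:key/66666666-7777-8888-9999-aaaaaaaaaaaa",
    ), indent=2))
```

Run `check_key_policy` against the JSON returned by `aws kms get-key-policy --policy-name default` for each key before and after the change; an empty findings list is the expected result for a key that grants DSV exactly what the page lists.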

Verify Key Changes in Your AWS Account (Assuming CloudTrail Is Enabled)

  1. In your AWS account, go to CloudTrail.
  2. In CloudTrail, click Event history.
  3. In Lookup attributes, filter on EventName=Encrypt.
  4. You should see DSV making API calls against your KMS keys.
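The same check can be run over exported CloudTrail records, which is useful when verifying many keys or when you want an alert rather than a manual look at Event history. The Python below is an added example, not part of the Delinea documentation: it filters KMS use events for the new key ARNs, confirms that the DSV account has called Encrypt on them (step 4), tallies calls per account, and lists any account other than yours and DSV's that used the keys. The account ids, key ARNs and the records in `SAMPLE_EVENTS` are constructed placeholders with only the CloudTrail fields these checks read.

```python
from collections import Counter

# CloudTrail eventName values for the actions the key policy grants to DSV.
KMS_USE_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "DescribeKey"}

# Constructed account ids and key ARNs (placeholders, not real values).
YOUR_ACCOUNT = "123456789012"
DSV_ACCOUNT = "444455556666"
PRIMARY_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SECONDARY_KEY = "arn:aws:kms:us-west-1:123456789012:key/66666666-7777-8888-9999-aaaaaaaaaaaa"


def _event(name, account, arn, source="kms.amazonaws.com", time="2024-01-01T00:00:00Z"):
    """Build a minimal CloudTrail record with only the fields the checks below read."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "accountId": account},
        "resources": [{"type": "AWS::KMS::Key", "ARN": arn}],
    }


# Constructed sample of what Event history might contain after the BYOK update.
SAMPLE_EVENTS = [
    _event("Encrypt", DSV_ACCOUNT, PRIMARY_KEY, time="2024-01-01T10:00:01Z"),
    _event("Decrypt", DSV_ACCOUNT, PRIMARY_KEY, time="2024-01-01T10:00:02Z"),
    _event("Encrypt", DSV_ACCOUNT, SECONDARY_KEY, time="2024-01-01T10:00:03Z"),
    _event("DescribeKey", YOUR_ACCOUNT, PRIMARY_KEY, time="2024-01-01T10:01:00Z"),
    _event("Decrypt", "999988887777", PRIMARY_KEY, time="2024-01-01T10:02:00Z"),
    _event("GetObject", YOUR_ACCOUNT, "arn:aws:s3:::example-bucket/obj", source="s3.amazonaws.com"),
]


def kms_calls_on_keys(events, key_arns):
    """KMS use events (Encrypt, Decrypt, ...) whose resources include one of key_arns."""
    wanted = set(key_arns)
    return [
        ev for ev in events
        if ev.get("eventSource") == "kms.amazonaws.com"
        and ev.get("eventName") in KMS_USE_EVENTS
        and wanted & {r.get("ARN") for r in ev.get("resources", [])}
    ]


def dsv_encrypt_seen(events, key_arns, dsv_account_id):
    """Verification step 4: has the DSV account called Encrypt on the new keys?"""
    return any(
        ev["eventName"] == "Encrypt" and ev["userIdentity"].get("accountId") == dsv_account_id
        for ev in kms_calls_on_keys(events, key_arns)
    )


def calls_by_account(events, key_arns):
    """Counter of (accountId, eventName) over KMS use of the keys."""
    return Counter(
        (ev["userIdentity"].get("accountId"), ev["eventName"])
        for ev in kms_calls_on_keys(events, key_arns)
    )


def unexpected_callers(events, key_arns, allowed_accounts):
    """Accounts using the keys that are neither yours nor DSV's."""
    seen = {ev["userIdentity"].get("accountId") for ev in kms_calls_on_keys(events, key_arns)}
    return sorted(seen - set(allowed_accounts))


if __name__ == "__main__":
    keys = [PRIMARY_KEY, SECONDARY_KEY]
    print("DSV Encrypt seen:", dsv_encrypt_seen(SAMPLE_EVENTS, keys, DSV_ACCOUNT))
    for (account, name), n in sorted(calls_by_account(SAMPLE_EVENTS, keys).items()):
        print(f"{account} {name}: {n}")
    print("unexpected callers:", unexpected_callers(SAMPLE_EVENTS, keys, [YOUR_ACCOUNT, DSV_ACCOUNT]))
```

Feed it the `Records` array from a CloudTrail log file or the `Events` returned by `aws cloudtrail lookup-events`; the `unexpected_callers` result is the one to keep an eye on after the change, since the key policy should leave no one but your account and the DSV account able to use the keys.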

After these steps, everything should work as before, but encryption in the backend now uses the new keys.