To enhance data security, meet compliance requirements, and prevent unauthorized access, Cloud Backup provides KMS-based encryption. This topic describes how to use this feature.
Introduction
KMS-based encryption allows you to use Key Management Service (KMS) to manage your own encryption keys and encrypt your backup vaults.
Once you enable KMS-based encryption for a backup vault, you cannot change the customer master key (CMK).
If you disable or delete the CMK, the data in the encrypted backup vault cannot be recovered.
You must plan and create a CMK before you configure encryption for a backup vault. For more information, see Create a CMK.
This feature is not available for free backup policies.
Cloud Backup supports only the default key.
KMS-based encryption supports key rotation. Key rotation does not affect backup or recovery operations.
For a list of supported regions, see Features available in each region.
Procedure
Prepare a CMK.
Before you use KMS-based encryption, you must create a customer master key (CMK) and obtain its key ID. For more information, see Create a CMK.
Create an encrypted backup vault. Enable KMS-based encryption by setting the Vault Encryption Method to KMS and specifying the KMS KeyId.
Select the Create Backup Vault tab, then enter a Backup Vault Name and select a Backup Vault Resource Group.
For Vault Encryption Method, select KMS.
Select the checkbox to consent to the creation of a service-linked role, then enter the ID of your CMK in the KMS KeyId field.
Important: After you enable KMS-based encryption, do not delete or disable the CMK. Doing so prevents all backup and recovery operations for the vault.
For example, if you create a backup vault named doctest, the Storage Vaults page will show the Encryption based on KMS tag in the Storage Vault Type column for that vault.