Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 1 Overview

@20aman    Jun 21, 2020

You can bring your own keys (BYOK) to encrypt the data in an Azure Recovery Services vault. The key you supply is used to encrypt all backup data stored in the vault, for every protected item. By default, the service encrypts with "platform-managed keys"; a key that you supply is referred to as a "customer-managed key".

This gives you control over the key that protects your backup data: you own the key's lifecycle (creation, rotation, access and revocation) in your own Key Vault, and the vault can encrypt or decrypt only while its identity is granted access to that key. It is highly recommended for any sensitive data you protect in the cloud. Keep the flip side in mind: if the key is deleted, or the vault's access to it is removed, backup data encrypted with that key can no longer be restored. That is why the Key Vault holding the key must have soft-delete and purge protection enabled (step 3 below).

Please note that:

  • Configure the key before protecting any items in the vault.
  • Once a vault is configured with a customer-managed key, it cannot be switched back to platform-managed keys.
  • The Recovery Services vault can be encrypted only with a key stored in an Azure Key Vault in the same region as the vault.
  • The key must be an RSA 2048 key and must be in the enabled state.

To configure your vault to encrypt with a customer-managed key, follow the steps below, in this order:

  1. Enable managed identity for your Recovery Services vault
  2. Assign permissions to the vault's managed identity to access the encryption key in the Azure Key Vault
  3. Enable soft-delete and purge protection on the Azure Key Vault
  4. Assign the encryption key to the Recovery Services vault

We will look at these steps in detail in the following posts.
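As an added worked example that is not part of the original post, here are the four steps above as one Azure CLI script. It assumes the Recovery Services vault and the Key Vault already exist in the same region, uses placeholder names (rg-backup-byok, rsv-byok-demo, kv-byok-demo-001, rsv-encryption-key), and relies on the `az backup vault identity assign`, `az backup vault encryption update` and `az backup vault encryption show` sub-commands, which were added to azure-cli after this post was written, so check `az backup vault encryption --help` on your version. The script is dry-run by default (it prints every `az` command instead of running it) and only executes when BYOK_APPLY=1; the region and key-identifier checks are plain shell and run either way.

```shell
#!/bin/sh
# Added example: configure a customer-managed key (BYOK) on an existing
# Recovery Services vault with Azure CLI, following the four steps in the post.
# All names below are placeholders. Dry-run by default; BYOK_APPLY=1 executes.
set -eu

RG="${RG:-rg-backup-byok}"                 # assumed resource group
RSV="${RSV:-rsv-byok-demo}"                # existing Recovery Services vault
KV="${KV:-kv-byok-demo-001}"               # existing Key Vault (globally unique name)
RSV_LOCATION="${RSV_LOCATION:-eastus}"     # region of the Recovery Services vault
KV_LOCATION="${KV_LOCATION:-eastus}"       # region of the Key Vault (must match)
KEY_NAME="${KEY_NAME:-rsv-encryption-key}" # RSA 2048 key to create in the Key Vault
APPLY="${BYOK_APPLY:-0}"

# Run a command when applying; otherwise print it so the plan can be reviewed.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# --- pure-shell preflight checks mirroring the post's constraints -----------

# 0 if both Azure region names match (case and spaces ignored), else 1.
same_region() {
  a=$(printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
  b=$(printf '%s' "$2" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if $1 is a Key Vault key identifier, https://<kv>.vault.azure.net/keys/<name>
# optionally followed by /<version>; anything else is rejected.
valid_key_id() {
  case "$1" in
    https://*.vault.azure.net/keys/*) ;;
    *) return 1 ;;
  esac
  key_path="${1#https://*.vault.azure.net/keys/}"
  [ -n "$key_path" ] || return 1
  case "$key_path" in
    */*/*) return 1 ;;   # more than <name>/<version>
    */|/*) return 1 ;;   # empty version or empty name
  esac
  return 0
}

# Refuse to proceed if the vault already protects items (post: configure CMK first).
assert_vault_has_no_items() {
  [ "$APPLY" = "1" ] || return 0
  n=$(az backup item list -g "$RG" -v "$RSV" --query 'length(@)' -o tsv)
  [ "$n" = "0" ] || { echo "vault already protects $n item(s); configure the key first" >&2; return 1; }
}

# Step 1: system-assigned managed identity for the Recovery Services vault.
step1_enable_identity() {
  run az backup vault identity assign --system-assigned -g "$RG" -n "$RSV"
}

# Object ID of that identity (placeholder GUID in dry-run mode).
principal_id() {
  if [ "$APPLY" = "1" ]; then
    az backup vault show -g "$RG" -n "$RSV" --query identity.principalId -o tsv
  else
    echo "00000000-0000-0000-0000-000000000000"
  fi
}

# Step 2: grant that identity the key permissions Azure Backup needs.
step2_grant_key_access() {
  run az keyvault set-policy -n "$KV" --object-id "$1" \
    --key-permissions get list wrapKey unwrapKey
}

# Step 3: purge protection so the key cannot be permanently lost while backups
# depend on it. Soft-delete is on by default for current Key Vaults; for an old
# vault that still has it off, add --enable-soft-delete true to this command.
step3_protect_key_vault() {
  run az keyvault update -n "$KV" -g "$RG" --enable-purge-protection true
}

# Create an enabled RSA 2048 key and print its key identifier (kid).
create_key() {
  run az keyvault key create --vault-name "$KV" -n "$KEY_NAME" --kty RSA --size 2048 >&2
  if [ "$APPLY" = "1" ]; then
    az keyvault key show --vault-name "$KV" -n "$KEY_NAME" --query key.kid -o tsv
  else
    echo "https://$KV.vault.azure.net/keys/$KEY_NAME"
  fi
}

# Step 4: point the Recovery Services vault at the key.
step4_assign_key() {
  run az backup vault encryption update -g "$RG" -n "$RSV" --encryption-key-id "$1"
}

main() {
  same_region "$RSV_LOCATION" "$KV_LOCATION" \
    || { echo "Key Vault must be in the same region as the Recovery Services vault" >&2; return 1; }
  assert_vault_has_no_items
  step1_enable_identity
  pid=$(principal_id)
  step2_grant_key_access "$pid"
  step3_protect_key_vault
  kid=$(create_key)
  valid_key_id "$kid" || { echo "unexpected key identifier: $kid" >&2; return 1; }
  step4_assign_key "$kid"
  run az backup vault encryption show -g "$RG" -n "$RSV"   # confirm the vault now uses the key
}

main
```

Run it once without BYOK_APPLY to read the plan, then with `BYOK_APPLY=1` after `az login` and `az account set`. Passing a key identifier without a version (as the dry-run path does) means the vault follows the key's latest version; pin a version in the identifier if you want rotation to be an explicit step.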
