Bring your own key (BYOK) encryption

All customer data is encrypted at rest in Amazon Web Services (AWS) using an AES-256 key encryption. In addition, it is possible to add a second layer of encryption using a dedicated key for each customer.

While Nexthink typically manages these keys, you can opt for a Bring Your Own Key (BYOK) model to manage your own encryption key. To start using BYOK, you need an AWS account. You may need an external key store to manage your key outside of AWS Key Management Service (KMS). To enable BYOK, contact Nexthink Support.

This advanced security feature is subject to an additional licensed module named Security+.

Scope of encrypted data

The following personal information stored at rest is encrypted:

  • SID

  • name

  • distinguished name

  • hardware serial number BIOS

  • hardware serial number chassis

  • hardware serial number machine

  • hardware product ID

  • public IP address

  • local admins

  • SID

  • name

  • Entra ID name

  • Entra ID email

  • Entra ID distinguished name

  • Entra ID full name

  • Entra ID cloud SID

  • Entra ID user principal name

  • AD on-premises SID

Encryption algorithm

Nexthink employs an envelope encryption strategy that uses two sets of keys:

  • Data encryption key (DEK): Encrypts the actual data

  • Key encryption key (KEK): Encrypts the data encryption key

Use AES-256 encryption to manage both DEK and data. In a BYOK scenario, you only manage the KEK.

BYOK options

By default, Nexthink manages the KEK, storing it in the AWS KMS of Nexthink’s AWS account. BYOK allows customers to store and manage the KEK in their own key store.

Using AWS Key Management Service (Recommended)Using an external key store

Here, the KEK is stored in your AWS KMS account.

Nexthink gains access to the KEK through a policy that is added to the key in AWS KMS.

If you choose to use an external key management service, connect your AWS KMS to the external key store and create a key within AWS KMS. Refer to the AWS documentation page for more information.

Key rotation

When a KEK or DEK rotates, newly encrypted data is secured using the updated key. Meanwhile, existing data remains encrypted with the prior key, ensuring seamless decryption processes without compromising data integrity.

Key typeRotation period

Data encryption key

Rotated every 7 days

Key encryption key

Rotated annually if managed by Nexthink Defined by the customer in a BYOK model

Nexthink designed the rotating mechanism to leverage the advanced capabilities of AWS Key Management Service.

If a KEK is deleted or access to the key is no longer possible in the case of BYOK, then access to the data is only available for the lifetime of the Nexthink internal in-memory cache. Once the in-memory cache expires, access to encrypted data becomes impossible.

When the KEK is rotated, the Nexthink data acquisition system uses this new KEK for every newly generated data encryption key, e.g., upon rotation of the DEK. Following the DEK rotation period, all new data is encrypted with the new KEK. Preservation of access to old versions of the KEK is necessary, even after the DEK rotation period has passed, to allow decryption of information ingested before the KEK rotation, e.g., a device offline for an extended period.

Refer to the Bring your own key (BYOK) FAQ documentation (available to Nexthink Community users) for more information.

Last updated