Skip to main content
Skip table of contents

Bring your own key (BYOK) encryption

All customer data is encrypted at rest in AWS using an AES-256 key encryption. In addition, it is possible to add a second layer of encryption using a dedicated key per customer.

While Nexthink typically manages these keys, you can opt for a bring your own key (BYOK) model to manage your own encryption key. To start with BYOK, you need an Amazon Web Services (AWS) account. Optionally, you may also require an external key store to manage your key outside of AWS Key Management Service (KMS). To enable BYOK, contact Nexthink Support.

This advanced security feature is subject to an additional licensed module named Security+. 

Scope of Encrypted Data

The following personal information stored at rest is encrypted:



  • SID

  • name

  • distinguished name

  • hardware serial number BIOS

  • hardware serial number chassis

  • hardware serial number machine

  • hardware product ID

  • public IP address

  • local admins

  • SID

  • name

  • Entra ID name

  • Entra ID email

  • Entra ID distinguished name

  • Entra ID full name

  • Entra ID cloud SID

  • AD on-premises SID

Encryption algorithm

Nexthink employs an envelope encryption strategy that uses two sets of keys:

  • Data encryption key (DEK): Encrypts the actual data.

  • Key encryption key (KEK): Encrypts the data encryption key.

AES-256 encryption is used for both the DEK and data. In a BYOK scenario, you manage the key encryption key.

BYOK options

By default, the key encryption key is managed by Nexthink and stored in the AWS KMS of Nexthink’s AWS account. BYOK allows customers to store and manage the KEK in their own key store.

Using AWS Key Management Service Recommended

Using an external key store

Here, the KEK is stored in your AWS KMS account.

Nexthink gains access to the KEK through a policy that is added to the key in AWS KMS.

You may also choose to use an external key management service. Connect your AWS KMS to the external key store and create a key within AWS KMS. Visit the AWS documentation page to learn more.

Key rotation

When a KEK or DEK rotates, newly encrypted data is secured using the updated key. Meanwhile, existing data remains encrypted with the prior key, ensuring seamless decryption processes without compromising data integrity.

Key type

Rotation period

Data encryption key

Rotated every 30 days.

Key encryption key

Rotated annually if managed by Nexthink.
Defined by the customer in a BYOK model.

Nexthink designed the rotating mechanism to leverage the advanced capabilities of the AWS Key Management Service.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.