Bring your own key (BYOK) encryption
All customer data is encrypted at rest in AWS using AES-256. In addition, a second layer of encryption can be added using a dedicated key per customer.
Nexthink manages these keys by default, but you can opt for a bring your own key (BYOK) model and manage the encryption key yourself. To use BYOK you need an Amazon Web Services (AWS) account; optionally, you can also use an external key store to hold the key outside AWS Key Management Service (KMS). To enable BYOK, contact Nexthink Support.
This advanced security feature is subject to an additional licensed module named Security+.
Scope of encrypted data
The following personal information stored at rest is encrypted:
| Device | User |
|---|---|
Encryption algorithm
Nexthink employs an envelope encryption strategy that uses two sets of keys:
Data encryption key (DEK): Encrypts the actual data.
Key encryption key (KEK): Encrypts the data encryption key.
AES-256 is used both to encrypt the data with the DEK and to encrypt the DEK with the KEK. In a BYOK scenario, you manage the key encryption key; the data encryption keys remain managed by Nexthink.
BYOK options
By default, the key encryption key is managed by Nexthink and stored in AWS KMS in Nexthink's AWS account. With BYOK, you store and manage the KEK in your own key store.
| Using AWS Key Management Service (recommended) | Using an external key store |
|---|---|
| The KEK is stored in AWS KMS in your own AWS account. Nexthink is granted access to it through a key policy attached to the key in AWS KMS. | You can also use an external key management service. Connect your AWS KMS to the external key store and create a key in AWS KMS that is backed by it. Visit the AWS documentation page to learn more. |
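The key policy that the AWS KMS option refers to has the shape shown below. This is an added illustration, not Nexthink's published policy: the account IDs are placeholders (111122223333 stands for your account, 999999999999 for the Nexthink AWS account that Support gives you), and the action list is the usual minimum for envelope encryption with a symmetric KMS key, which Nexthink may specify differently.

```json
{
  "Version": "2012-10-17",
  "Id": "byok-kek-policy",
  "Statement": [
    {
      "Sid": "CustomerRetainsFullControl",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowNexthinkToWrapAndUnwrapDEKs",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::999999999999:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The first statement is what makes this BYOK rather than shared custody: the key never leaves your account, and you can disable it, schedule its deletion or drop the second statement at any time, after which no DEK can be unwrapped and your data at rest becomes unreadable. Create the key as a symmetric encryption key (KMS symmetric keys are AES-256). Rotation of a BYOK KEK is your responsibility; enabling automatic rotation on the KMS key, whose default period is one year, reproduces the annual schedule Nexthink applies to keys it manages.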
Key rotation
When a KEK or DEK is rotated, newly encrypted data is protected with the new key. Data encrypted earlier remains encrypted under the prior key, which is retained so that it can still be decrypted; existing data does not need to be re-encrypted.
| Key type | Rotation period |
|---|---|
| Data encryption key | Rotated every 30 days. |
| Key encryption key | Rotated annually if managed by Nexthink. |
Nexthink's rotation mechanism builds on the key rotation capabilities of AWS Key Management Service.