Bring your own key (BYOK) encryption
Last updated
Last updated
All customer data is encrypted at rest in Amazon Web Services (AWS) using an AES-256 key encryption. In addition, it is possible to add a second layer of encryption using a dedicated key for each customer.
While Nexthink typically manages these keys, you can opt for a Bring Your Own Key (BYOK) model to manage your own encryption key. To start using BYOK, you need an AWS account. You may need an external key store to manage your key outside of AWS Key Management Service (KMS). To enable BYOK, contact Nexthink Support.
This advanced security feature is subject to an additional licensed module named Security Plus.
The following personal information stored at rest is encrypted:
SID
name
distinguished name
hardware serial number BIOS
hardware serial number chassis
hardware serial number machine
hardware product ID
public IP address
local admins
SID
name
Entra ID name
Entra ID email
Entra ID distinguished name
Entra ID full name
Entra ID cloud SID
Entra ID user principal name
AD on-premises SID
Nexthink employs an envelope encryption strategy that uses two sets of keys:
Data encryption key (DEK): Encrypts the actual data
Key encryption key (KEK): Encrypts the data encryption key
Use AES-256 encryption to manage both DEK and data. In a BYOK scenario, you only manage the KEK.
By default, Nexthink manages the KEK, storing it in the AWS KMS of Nexthink’s AWS account. BYOK allows customers to store and manage the KEK in their own key store.
Here, the KEK is stored in your AWS KMS account.
Nexthink gains access to the KEK through a policy that is added to the key in AWS KMS.
If you choose to use an external key management service, connect your AWS KMS to the external key store and create a key within AWS KMS. Refer to the AWS documentation page for more information.
When a KEK or DEK rotates, newly encrypted data is secured using the updated key. Meanwhile, existing data remains encrypted with the prior key, ensuring seamless decryption processes without compromising data integrity.
Data encryption key
Rotated every 7 days
Key encryption key
Rotated annually if managed by Nexthink Defined by the customer in a BYOK model
Nexthink designed the rotating mechanism to leverage the advanced capabilities of AWS Key Management Service.
If a KEK is deleted or access to the key is no longer possible in the case of BYOK, then access to the data is only available for the lifetime of the Nexthink internal in-memory cache. Once the in-memory cache expires, access to encrypted data becomes impossible.
When the KEK is rotated, the Nexthink data acquisition system uses this new KEK for every newly generated data encryption key, e.g., upon rotation of the DEK. Following the DEK rotation period, all new data is encrypted with the new KEK. Preservation of access to old versions of the KEK is necessary, even after the DEK rotation period has passed, to allow decryption of information ingested before the KEK rotation, e.g., a device offline for an extended period.
Refer to the Bring your own key (BYOK) FAQ documentation (available to Nexthink Community users) for more information.