Bring your own key (BYOK) encryption
Last updated
Last updated
All customer data is encrypted at rest in Amazon Web Services (AWS) using an AES-256 key encryption. In addition, it is possible to add a second layer of encryption using a dedicated key for each customer.
While Nexthink typically manages these keys, you can opt for a Bring Your Own Key (BYOK) model to manage your own encryption key. To start using BYOK, you need an AWS account. You may need an external key store to manage your key outside of AWS Key Management Service (KMS). To enable BYOK, contact Nexthink Support.
This advanced security feature is subject to an additional licensed module named Security Plus.
The following personal information stored at rest is encrypted:
| Device | User |
|---|---|
|
|
Nexthink employs an envelope encryption strategy that uses two sets of keys:
Data encryption key (DEK): Encrypts the actual data
Key encryption key (KEK): Encrypts the data encryption key
Use AES-256 encryption to manage both DEK and data. In a BYOK scenario, you only manage the KEK.
By default, Nexthink manages the KEK, storing it in the AWS KMS of Nexthink’s AWS account. BYOK allows customers to store and manage the KEK in their own key store.
| Using AWS Key Management Service (Recommended) | Using an external key store |
|---|---|
Here, the KEK is stored in your AWS KMS account. Nexthink gains access to the KEK through a policy that is added to the key in AWS KMS. | If you choose to use an external key management service, connect your AWS KMS to the external key store and create a key within AWS KMS. Refer to the AWS documentation page for more information. |
When a KEK or DEK rotates, newly encrypted data is secured using the updated key. Meanwhile, existing data remains encrypted with the prior key, ensuring seamless decryption processes without compromising data integrity.
| Key type | Rotation period |
|---|---|
Data encryption key | Rotated every 7 days |
Key encryption key | Rotated annually if managed by Nexthink Defined by the customer in a BYOK model |
Nexthink designed the rotating mechanism to leverage the advanced capabilities of AWS Key Management Service.
If a KEK is deleted or access to the key is no longer possible in the case of BYOK, then access to the data is only available for the lifetime of the Nexthink internal in-memory cache. Once the in-memory cache expires, access to encrypted data becomes impossible.
When the KEK is rotated, the Nexthink data acquisition system uses this new KEK for every newly generated data encryption key, e.g., upon rotation of the DEK. Following the DEK rotation period, all new data is encrypted with the new KEK. Preservation of access to old versions of the KEK is necessary, even after the DEK rotation period has passed, to allow decryption of information ingested before the KEK rotation, e.g., a device offline for an extended period.
Refer to the Bring your own key (BYOK) FAQ documentation (available to Nexthink Community users) for more information.
