Clumio uses a CMK key to perform encryption. Clumio creates the CMK through the CloudFormation template. This is to ensure that we have all the necessary permissions to access the key and perform encryption and decryption as necessary. Clumio does not support the use of an existing CMK.

Clumio leverages the CMK to generate the Data Encryption Key (DEK) through a cross-account IAM role. This role is created and assigned to the CMK Key Policy during the initial CloudFormation template deployment process.

All actions performed by Clumio on this CMK get audited and are logged in the customer's CloudTrail service. For more information on monitoring these logs in CloudTrail, see https://support.clumio.com/hc/en-us/articles/360059163171-Parsing-CloudTrail-logs-to-check-CMK-activities. 

Details about the KMS pricing can be found at https://aws.amazon.com/kms/pricing/. 

Using multiple AWS accounts with the same CMK

AWS does not permit moving a CMK between accounts. However, you can set a single CMK to be readable by multiple accounts by following the process here. As long as Clumio has access to that same CMK, backups/restore activities will continue to work.

Manually changing the CMK is not supported

Clumio encrypts the backup data using the KMS keys created by the Clumio service CloudFormation template. Clumio rotates the data encryption keys (DEK) every 30 days to ensure that they do not use only one key for data encryption. Clumio does not support the ability for users to change the CMK configured for encrypting Clumio backups. If you replace the existing CMK, all existing backups encrypted by the old key cannot be decrypted by Clumio and can no longer be used. 

Bring Your Own Key (BYOK) Encryption

Clumio SecureVault backups are encrypted by a CMK deployed in the KMS service of a customer's AWS account. When the Bring Your Own Key (BYOK) Encryption feature is enabled, Clumio uses your CMK to encrypt Clumio SecureVault backups. 

BYOK is supported for:

• EBS
• EC2
• M365 (Exchange, OneDrive, Sharepoint)
• VMs (VMWare and VMC)
  
• S3
• RDS
• DynamoDB
• Azure AD
• SQL on EC2
• SQL on VMC

Enabling BYOK does not re-encrypt previous backups 

When you set up the BYOK feature, Clumio does not re-encrypt the previous backups with your newly configured CMK. Only new backups performed after enabling the feature are encrypted using the BYOK CMK.  The old backups will continue to remain encrypted and usable with Clumio's default encryption keys.

Clumio BYOK Limitations

• The Clumio BYOK service requires the KMS key to be created by the Clumio BYOK CloudFormation template. 
• The BYOK CloudFormation template needs to be deployed in the same region as the Clumio control plane.  

For information about lost or deleted keys, see Lost CMK Keys.

Please reach out to support@clumio.com with any questions.