Select Regions and Encryption Key Management System

Before you can use Cohesity DataProtect as a Service for Government (FedRAMP), you need to choose at least one cloud region for your data backups. Currently, Cohesity supports the US-Gov-East region.

  1. On the Cloud Regions page, click Add a Region.

  2. From the Set Up Region dialog, select the US-Gov-East as the region for your data backups and choose the encryption option. For more information on the encryption options, see Select Regions and Encryption Key Management System.

  3. Once the cloud region is provisioned, click Continue.

Choose Key Management System (KMS)

In Cohesity DataProtect as a Service for Government (FedRAMP), all the data is encrypted both in flight and at rest. Cohesity uses AWS Key Management System for at-rest data encryption and provides customers a choice between Cohesity- and self-managed keys:

  • Cohesity KMS. Cohesity generates and uses unique AWS encryption keys (known as Customer Master Keys in AWS) for each customer to encrypt their data.

  • Self-Managed KMS. You can also use your own AWS encryption keys (Customer Master Keys) instead. To use your own AWS KMS:

    1. You provide the CMK Amazon Resource Name (ARN) for the cloud region you selected.

    2. Cohesity generates the JSON for a key policy document that allows the DCohesity DataProtect as a Service for Government (FedRAMP) to make API calls to your CMK.

    3. You add the generated JSON contents to your AWS CMK's Policy in your AWS account.

      The permissions required by the Cohesity DataProtect as a Service for Government (FedRAMP) are:

      • kms:Encrypt

      • kms:Decrypt

      • kms:ReEncrypt*

      • kms:GenerateDataKey*

      • kms:DescribeKey

      If you choose this option, you are responsible for ensuring that your CMK is not deleted, as that would lead to data stored in Cohesity DataProtect to become unrecoverable.

      With this option, you can audit the access calls made to your CMK to find important information, including when the CMK was used, the operation that was requested, the identity of the requester, and the source IP address. For more, see Logging AWS KMS API calls with AWS CloudTrail and What Is AWS CloudTrail? in the AWS documentation.

      Note that you can also revoke CMK access to Cohesity at any time, after which Cohesity cannot decrypt the data stored in Cohesity DataProtect and all backup & recovery operations will fail.

In both options, Cohesity uses AES-256 encryption keys called DEKs (Data Encryption Keys) to encrypt the data at rest. DEKs are generated using the AWS CMK and rotated every 4 hours. The Data Encryption Key is encrypted with AWS CMK and stored along with the data — it is never stored in plain text.

Once you choose a KMS, you cannot change that choice.

Next > You're all set up and ready to register your sources!