Select Regions and Encryption Key Management System

Before you can use Cohesity DataProtect as a Service, you need to select at least one cloud region for your data backups and choose your desired encryption options for securing your backups.

For a current list of supported regions and countries, see the FAQ.

Once data is backed up to one region, you cannot move it to another. To back up your data in another region, add that region and start protecting your data there.

On the Cloud Regions page, click Add a Region.

From the Set Up Region dialog, select the cloud region for your data backups and choose the encryption option. For more information on the encryption options, see Choose Key Management System (KMS).

Once the cloud region is provisioned, click Continue.

Choose Key Management System (KMS)

In Cohesity DataProtect as a Service, all data is encrypted both in flight and at rest. Data at rest is encrypted with keys held in AWS Key Management System (KMS) or Azure Key Vault. You can choose to encrypt your data using Cohesity-generated AWS KMS or Azure Key Vault keys, or bring your own AWS KMS or Azure Key Vault keys:

  • Cohesity KMS. Depending on the region you select to store the data, Cohesity generates and uses unique AWS KMS keys or Azure Key Vault keys for each customer to encrypt their data.

  • Self-Managed KMS. You can also use your own AWS encryption keys (Customer Master Keys) instead. For detailed instructions, see Use Self-Managed KMS.

    Self-Managed KMS is not supported for Microsoft Azure cloud regions.

    Review and understand the following high-level process for using your own AWS encryption keys (Customer Managed Keys):

    1. You provide the CMK Amazon Resource Name (ARN) for the cloud region you selected.

      Cohesity supports both single-region and multi-region self-managed KMS keys.

    2. Cohesity generates the JSON for a key policy document that allows the DataProtect service to make API calls to your CMK.

    3. You add the generated JSON contents to your AWS CMK's Policy in your AWS account.

      Cohesity recommends using the Cohesity-managed KMS for data encryption. If you choose the self-managed KMS, you are responsible for protecting the CMKs used for data encryption. Note that if those CMKs are compromised, the data stored in Cohesity DataProtect as a Service will not be recoverable.

      With this option, you can audit the access calls made to your CMK to find important information, including when the CMK was used, the operation that was requested, the identity of the requester, and the source IP address. For more, see Logging AWS KMS API calls with AWS CloudTrail and What Is AWS CloudTrail? in the AWS documentation.

      Note that you can also revoke Cohesity's access to the CMK at any time. After that, Cohesity cannot decrypt the data stored in Cohesity DataProtect as a Service, and all backup and recovery operations will fail.
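The audit trail described above can be reviewed offline. The following added example (not Cohesity's or AWS's code) parses CloudTrail records in the shape AWS writes for KMS API calls, lists every call that touched a given CMK with the requester, operation and source IP, and separates out failed calls, which is what appears once the key policy no longer grants the service access. The key ARN, role ARN and IP addresses are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (placeholder key ARN, role and IPs),
# in the shape CloudTrail uses for KMS API calls. Not real log data.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ROLE = "arn:aws:sts::444455556666:assumed-role/DataProtectRole/session"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ROLE}, "resources": [{"ARN": CMK_ARN}]},
    {"eventTime": "2024-01-01T14:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ROLE}, "resources": [{"ARN": CMK_ARN}]},
    {"eventTime": "2024-01-02T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ROLE}, "resources": [{"ARN": CMK_ARN}],
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-02T09:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"}]},
]})

def cmk_events(trail_json, cmk_arn):
    """KMS calls that touched the given CMK, oldest first, with the fields
    worth auditing: when, which operation, who, from where, and any error."""
    out = []
    for r in json.loads(trail_json)["Records"]:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(res.get("ARN") == cmk_arn for res in r.get("resources", [])):
            continue
        out.append({"time": r["eventTime"], "operation": r["eventName"],
                    "principal": r["userIdentity"].get("arn", "<unknown>"),
                    "source_ip": r.get("sourceIPAddress"),
                    "error": r.get("errorCode")})
    return sorted(out, key=lambda e: e["time"])

def usage_summary(events):
    """Successful operations per (principal, operation) pair."""
    return Counter((e["principal"], e["operation"]) for e in events if not e["error"])

def denied_events(events):
    """Failed calls: after a key-policy change (for example revoking the
    service's access) these are the first sign the CMK can no longer be used."""
    return [e for e in events if e["error"]]
```

Run cmk_events on an exported trail and review usage_summary for unexpected principals or source IPs; denied_events should be empty while backups are expected to succeed.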

With either option, Cohesity encrypts data at rest with AES-256 Data Encryption Keys (DEKs). DEKs are generated using the AWS CMK and rotated every 4 hours. Each DEK is encrypted with the AWS CMK and stored alongside the data it protects; it is never stored in plain text.

Once you choose a KMS, you cannot change that choice.

Use Self-Managed KMS

To use your own AWS KMS keys, perform the following steps on the Set Up Region dialog:

  1. Choose the Region and select Self Managed KMS (AWS Only) as the Encryption Option.

  2. Enter your AWS Key ARN for the selected region and click Get JSON.

  3. Copy the generated JSON script.

    Go to your AWS CMK and add the copied JSON under the "Statement" element of the Key Policy, as shown below:

  4. Click Save.
