Bring your own key (BYOK) for data encryption

This is for: System Administrator

Coveo is always striving to meet the needs of its most security-conscious customers. Therefore, it offers bring-your-own-key (BYOK) encryption of its index data as a security enhancement.

This article explains Coveo’s BYOK encryption feature, its benefits, and how to enable it, as well as your responsibilities when using this feature.

Note

The BYOK encryption feature is ready for use but is still undergoing fine-tuning and enhancements. Contact your Coveo representative to start using it in an early-access program.

What is BYOK encryption?

BYOK encryption is a security enhancement offered as an alternative to Coveo’s default encryption mechanism, which uses Coveo’s managed encryption keys.

BYOK stands for bring your own key. This means that your index data is encrypted under AWS KMS keys that you own and manage in your own AWS account, and to which you grant Coveo access. However, managing your own encryption keys comes with critical responsibilities.

When you use BYOK encryption, Coveo encrypts your index data at rest with the encryption keys you provide and manage. The rest of your data remains encrypted with Coveo’s managed encryption keys.

How is BYOK beneficial for my organization?

Managing your own encryption keys is especially useful in the following scenarios:

  • If you suspect that your keys have been compromised, you can revoke them and generate new ones.

  • Similarly, you can revoke Coveo’s access to your index data at rest at any time, by disabling the key or by removing Coveo’s access from the key policy.

  • You want Coveo to be able to access your index data at rest from specific countries or data centers only. AWS KMS keys are regional, so Coveo can only use your key in the region where you created the primary key and in the regions where you created replicas.

  • Although Coveo has processes to delete your data once your contract ends, you could revoke your keys as an additional measure to ensure your data can no longer be accessed. Alternatively, you can request a written confirmation of deletion.

What can I encrypt?

Coveo lets you bring your own key to encrypt index data at rest.

Index data is the data that Coveo indexes from your content sources. In other words, it’s your content and its metadata. This data is stored in the Coveo index and is used to return search results.

Data at rest is stored on disk, unlike data in transit, which is being transmitted over the Internet or a network.

Regardless of whether you use BYOK encryption, the rest of your data is always encrypted with Coveo’s managed encryption keys. This includes usage analytics data, machine learning models, configurations, and all data in transit.

What are my responsibilities?

When you use BYOK encryption, you have the following responsibilities:

  • Use AWS KMS and manage your encryption keys. This entails extra work on your part, but the additional control over encryption may benefit a security-conscious business. It also means that Coveo doesn’t have access to your keys and can’t manage them for you. If you accidentally disable or delete a key (AWS KMS enforces a waiting period of 7 to 30 days before a scheduled deletion takes effect, during which you can cancel it), Coveo can no longer create new indexes or restore backups. The index data encrypted under that key is lost, and a complete organization reconfiguration and rebuild becomes necessary. This can have a significant impact on your business.

  • Keep your keys secure. Without your keys, you won’t be able to decrypt your data. Coveo can’t recover your keys if you lose them.

  • Only share your keys with trusted individuals, as they are sensitive security assets.

  • If you suspect that your keys have been compromised, generate new ones immediately. To avoid business disruption, contact your Coveo representative as soon as possible to start using the new key. You can also revoke the old key; however, doing so makes Coveo’s index backups that were encrypted under it unreadable. We recommend that you enable automatic key rotation: AWS KMS keeps the previous key material, so data and backups encrypted before a rotation remain readable.

Enable BYOK encryption in your license

BYOK encryption is an add-on for Coveo Platform Enterprise plans. It is available upon request. Contact your Coveo representative to activate it.

Important

You’re solely responsible for storing, managing, and safeguarding your keys. Coveo doesn’t have access to your keys and can’t recover them for you.

Key requirements

To encrypt your Coveo index data at rest, you must provide a key that meets the following requirements:

  • It’s provisioned by AWS Key Management Service (KMS).

  • It can perform the following actions:

    kms:CreateGrant
    kms:Decrypt
    kms:DescribeKey
    kms:Encrypt
    kms:GenerateDataKey
    kms:GenerateDataKeyWithoutPlaintext

Your Coveo representative will provide you with the region in which you should create your primary key and the regions in which you should create replicas.

Create a key

As explained previously, managing your encryption key is your responsibility, but to help you create this key, Coveo created AWS CloudFormation templates.

  1. Contact your Coveo representative to determine in which regions the primary key and its replicas should be created.

  2. Use the AWS Management Console or the AWS Command Line Interface (CLI) to deploy the templates and create the keys.

  3. Your Coveo representative will activate BYOK encryption for your organization.
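An illustrative CloudFormation template for the key described under Key requirements and in the procedure above. This is an added example written for this article; it is not one of Coveo’s own templates. The `CoveoPrincipalArn` parameter is an assumption: the actual principal to authorize, like the primary and replica regions, is what your Coveo representative provides. The alias name is also illustrative.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example multi-Region AWS KMS key for Coveo BYOK index encryption.
  Illustrative template, not a Coveo-provided one. Deploy it in the
  primary region given by your Coveo representative.

Parameters:
  CoveoPrincipalArn:
    Type: String
    Description: >
      Placeholder: the IAM principal Coveo uses to call KMS, as supplied
      by your Coveo representative.

Resources:
  ByokIndexKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Coveo BYOK index encryption key (primary)
      # A multi-Region key can be replicated (AWS::KMS::ReplicaKey) only into
      # the regions you choose; Coveo cannot use it anywhere else.
      MultiRegion: true
      # Annual rotation keeps old key material, so existing ciphertext and
      # backups stay readable after a rotation.
      EnableKeyRotation: true
      # Longest allowed waiting period before a scheduled deletion takes effect.
      PendingWindowInDays: 30
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keep this statement: without it your own account can no longer
          # administer the key (change its policy, disable it, delete it).
          - Sid: AllowKeyAdministrationByAccount
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Exactly the actions the Key requirements section lists; nothing
          # else (no kms:ScheduleKeyDeletion, no kms:PutKeyPolicy).
          - Sid: AllowCoveoUseOfKey
            Effect: Allow
            Principal:
              AWS: !Ref CoveoPrincipalArn
            Action:
              - kms:CreateGrant
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: "*"

  ByokIndexKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/coveo-byok-index   # illustrative name
      TargetKeyId: !Ref ByokIndexKey

Outputs:
  PrimaryKeyArn:
    Description: ARN to hand to Coveo and to reference from replica stacks.
    Value: !GetAtt ByokIndexKey.Arn
```

Deploy it in the primary region with `aws cloudformation deploy --template-file byok-kms.yaml --stack-name coveo-byok-key --parameter-overrides CoveoPrincipalArn=<principal from Coveo> --region <primary region>`. For each replica region your representative names, deploy a separate stack containing an `AWS::KMS::ReplicaKey` resource whose `PrimaryKeyArn` is the `PrimaryKeyArn` output above and whose `KeyPolicy` repeats the two statements. Revoking Coveo’s access later is a matter of removing the `AllowCoveoUseOfKey` statement or disabling the key; the administration statement is what lets you do that, so never remove it.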