This guide provides a comprehensive overview of implementing the Bring Your Own Key (BYOK) feature in Legatics. By managing your own encryption keys, you gain greater control over your data's security.
Prerequisites: Before you begin, ensure that:
AWS account: You have an active AWS account with access to the AWS Key Management Service (KMS).
Private instance: Your Legatics environment is set up in a private instance.
Consult with Legatics: You have consulted with your Legatics engagement manager to discuss the additional annual charge and necessary legal agreements.
Good to know: Your data remains highly secure even without BYOK. Legatics uses industry-standard encryption protocols and best practices for encryption and key management to ensure that your data is fully protected.
I've got different needs: If our BYOK setup doesn’t fully meet your needs, or you have any questions, please contact your engagement manager. We're here to discuss options and explore solutions that could work for you.
Understand our BYOK offering
What is BYOK?
By default, Legatics manages the keys that encrypt your data. When you enable BYOK, the keys that encrypt your data are themselves encrypted by a key stored and generated in:
your own AWS account through KMS; or
a third-party key management system and made available via KMS.
Why use BYOK?
BYOK offers additional control and flexibility. With BYOK, you manage the encryption keys used to protect your data, giving you oversight over when and how these keys are used.
This level of control can be especially valuable for organizations with strict internal security policies or regulatory requirements, including the Schrems II ruling and data transfers outside the EU and UK.
How does it work?
Legatics will use your key in KMS - referred to as the customer master key (CMK) - to generate a data key. That data key will be used to encrypt all of your data held in Legatics.
Legatics will cache the plaintext of your data key for the time period you specify - meaning that your key is used to decrypt the data key according to your cache time while your users are active in the product. You will be able to monitor and report upon usage of your key using tools provided by AWS.
Backups of your data held in Legatics will also be encrypted by your master key.
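The guide notes that you can monitor use of your key with AWS tooling. As an added example (not Legatics or AWS code), the Python below audits CloudTrail-style KMS records for your key: it lists calls made by any principal other than the agreed role and counts Decrypt calls per cache window. The ARNs and sample records are constructed placeholders, and treating more than one Decrypt per window as noteworthy is an assumption, not documented Legatics behaviour.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Placeholders (assumptions): use your key ARN and the role ARN shared with you.
CMK_ARN = "arn:aws:kms:eu-west-2:111111111111:key/EXAMPLE-KEY-ID"
LEGATICS_ROLE = "arn:aws:iam::222222222222:role/EXAMPLE-LEGATICS-ROLE"
OTHER_ROLE = "arn:aws:iam::111111111111:role/EXAMPLE-OTHER-ROLE"
CACHE_SECONDS = 300  # the 5-minute cache time the guide recommends
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _event(time, name, role_arn):
    """Constructed CloudTrail-style record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": role_arn}}},
            "resources": [{"ARN": CMK_ARN, "type": "AWS::KMS::Key"}]}

SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "GenerateDataKey", LEGATICS_ROLE),
    _event("2024-05-01T09:05:02Z", "Decrypt", LEGATICS_ROLE),
    _event("2024-05-01T09:10:05Z", "Decrypt", LEGATICS_ROLE),
    _event("2024-05-01T09:10:40Z", "Decrypt", LEGATICS_ROLE),
    _event("2024-05-01T09:12:00Z", "Decrypt", OTHER_ROLE),
]

def audit_key_usage(events, key_arn, expected_role, cache_seconds):
    """Return (unexpected_calls, busy_windows) for KMS events touching key_arn."""
    unexpected, per_window = [], defaultdict(int)
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if key_arn not in [r.get("ARN") for r in ev.get("resources") or []]:
            continue
        ident = ev.get("userIdentity", {})
        # Assumed-role sessions name the role under sessionIssuer; others under arn.
        caller = (ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
                  or ident.get("arn"))
        if caller != expected_role:
            unexpected.append((ev["eventTime"], ev["eventName"], caller))
        elif ev["eventName"] == "Decrypt":
            ts = datetime.strptime(ev["eventTime"], FMT).replace(tzinfo=timezone.utc)
            per_window[int(ts.timestamp()) // cache_seconds] += 1
    # Several Decrypts in one cache window is a prompt to look closer, not proof of
    # misuse: separate application servers may each keep their own cache (assumption).
    busy = {datetime.fromtimestamp(w * cache_seconds, timezone.utc).strftime(FMT): n
            for w, n in per_window.items() if n > 1}
    return unexpected, busy

if __name__ == "__main__":
    print(audit_key_usage(SAMPLE_EVENTS, CMK_ARN, LEGATICS_ROLE, CACHE_SECONDS))
```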
Turning on BYOK
Step 1: Talk to your engagement manager
First, you’ll need to contact your engagement manager to get started. BYOK has an additional annual charge, requires a private instance, and we need to amend our legal agreement to reflect:
the annual charge
the minimum term of 12 months
potential limitations in support due to BYOK
Step 2: Create a key in AWS KMS
Follow the AWS guidelines to create a key in AWS KMS. When setting up your key, you need to apply the following settings:
Key type | Symmetric |
Granting key access | Your engagement manager will share the ARN of the AWS role which Legatics will use to access your key. You will need to grant access to this role, identified by its ARN |
Key usage permissions | The following operations will need to be granted to the Legatics role
|
Step 3: Provide Legatics with ARN and cache time
Once we have both the ARN and the cache time, we’ll apply BYOK to your environment.
ARN: This is the Amazon Resource Name, which acts as a unique, fully qualified identifier for the key across AWS.
Cache time: Refers to how long Legatics should store the encryption key after retrieving it from KMS. To optimise the user experience, we recommend a cache time of 5 minutes. The minimum cache time is 1 minute, and the maximum is 24 hours.
Managing BYOK
The Admin System has a page dedicated to managing your encryption key. To get to the page, go to Admin System > Settings, then click on the Bring your own key setting. Once you’re on the page, you’ll see the following information about your key:
Provider | The platform that stores your key |
ARN | The ARN for the key |
Key last rotated on | Date and time when the key was last rotated in Legatics |
Updating the ARN
If the ARN is incorrect, click on the ARN field and update it. Once you're done, press Save.
Heads-up: This will also rotate the key. See below for more details about key rotation.
Changing the cache time
Currently, you can’t edit the cache time from the admin system (it’s coming). Until then, let us know if the cache time needs to change and we can make that change for you. The minimum cache time is 1 minute, the maximum is 24 hours.
Rotating your key
Keys should be periodically rotated. This allows Legatics to protect all of your data with your current key, rather than leaving older data encrypted by a previous key.
Critical: Previous keys shouldn't be deleted. They may still be required to decrypt existing data. Deleting these keys will result in permanent loss of access to encrypted information.
To rotate your key:
Undertake your key rotation in AWS
Back in Legatics, go to the BYOK page and press Rotate in the "Rotate key" section
Confirm the rotation in the modal that appears
Good to know: If rotation is successful, we will then decrypt your data key using the old master key and re-encrypt it with the new one. And you’ll see a success toaster informing you!
Info: If you don’t create a new key, and still press “Rotate” you’ll get a success toaster but no rotation will have happened. We show the success toaster because it’s not possible for us to recognise if the key hasn’t changed.
Note: If rotation isn’t successful, you’ll get a toaster informing you of the specific reason and suggesting solutions. If you’re still having trouble after trying those solutions, reach out to us at support@legatics.com.
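A simplified model of the rotation described above, as an added example (not Legatics' implementation): the data key is unwrapped with the old master key and re-wrapped with the new one, while a backup taken before rotation still depends on the old key. `ToyKMS`, its wrap routine and the key names are hypothetical stand-ins for KMS, not real cryptography.

```python
import hashlib, hmac, os

class ToyKMS:
    """In-memory stand-in for a key service. The wrap is illustrative, not real crypto."""
    def __init__(self):
        self.keys = {}
    def create_key(self, key_id):
        self.keys[key_id] = os.urandom(32)
    def delete_key(self, key_id):
        del self.keys[key_id]
    def _pad(self, key_id, nonce):
        return hmac.new(self.keys[key_id], b"pad" + nonce, hashlib.sha256).digest()
    def _tag(self, key_id, nonce, body):
        return hmac.new(self.keys[key_id], b"tag" + nonce + body, hashlib.sha256).digest()
    def wrap(self, key_id, data_key):
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(data_key, self._pad(key_id, nonce)))
        return {"key_id": key_id, "nonce": nonce, "body": body,
                "tag": self._tag(key_id, nonce, body)}
    def unwrap(self, blob):
        kid = blob["key_id"]
        if kid not in self.keys:
            raise KeyError("master key unavailable: " + kid)
        if not hmac.compare_digest(blob["tag"], self._tag(kid, blob["nonce"], blob["body"])):
            raise ValueError("wrapped data key failed its integrity check")
        return bytes(a ^ b for a, b in zip(blob["body"], self._pad(kid, blob["nonce"])))

def rotate(kms, wrapped, new_key_id):
    """Unwrap under the old master key, re-wrap under the new; the data key is unchanged."""
    return kms.wrap(new_key_id, kms.unwrap(wrapped))

def demo():
    kms = ToyKMS()
    kms.create_key("cmk-v1")
    kms.create_key("cmk-v2")
    data_key = os.urandom(32)
    live = kms.wrap("cmk-v1", data_key)
    backup = dict(live)  # assumption: a backup taken now keeps the v1-wrapped data key
    live = rotate(kms, live, "cmk-v2")
    same_key = kms.unwrap(live) == data_key == kms.unwrap(backup)
    kms.delete_key("cmk-v1")  # the deletion the guide warns against
    live_ok = kms.unwrap(live) == data_key
    try:
        backup_ok = kms.unwrap(backup) == data_key
    except KeyError:
        backup_ok = False
    return same_key, live_ok, backup_ok

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, False)`: live data survives deleting the old key, but the pre-rotation backup can no longer be opened.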
Frequently asked questions
I’m an existing customer, can I use BYOK?
Yes, if you’re on a private instance. If you’re on a multi-tenant instance, this isn’t possible as BYOK currently requires a private instance.
Should I delete a key after I rotate it?
No. Expired keys are required to decrypt existing data (including backups). Deleting these keys will result in permanent loss of access to encrypted information.
What happens if I withdraw the key?
Once BYOK is set up, if your key is withdrawn or becomes unavailable your data will become inaccessible until we can access the key. Specifically:
Users can't get into matters
If a user tries to access a matter (through a URL), or is already in the matter and takes an action, they will see the modal below.
Your matters aren't visible to anyone
The matters you host won’t be viewable or accessible from the "my matters" page. Users will be notified that these matters are hidden and inaccessible.
No ability to create matters
Your Members won't be able to create matters. They'll see the below modal.
Members can't log into Legatics (if SSO is on)
If SSO is on, any Member who logs in with SSO won’t be able to log in to Legatics (Guests and non-SSO users can still log in). Those users will be notified on the log-in screen that "Encryption keys are managed by your organisation. We’re having trouble accessing those keys. Until we can, you won’t be able to log in".
Limited access to the admin system
All of the admin system will become inaccessible, except for the dashboard, resources and user pages (except that changing Member permissions won’t be possible). When a System Admin tries to access those pages, they'll see the below error pages.
What AWS region should I store our key in?
We recommend storing your key in the same AWS region as your Legatics instance to reduce access latency. You can find the AWS region that stores your data on the accounts page.
This is not essential, however. If you prefer to hold your keys in a specific location, for consistency or for regulatory purposes, then you can do so. Note that the China region of AWS is not supported.
Can I disable BYOK after choosing to use it?
BYOK has a minimum term of 12 months. If you want to, you can disable BYOK at the end of that 12-month period.
Does BYOK help in the context of Schrems II and data transfers to the US?
The Schrems II decision by the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, complicating data transfers to the US due to concerns over US authorities' access to EU citizens' data under laws like FISA 702.
BYOK can help improve regulatory compliance for data transfers post-Schrems II by:
Reducing the risk of US access: Even if data is accessed by US authorities, it remains encrypted, protecting it from unauthorized access.
Supplementary Safeguard: Schrems II requires extra measures for data transfers, specifically to the US. BYOK also offers strong protection and helps meet GDPR requirements.
Compliance: BYOK aligns with GDPR and UK Data Protection Act, aiding in legal data transfers and protecting against non-EU/UK access.