Overview

Bronto supports Bring Your Own Key (BYOK) for encryption at rest. When enabled, Bronto encrypts your data using your own AWS KMS key, giving you full control over key ownership, lifecycle, and access. Bronto never stores or manages your encryption key material. When BYOK is enabled:
  • Newly ingested data stored in Bronto is encrypted at rest.
  • You retain full control over key rotation, disablement, and deletion.

Enabling Encryption Keys

Encryption keys are an enterprise feature and must be enabled by Bronto Support. Once enabled, an Encryption Keys section becomes available in your organization settings.

Creating the key in AWS

1) Create a customer-managed KMS key

  1. Open AWS Console → Key Management Service (KMS)
  2. Go to Customer managed keys
  3. Click Create key
  4. Choose:
    • Key type: Symmetric
    • Key usage: Encrypt and decrypt
    • Region: Multi-Region key (Mandatory)
  5. Click Next

2) Set alias and rotation

  1. Choose a key alias, for example:
    • alias/bronto-archive-prod
  2. (Recommended) Enable automatic key rotation
  3. Click Next

3) Set key administrators

  1. Select your internal AWS admins or security team
  2. These users can rotate, disable, or delete the key
  3. Click Next

4) Set the key policy (Required)

Replace the default policy with the following customer key policy (or add the second statement to the default). This policy:
  • Keeps full control with your AWS account root
  • Allows Bronto to use the key only for encryption and decryption
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowBrontoKmsUsage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::637423326566:role/BrontoByok"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

5) Copy the KMS Alias ARN

After creation:
  1. Open the key in KMS
  2. Go to the Aliases tab
  3. Copy the alias ARN, for example:
arn:aws:kms:eu-west-1:026090548703:alias/bronto-archive-prod
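The same steps 1 to 5 through the KMS API, as an added example (not Bronto's or AWS's own code): it fills your account ID into the page's key policy, reviews the policy so that the Bronto role is granted nothing beyond the four usage actions and no other principal is allowed anything, and then creates the symmetric multi-Region key with rotation and the alias. The Bronto role ARN and action list are taken from the policy above; the account ID, alias and region are your own values, and boto3 plus AWS credentials are assumed for the create step.

```python
import json

# Bronto's BYOK role and the only actions it needs, both taken from the key policy on this page.
BRONTO_ROLE_ARN = "arn:aws:iam::637423326566:role/BrontoByok"
BRONTO_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"}
_as_list = lambda x: [x] if isinstance(x, str) else list(x)  # IAM allows a string or a list


def build_key_policy(account_id: str) -> dict:
    """The page's customer key policy with your AWS account ID filled in for 'xxx'."""
    return {"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowBrontoKmsUsage", "Effect": "Allow",
         "Principal": {"AWS": BRONTO_ROLE_ARN}, "Action": sorted(BRONTO_ACTIONS), "Resource": "*"},
    ]}


def policy_problems(policy: dict, account_id: str) -> list:
    """Review a key policy before attaching it: only your root keeps kms:*, the Bronto role gets
    nothing beyond the four usage actions, and no other principal (including "*") is allowed anything."""
    root = f"arn:aws:iam::{account_id}:root"
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        pr = st.get("Principal", {})
        principals = _as_list(pr if isinstance(pr, str) else pr.get("AWS", []))
        actions = set(_as_list(st.get("Action", [])))
        for p in principals:
            if p not in (root, BRONTO_ROLE_ARN):
                findings.append(f"{st.get('Sid')}: unexpected principal {p}")
            elif p == BRONTO_ROLE_ARN and not actions <= BRONTO_ACTIONS:
                findings.append(f"{st.get('Sid')}: Bronto role granted {sorted(actions - BRONTO_ACTIONS)}")
    return findings  # empty list means the policy matches the page's intent


def create_bronto_key(account_id: str, alias: str, region: str) -> str:
    """Steps 1-5 of the page through the KMS API: symmetric, encrypt/decrypt, multi-Region,
    rotation enabled, alias set. Returns the alias ARN to paste into Bronto. Needs boto3 + credentials."""
    import boto3  # assumption: boto3 is installed; this function is not exercised offline
    kms = boto3.client("kms", region_name=region)
    policy = build_key_policy(account_id)
    assert not policy_problems(policy, account_id), "refusing to attach an over-broad key policy"
    key_id = kms.create_key(Policy=json.dumps(policy), KeyUsage="ENCRYPT_DECRYPT",
                            KeySpec="SYMMETRIC_DEFAULT", MultiRegion=True)["KeyMetadata"]["KeyId"]
    kms.enable_key_rotation(KeyId=key_id)
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=key_id)
    return f"arn:aws:kms:{region}:{account_id}:alias/{alias}"
```

Run `policy_problems` against any policy you edit by hand before attaching it; a non-empty result means a principal or action outside what this page grants has crept in.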

Adding an Encryption Key in Bronto

To add a key once enabled on your account:
  1. Go to Settings → Encryption Keys
  2. Click Add Encryption Key
  3. Enter:
    • Display Name (optional) — for identification inside Bronto
    • AWS KMS Alias ARN — the alias ARN of the KMS key you created in AWS
  4. Click Create
The key will not be used until it has been activated and Bronto begins storing data for the organization.

Activating the Key

To enable encryption at rest:
  1. Open the key
  2. Click Activate Key
  3. Confirm the warning
Once activated:
  • All newly ingested data is encrypted using this key.
  • The key's Last used date will confirm that Bronto is encrypting with it.
  • The key cannot be deactivated or replaced via the UI.
  • Reversal requires contacting Bronto Support.
  • This action is intentional and treated as permanent.

Important warnings

Bronto has no control over your KMS key.

  • Disabling or deleting the key immediately breaks access to encrypted data.
  • Bronto cannot recover data if the key is permanently lost.
  • You are responsible for monitoring and managing key lifecycle.