What Should I Do If I Need to Change My Azure Key Vault or Keys?

An AvePoint Online Services encryption profile uses Azure Key Vault to encrypt your backup data and tenant-sensitive information (Google Workspace or Microsoft 365 usernames, passwords, etc.). When you use a custom key vault for data encryption, you provide your key vault information in an encryption profile.

You may need to change your key vault or the keys in the Azure Key Vault because of your organization’s key rotation requirements or for other reasons. To ensure that AvePoint Online Services continues to work well and your data is still protected, you must follow the procedure in the scenario below that matches your change.

I Need to Change the Key Used for Data Encryption

If you need to change the key that is used to encrypt your backup data and tenant-sensitive information (Google Workspace or Microsoft 365 usernames, passwords, etc.), follow the procedure below:

  1. In the Azure Key Vault, create a new key or create a new version for the key that is used in the AvePoint Online Services encryption profile.

    *Note: Skip this step if you have already prepared a key.

  2. Navigate to AvePoint Online Services > Encryption management and create a new encryption profile. For details, see Create an Encryption Profile.

  3. On the Encryption management page, select the newly created profile and click Apply on the ribbon to switch from the old key to the new key.

    *Note: After you click Apply, AvePoint Online Services starts applying the key, and the Applying label is displayed next to the new profile name. While AvePoint Online Services is applying the key in the new profile to re-encrypt your data, the key in the old profile is still in use. To ensure AvePoint Online Services works well and your data is still protected, do not delete the old profile or the old key in the Azure Key Vault while the key is being applied. The old profile and the old key must remain available until the backend re-encryption process is completed.

  4. When the new encryption profile status changes from Applying to Used, the key in the new profile has been successfully applied. Many organizations are required to keep the old keys for a while according to their key retention policy, but if you need to delete the key used in the old encryption profile or delete the old encryption profile, you may delete it now.

I Need to Change My Key Vault

If you need to change your key vault settings but are not changing the associated application or key, your AvePoint Online Services encryption profile does not require any changes.

If you need to change the application associated with your key vault in the Azure Key Vault but are not changing the associated key, follow the procedure below:

  1. In the Microsoft Entra admin center (or Microsoft Azure portal), create a new application.

    *Note: Skip this step if you want to use an existing application.

  2. Copy the client ID of the application.

  3. Add a client secret for the application.

    *Note: Skip this step if you want to use an existing application that already has a valid client secret.

  4. Copy the client secret.

    *Note: You can copy the client secret only when it is generated. The client secret is hidden after you perform another operation or leave the page.

  5. Edit your key vault’s RBAC (role-based access control) or access policies, and then assign a new role or add a new access policy for the application.

  6. Navigate to AvePoint Online Services > Encryption management, edit your custom encryption profile and update the client ID and client secret.

I Need to Use a New Key Vault

If you need to use a new key vault to replace the original key vault, follow the procedure below:

  1. In the Microsoft Entra admin center (or Microsoft Azure portal), create a new key vault. For details, see Create a Key Vault in Azure.

  2. Navigate to AvePoint Online Services > Encryption management, and create a new encryption profile. For details, see Create an Encryption Profile.

  3. On the Encryption management page, select the newly created profile and click Apply on the ribbon to switch from the old key vault to the new key vault.

    *Note: After you click Apply, AvePoint Online Services starts applying the key vault, and the Applying label is displayed next to the new profile name. While AvePoint Online Services is applying the key in the new profile to re-encrypt your data, the key in the old profile is still in use. To ensure AvePoint Online Services works well and your data is still protected, do not delete the old profile, the old key vault, or the old key in the Azure Key Vault while AvePoint Online Services is applying the key. The old profile and the old key must remain available until the backend re-encryption process is completed.

  4. When the new encryption profile status changes from Applying to Used, the key in the new profile has been successfully applied. Many organizations are required to keep the old keys for a period according to their key retention policy, but if you need to delete the key used in the old encryption profile, delete the old key vault, or delete the old encryption profile, you may delete it now.
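
Added example (not AvePoint code and not a description of its backend): a minimal Python model of the Applying-to-Used transition described in the notes of the key-change and new-key-vault procedures above, showing why the old key must stay available until re-encryption finishes. The vault dictionary, record layout, key names and the stand-in cipher are assumptions made for illustration.

```python
import hashlib
import os

def _xor(key, nonce, data):
    # Constructed stand-in cipher (SHA-256 keystream XOR), only to keep the model runnable.
    stream = b""
    while len(stream) < len(data):
        block = len(stream) // 32
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(vault, key_id, plaintext):
    nonce = os.urandom(12)
    return {"key_id": key_id, "nonce": nonce, "ct": _xor(vault[key_id], nonce, plaintext)}

def decrypt(vault, rec):
    # Raises KeyError when the record's key is no longer in the vault.
    return _xor(vault[rec["key_id"]], rec["nonce"], rec["ct"])

def reencrypt(vault, records, new_key_id, limit=None):
    """Move up to `limit` records onto new_key_id; needs the old key to read each one."""
    done = 0
    for i, rec in enumerate(records):
        if rec["key_id"] == new_key_id:
            continue
        if limit is not None and done >= limit:
            break
        records[i] = encrypt(vault, new_key_id, decrypt(vault, rec))
        done += 1
    return done

def still_referenced(records, key_id):
    """Pre-deletion check: how many records are still encrypted under key_id."""
    return sum(1 for r in records if r["key_id"] == key_id)

def unreadable(vault, records):
    return sum(1 for r in records if r["key_id"] not in vault)

def demo():
    vault = {"old-key": os.urandom(32), "new-key": os.urandom(32)}  # hypothetical key names
    records = [encrypt(vault, "old-key", b"backup-%d" % i) for i in range(5)]
    reencrypt(vault, records, "new-key", limit=2)       # models status "Applying"
    pending = still_referenced(records, "old-key")
    early = {k: v for k, v in vault.items() if k != "old-key"}  # premature deletion
    lost = unreadable(early, records)
    reencrypt(vault, records, "new-key")                # models status "Used"
    del vault["old-key"]                                # safe: nothing references it
    return pending, lost, unreadable(vault, records), decrypt(vault, records[4])
```

In this model, deleting the old key while the profile is still Applying leaves every not-yet-re-encrypted record unreadable, while deleting it after the status reaches Used loses nothing.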