Secure Your Data with Verbex
In a world of evolving digital threats, managing Data Sovereignty and Security is a major challenge for many businesses. Companies often struggle with Trust and Compliance, the Complexity of Key Management, and the High Costs of securing data across different regions. Verbex solves these problems with a powerful Multi-Tenant Envelope Encryption solution.Key Features
Envelope EncryptionA two-layered encryption system that keeps your data fast and secure. Bring Your Own Key and Bucket (BYOK)
Maintain full control by using your own encryption keys and storage buckets from AWS or GCP. Verbex-Managed Key and Bucket
For a simpler setup, Verbex handles key creation and storage automatically. Granular Access Control
Ensures strict data separation with precise control over user access. Provider Agnostic
Works seamlessly across cloud providers such as AWS and Google Cloud.
KMS & Storage Provider Management
This guide explains how to configure encryption key management and secure cloud storage for your organization. Verbex supports three main integration modes to balance ease of use with security compliance.Multi-Provider Support & Primary Provider Concept
- Multiple KMS and bucket providers can be configured per organization.
- Only one provider can be marked as the primary provider at a time.
- The primary provider is used for file uploads and data encryption.
- File downloads and decryption may occur from any configured provider.
Getting Started
- Log in to the Verbex Console.
- Navigate to Settings → KMS Encryption.
- Select your preferred provider type from the available options.
Option 1 – Verbex Managed (+Verbex: Fully Automatic)
Verbex automatically provisions a Google Cloud KMS key and a Google Cloud Storage bucket within the Verbex environment. This is a one-click setup where Verbex handles rotation, management, and storage.Best For
- Quick setup
- No existing cloud infrastructure
- Zero configuration
Prerequisites
- None. The process is fully automated.
Setup
Select +Verbex and enable the primary toggle if you want it as your primary provider.What Happens Automatically
- A KMS key ring is created using the format
{profile}-{organizationId}. - A symmetric AES-256-GCM crypto key is generated with a 365-day rotation policy.
- A secure storage bucket is created and linked to the KMS key.
- All stored data is encrypted at rest.
Limitations
- Only one Verbex-managed provider is allowed per organization.
- The KMS key and bucket are always created as a pair.
Option 2 – GCP BYOK (Bring Your Own Key)
This option registers an existing Google Cloud KMS key and Cloud Storage bucket from your own project. Verbex accesses these resources using cross-project IAM roles. No customer credentials are stored.Best For
- Organizations with strict security requirements
- Full ownership of encryption keys
- No credential sharing
Prerequisites
Before registration, you must:- Create a KMS key ring and crypto key in your GCP project.
- Create a Cloud Storage bucket in the same project and region.
- Configure the bucket to use your KMS key for encryption.
- Grant required encryption and viewing permissions.
- Grant Verbex service accounts access to the KMS key.
- Grant Verbex service accounts permission to upload, download, and list objects in the bucket.
Setup
Select +GCP, complete the required fields, and enable the primary toggle if desired.Option 3 – AWS BYOK (Bring Your Own Key)
This option registers an existing AWS KMS key and S3 bucket. It requires creating a dedicated IAM user and providing Verbex with access credentials.Best For
- Organizations primarily operating on AWS
- Centralized AWS security management
Prerequisites
In your AWS account, you must:- Create an AWS KMS key.
- Create an S3 bucket and configure default encryption.
- Create a dedicated IAM user.
- Assign policies for KMS usage and S3 access.
- Generate access credentials for the IAM user.