BYOK
With the BYOK (Bring Your Own Key) strategy, keys generated in the HSM can be securely transported to the key management services (KMS) of cloud providers. This functionality lets you keep control over your cryptographic keys while taking advantage of the cloud infrastructure.
HSM supports BYOK for the main cloud providers:
- Microsoft Azure Key Vault
- Amazon Web Services (AWS) KMS
The BYOK model improves security and compliance by allowing companies to keep full control over their sensitive data, even when using public cloud services. Compared to relying solely on the cloud provider's key management, BYOK offers greater flexibility, greater visibility over key usage and a stronger position against vendor lock-in and potential data breaches.
Benefits
- Greater control and security: organizations retain ownership and control over their cryptographic keys, ensuring that only they have access.
- Compliance: helps organizations meet regulatory requirements for data security and key management.
- Flexibility and agility: supports cloud adoption strategies in multi-cloud scenarios without sacrificing control or security.
- Reduced dependency: by controlling their own keys, organizations are less dependent on the infrastructure management of a particular cloud provider.
- Visibility: users gain complete visibility of how their keys are being used in the cloud environment.
General Operation
- Key generation: the organization creates its encryption master key locally, usually using the HSM for high security and compliance.
- Key transfer: this master key is securely transferred to the cloud provider's key management system (KMS).
- Data encryption: the cloud provider uses the organization's master key to protect the data encryption keys (DEKs), which are the keys that directly encrypt the data in the cloud.
- Key management: the organization retains ultimate control and ownership of the master key, allowing it to manage its lifecycle, including rotation, and to revoke access to its data if necessary.
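The Go program below is an added example, not part of this page or of the HSM product's own code, that models the four steps above end to end. The CloudKMS type, its RSA wrapping key pair and the method names are assumptions standing in for a provider's real import API, and the master key is random bytes standing in for material generated inside the HSM. The transfer step wraps the master key with RSA-OAEP using SHA-256 (the algorithm AWS KMS offers as RSAES_OAEP_SHA_256 for imported key material) and the data-encryption step wraps each DEK under the master key with AES-256-GCM, so the master key never encrypts data directly and never leaves the HSM in the clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func check(err error) { // the demo cannot continue without entropy or keys
	if err != nil {
		panic(err)
	}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// aead builds AES-256-GCM; every key here is 32 bytes, so construction cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, plaintext []byte) []byte { // nonce is prepended to the ciphertext
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

type CloudKMS struct { // toy model of the provider's KMS (an assumption, not a real API)
	wrapKey *rsa.PrivateKey // the provider's RSA wrapping key pair
	master  []byte          // imported key material; nil before import and after revocation
}

// ImportKeyMaterial is step 2 on the cloud side: unwrap the RSA-OAEP(SHA-256) blob.
func (k *CloudKMS) ImportKeyMaterial(wrapped []byte) (err error) {
	k.master, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, k.wrapKey, wrapped, nil)
	return err
}

// GenerateDataKey is step 3: a fresh DEK plus the same DEK wrapped under the master key.
func (k *CloudKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	if k.master == nil {
		return nil, nil, errors.New("key material not available")
	}
	dek := randomBytes(32)
	return dek, seal(k.master, dek), nil // only the wrapped copy is stored beside the data
}

// UnwrapDataKey recovers a stored DEK; it fails once the material is revoked.
func (k *CloudKMS) UnwrapDataKey(wrappedDEK []byte) ([]byte, error) {
	if k.master == nil {
		return nil, errors.New("key material not available")
	}
	return open(k.master, wrappedDEK)
}

// ByokRoundTrip runs steps 1 to 4; it returns the recovered data and whether revocation blocked access.
func ByokRoundTrip(data []byte) (recovered []byte, blockedAfterRevoke bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	kms := &CloudKMS{wrapKey: priv}
	// Steps 1 and 2, customer side: random bytes stand in for the HSM-generated master key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, randomBytes(32), nil)
	check(err)
	check(kms.ImportKeyMaterial(wrapped))
	dek, wrappedDEK, err := kms.GenerateDataKey()
	check(err)
	ciphertext := seal(dek, data) // the DEK, never the master key, encrypts the data
	dek2, err := kms.UnwrapDataKey(wrappedDEK) // normal decrypt path
	check(err)
	recovered, err = open(dek2, ciphertext)
	check(err)
	kms.master = nil // step 4: the customer revokes access by deleting the imported material
	_, revErr := kms.UnwrapDataKey(wrappedDEK) // must fail: no master key, no DEK
	return recovered, revErr != nil
}

func main() {
	out, blocked := ByokRoundTrip([]byte("constructed sample record"))
	fmt.Println(string(out), blocked)
}
```

The blockedAfterRevoke result is the property step 4 relies on: once the imported material is gone, every DEK wrapped under it is unrecoverable, so the data stays encrypted at rest but nobody, including the provider, can open it. Nonce handling and the length check in open are part of the envelope format, not of BYOK itself; a real provider's ciphertext blob has its own framing.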
Console operation
The BYOK operation in the HSM can be carried out via the administrative console.
See the topic Partition/Export for more details.