Cryptographic Security Platform Vault BYOK Overview
Many cloud service providers allow users to bring their own cryptographic key material to the provider's key management service. This is referred to as Bring Your Own Key (BYOK). With the Cryptographic Security Platform Vault BYOK functionality, you can use Cryptographic Security Platform Vault to manage BYOK for your cloud providers.
When an HSM is used with BYOK, keys are never stored as plaintext. In-memory keys are also encrypted (wrapped), except for software-protected keys in Azure. When a software-protected key has to be uploaded to Azure, Cryptographic Security Platform Vault unwraps it before upload. For all other keys, including hardware-protected keys on Azure, Cryptographic Security Platform Vault encrypts (wraps) them in the HSM, using the master key and the cloud provider's wrapping key, before uploading the wrapped keys to the cloud.
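The wrap-before-upload flow described above, as an added illustration that is not the product's own code: a toy HSM holds a master key, keeps CloudKey material only in wrapped form (AES-256-GCM stands in for the HSM's own key-wrap mechanism), and when a key must be uploaded, unwraps it inside the boundary and immediately re-wraps it to the cloud provider's RSA wrapping key with RSA-OAEP/SHA-256, so plaintext never crosses a function boundary. The type and function names (HSM, ImportCloudKey, ExportForCloud, cloudKeyLabel), the 256-bit master key and the 2048-bit provider key pair are assumptions of this example; each provider's import API dictates the wrapping algorithm it actually accepts, and the Azure software-protected exception on the page is precisely the path this example does not take.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HSM is an assumed toy stand-in for the hardware module (not the product's code);
// a real HSM never releases its master key, here it is a 256-bit AES key in memory.
type HSM struct{ masterKey []byte }

const cloudKeyLabel = "cloudkey-v1" // hypothetical associated-data label for wrapped blobs

func NewHSM() (*HSM, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &HSM{masterKey: k}, nil
}

func (h *HSM) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(h.masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero overwrites key bytes as soon as they are no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// ImportCloudKey wraps key material under the master key the moment it enters the HSM.
// The stored CloudKey is nonce||ciphertext and is never kept as plaintext.
func (h *HSM) ImportCloudKey(material []byte) ([]byte, error) {
	g, err := h.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, material, []byte(cloudKeyLabel)), nil
}

// ExportForCloud re-wraps a stored CloudKey for upload: the material is unwrapped under the
// master key only inside this function and re-encrypted at once to the provider's RSA key.
func (h *HSM) ExportForCloud(stored []byte, cloudWrappingKey *rsa.PublicKey) ([]byte, error) {
	g, err := h.aead()
	if err != nil {
		return nil, err
	}
	if len(stored) < g.NonceSize() {
		return nil, fmt.Errorf("stored CloudKey too short")
	}
	nonce, ct := stored[:g.NonceSize()], stored[g.NonceSize():]
	material, err := g.Open(nil, nonce, ct, []byte(cloudKeyLabel))
	if err != nil {
		return nil, fmt.Errorf("unwrap under master key failed: %w", err)
	}
	defer zero(material)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cloudWrappingKey, material, nil)
}

// DemoRoundTrip runs the flow for one CloudKey: import, export for the cloud, then the
// provider-side unwrap with the private half of the wrapping key that only the provider holds.
func DemoRoundTrip(material []byte) (bool, error) {
	hsm, err := NewHSM()
	if err != nil {
		return false, err
	}
	stored, err := hsm.ImportCloudKey(material)
	if err != nil {
		return false, err
	}
	cloudPriv, err := rsa.GenerateKey(rand.Reader, 2048) // provider's wrapping key pair
	if err != nil {
		return false, err
	}
	blob, err := hsm.ExportForCloud(stored, &cloudPriv.PublicKey)
	if err != nil {
		return false, err
	}
	recovered, err := rsa.DecryptOAEP(sha256.New(), nil, cloudPriv, blob, nil)
	if err != nil {
		return false, err
	}
	return bytes.Equal(recovered, material), nil
}
```

Call DemoRoundTrip with the key material to be uploaded; it returns true when the provider side recovers exactly that material from the OAEP blob. A CloudKey imported by one HSM cannot be exported through a second one, because the unwrap under the master key fails before any RSA wrapping takes place; that binding to the master key is what the "never stored as plaintext" statement above rests on.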
Supported BYOK integrations:
- AWS Key Management Service (KMS), see Configuring AWS for Cryptographic Security Platform Vault BYOK.
- Azure Key Vault, see Configuring Azure for Cryptographic Security Platform Vault BYOK.
- Google Cloud Platform (GCP), see Configuring GCP for Cryptographic Security Platform Vault BYOK.
- Oracle Cloud Infrastructure (OCI), see Configuring OCI for Cryptographic Security Platform Vault BYOK.
- Salesforce (SFDC), see Configuring SFDC for Cryptographic Security Platform Vault BYOK.
Terminology:
- CloudKeys
  CloudKeys are the representation of the CMK in Cryptographic Security Platform Vault, and are grouped in Key Sets. CloudKeys are version controlled and can be periodically rotated.
- Key Rings (GCP only)
  Keys in GCP are created in various key rings, which are tied to a single region or multi-region. Multi-regions must be defined by Google. Key rings are identified with the combination of key ring location and key ring name.
  Within a Key Set, CloudKeys are grouped in key rings. Every CloudKey has an associated key ring.
- Cloud Service Provider accounts
  These accounts are used to connect Cryptographic Security Platform Vault to your Cloud Service Provider. The permissions assigned to the service account determine which Customer Managed Keys (CMK) can be accessed. Cloud Service Provider accounts have a one to one relationship with the AWS BYOK service account, Azure service principal, or GCP service account, and are controlled by Cryptographic Security Platform Vault users with the Cloud Admin privilege.
- Customer Managed Key (CMK)
  - In AWS KMS, keys that can be managed by users. This includes native keys that are created in the KMS and BYOK keys that are created outside of the KMS and then are uploaded to the KMS.
  - In Azure Key Vaults, there is no distinction between keys created in Azure and keys uploaded from outside.
  - In GCP, keys that can be managed by users. The key material will be uploaded to GCP.
  In Cryptographic Security Platform Vault documentation, CMK refers to customer keys in AWS, Azure, or GCP.
- External Key Manager (EKM)
  GCP only. The key material will remain in Cryptographic Security Platform Vault.
- Key Sets
  Key Sets are the container for all CMKs that correspond to a specific Cloud Service Provider account.
- Service Account (AWS and GCP), Service Principal (Azure)
  - In AWS, you need to create a service user account to give Cryptographic Security Platform Vault access to your AWS account. The permissions assigned to the service account determine which CMK can be accessed.
  - In GCP, access to a role or user on a specific cloud service is provided using the service account's access key.
  - In Azure, you need to create a Service Principal Application to give Cryptographic Security Platform Vault access to your Azure account. The administrator needs to register this application through Azure Active Directory to provide access.
- Cache-Only Keys
  SFDC only. Material for cache-only keys is periodically retrieved from KeyControl by Salesforce and cached for a short duration. Encryption and decryption operations still happen within Salesforce, but the key material is not permanently present there.