KeyControl Vault BYOK Overview

Many cloud service providers, such as AWS and Azure, allow users to bring their own cryptographic key material to the key management service. This is referred to as Bring Your Own Key (BYOK). With the KeyControl Vault BYOK functionality, you can now use KeyControl Vault to manage BYOK for your cloud providers.

When an HSM is used with BYOK, keys are never stored as plaintext. In-memory keys are also encrypted (wrapped), except for software-protected keys in Azure. When a software-protected key has to be uploaded to Azure, KeyControl Vault unwraps it before upload. For other keys, including hardware-protected keys on Azure, when KeyControl Vault has to upload them to the cloud, it encrypts (wraps) them in the HSM using the master key and the cloud provider's wrapping key before uploading the wrapped keys to the cloud.
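The two-layer wrapping described above, as an added illustration that is not KeyControl Vault's own code: an AES-256-GCM wrap under an assumed master key stands in for the HSM, and the export step re-wraps the material under the CSP's RSA public wrapping key with RSA-OAEP/SHA-256, one of the wrapping options AWS KMS accepts for imported key material. The plaintext exists only inside `ExportToCSP` and is scrubbed on return; `NewCSPWrappingKey` is a stand-in for the key pair the cloud provider generates.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// newGCM: AES-256-GCM under the master key stands in for the HSM wrap (assumed here).
func newGCM(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MasterWrap stores CMK material at rest as nonce || ciphertext, never as plaintext.
func MasterWrap(master, keyMaterial []byte) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyMaterial, nil), nil
}

// NewCSPWrappingKey stands in for the CSP's RSA wrapping pair; a real KMS releases only the public half.
func NewCSPWrappingKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// ExportToCSP unwraps the at-rest blob in memory and re-wraps it under the CSP's
// wrapping key with RSA-OAEP/SHA-256 (AWS KMS's RSAES_OAEP_SHA_256 import option).
func ExportToCSP(master, blob []byte, cspPub *rsa.PublicKey) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err // tampered blob or wrong master key: refuse to export
	}
	defer func() { for i := range plain { plain[i] = 0 } }() // scrub the plaintext copy
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cspPub, plain, nil)
}
```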

Supported BYOK integrations:

Terminology:

  • CloudKeys

    CloudKeys are the representation of the CMK in KeyControl Vault, and are grouped in Key Sets. CloudKeys are version controlled and can be periodically rotated.

  • Cloud Service Provider (CSP) accounts

    These accounts are used to connect KeyControl Vault to your CSP, for example, AWS. The permissions assigned to the service account determine which Customer Managed Keys (CMKs) can be accessed. The CSP account has a one-to-one relationship with the AWS BYOK service account or Azure service principal, and is controlled by KeyControl Vault users with the Cloud Admin privilege.

  • Customer Managed Key (CMK)

    • In AWS KMS, keys that can be managed by users. This includes native keys that are created in the KMS and BYOK keys that are created outside the KMS and then uploaded to it.

    • In Azure Key Vaults, there is no distinction between keys created in Azure and keys uploaded from outside.

    In KeyControl Vault documentation, CMK refers to customer keys in AWS or Azure.

  • Key Sets

    Key Sets are the container for all CMKs that correspond to a specific CSP account.

  • Service Account (AWS), Service Principal (Azure)

    • In AWS, you need to create a Service User Account to give KeyControl Vault access to your AWS account. The permissions assigned to the service account determine which CMKs can be accessed.

    • In Azure, you need to create a Service Principal Application to give KeyControl Vault access to your Azure account. The administrator needs to register this application through Azure Active Directory to provide access.