KeyControl and AWS External Key Store (XKS) Overview

Entrust KeyControl Vault includes an External Key Store (XKS) Proxy. This feature allows the KeyControl Vault administrator to protect data within Amazon Web Services (AWS) with 256-bit AES keys that reside in KeyControl Vault. KeyControl Vault generates the keys, and the key material is stored in KeyControl Vault only; it is never exported to AWS.

This feature, also known as Hold Your Own Key (HYOK), allows customers to protect data within AWS using key material that is created and managed in their own data center. It also helps customers address compliance requirements such as data privacy regulations and digital data sovereignty.

Note that when configuring KeyControl Vault as an AWS XKS, it is the customer's responsibility to ensure the following, since AWS KMS depends on the external key store for every cryptographic operation on these keys:

  • Security, reliability and durability of the key material

  • Availability of cryptographic keys in the data center

  • Performance / latency of cryptographic actions in the data center

For more information about AWS XKS, see https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html.