KeyControl BYOK Overview

Many cloud service providers, such as AWS and Azure, allow users to bring their own cryptographic key material to the provider's key management service. This is referred to as Bring Your Own Key (BYOK). With the KeyControl BYOK functionality, you can use KeyControl to manage BYOK keys for your cloud providers.

Note: For version 5.4, only the AWS Key Management Service (KMS) is supported.

Terminology:

  • CMK

Customer Managed Keys. In AWS KMS, customer managed keys are the keys that users can manage themselves. This includes native keys, which are created inside the KMS, and BYOK keys, which are created outside the KMS and then uploaded to it.

  • Service Account

You need to create a service user account in AWS so that KeyControl can access your AWS account. The permissions assigned to this service account determine which CMKs KeyControl can access.

  • CSP Accounts

The Cloud Service Provider (CSP) accounts connect KeyControl to your CSP, for example, AWS. The permissions assigned to the service account determine which Customer Master Keys (CMK) can be accessed.

    A CSP account has a one-to-one relationship with the AWS BYOK service account, and is controlled by KeyControl users with the Cloud Admin privilege.

  • Key Sets

Key Sets are the containers for all CMKs that belong to a specific CSP account.

  • CloudKeys

CloudKeys are the representation of CMKs in KeyControl, and they are grouped in Key Sets. CloudKeys are version controlled and can be rotated periodically.
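The CMK definition above notes that BYOK keys are created outside the KMS and then uploaded. The following Go program, added here as an illustration and not part of KeyControl or of the AWS SDK, shows the cryptographic shape of that upload step for AWS KMS: raw 256-bit key material is generated locally and wrapped with the KMS wrapping public key using RSAES_OAEP_SHA_256, which is the form that the ImportKeyMaterial call accepts. The wrapping key pair generated in the program is a local stand-in; in the real flow the public key and an import token are returned by GetParametersForImport and the private half never leaves KMS, so the unwrap function exists only so the round trip can be checked offline. The function and variable names are the author's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// generateKeyMaterial produces the raw symmetric key that stays under the
// customer's control until it is uploaded. AWS KMS expects 256-bit (32-byte)
// key material for a symmetric encryption CMK.
func generateKeyMaterial() ([]byte, error) {
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	return material, nil
}

// wrapKeyMaterial encrypts the raw key material with the KMS wrapping public
// key using RSAES_OAEP_SHA_256 (RSA-OAEP with SHA-256 and no label). Only the
// holder of the matching private key, KMS, can unwrap the result, so the
// plaintext key never travels over the wire.
func wrapKeyMaterial(wrappingKey *rsa.PublicKey, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be exactly 32 bytes")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingKey, material, nil)
}

// unwrapKeyMaterial stands in for the step KMS performs internally after
// ImportKeyMaterial. It is here only so the round trip can be verified locally.
func unwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// roundTrip generates key material, wraps it with a locally generated
// stand-in for the KMS wrapping key (assumption: in reality the public key
// comes from GetParametersForImport), unwraps it, and reports whether the
// recovered material matches the original.
func roundTrip() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	material, err := generateKeyMaterial()
	if err != nil {
		return false, err
	}
	wrapped, err := wrapKeyMaterial(&priv.PublicKey, material)
	if err != nil {
		return false, err
	}
	// The wrapped blob is what would be passed to ImportKeyMaterial together
	// with the import token; it is the same size as the RSA modulus.
	if len(wrapped) != priv.Size() {
		return false, errors.New("unexpected wrapped blob size")
	}
	recovered, err := unwrapKeyMaterial(priv, wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(recovered, material), nil
}

func main() {
	ok, err := roundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("wrapped key material round trip succeeded:", ok)
}
```

The length check in wrapKeyMaterial matters in practice: KMS rejects material of the wrong size, and catching it before the RSA step avoids uploading a blob that can never be imported. The raw material should be generated and wrapped on a system you control (an HSM or a key manager such as KeyControl) and discarded from memory once the wrapped form has been sent.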