KeyControl BYOK Overview
Many cloud service providers allow users to bring their own cryptographic key material to the provider's key management service. This is referred to as Bring Your Own Key (BYOK). With the KeyControl BYOK functionality, you can use KeyControl to manage BYOK for your cloud providers.
When an HSM is used with BYOK, keys are never stored as plaintext. In-memory keys are also encrypted (wrapped), except for software-protected keys in Azure. When a software-protected key has to be uploaded to Azure, KeyControl unwraps it before upload. For other keys, including hardware-protected keys on Azure, when KeyControl has to upload them to the cloud, it encrypts (wraps) them in the HSM using the master key and the cloud provider's wrapping key before uploading the wrapped keys to the cloud.
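The following is an added illustration of the wrapping flow described above, written for this page and not taken from KeyControl. It models the HSM master key as an AES-256-GCM key and the cloud provider's wrapping key as an RSA public key used with OAEP/SHA-256; both choices are assumptions, as are the function names, and the `cryptography` package is required.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Stand-in for the HSM master key (assumption: modelled as AES-256-GCM).
MASTER_KEY = AESGCM.generate_key(bit_length=256)
# Assumption: the CSP wrapping key is RSA, used with OAEP/SHA-256.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def create_cloudkey(key_id: bytes) -> bytes:
    """Generate CMK material and return it wrapped under the master key (plaintext never leaves)."""
    material = os.urandom(32)
    nonce = os.urandom(12)
    return nonce + AESGCM(MASTER_KEY).encrypt(nonce, material, key_id)


def _unwrap_in_hsm(wrapped: bytes, key_id: bytes) -> bytes:
    """Unwrap under the master key; in KeyControl this step happens inside the HSM."""
    return AESGCM(MASTER_KEY).decrypt(wrapped[:12], wrapped[12:], key_id)


def prepare_hardware_protected_upload(wrapped: bytes, key_id: bytes,
                                      csp_wrapping_key: rsa.RSAPublicKey) -> bytes:
    """Hardware-protected path: unwrap, then re-wrap under the CSP wrapping key before upload."""
    return csp_wrapping_key.encrypt(_unwrap_in_hsm(wrapped, key_id), OAEP)


def prepare_software_protected_azure_upload(wrapped: bytes, key_id: bytes) -> bytes:
    """Azure software-protected exception: the key is unwrapped before upload."""
    return _unwrap_in_hsm(wrapped, key_id)


def csp_side_unwrap(blob: bytes, csp_private_key: rsa.RSAPrivateKey) -> bytes:
    """What the cloud KMS does on import (modelled here only to check the round trip)."""
    return csp_private_key.decrypt(blob, OAEP)


def demo() -> bool:
    """Round-trip one CloudKey; True when the cloud recovers the same material."""
    key_id = b"cloudkey:example-1"  # constructed identifier, bound into the wrap as AAD
    csp_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrapped = create_cloudkey(key_id)
    blob = prepare_hardware_protected_upload(wrapped, key_id, csp_priv.public_key())
    plaintext = prepare_software_protected_azure_upload(wrapped, key_id)
    # The uploaded blob must not contain the raw material, yet the CSP must recover it.
    return plaintext not in blob and csp_side_unwrap(blob, csp_priv) == plaintext
```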
Supported BYOK integrations:
- AWS Key Management Service (KMS), see Configuring AWS for KeyControl BYOK.
- Azure Key Vault, see Configuring Azure for KeyControl BYOK.
- Google Cloud Platform (GCP), see Configuring GCP for KeyControl BYOK.
- Oracle Cloud Infrastructure (OCI), see Configuring OCI for KeyControl BYOK.
Terminology:
- CloudKeys: CloudKeys are the representation of the CMK in KeyControl and are grouped in Key Sets. CloudKeys are version controlled and can be rotated periodically.
- Key Rings (GCP only): Keys in GCP are created in key rings, each tied to a single region or to a multi-region. Multi-regions are defined by Google. A key ring is identified by the combination of its location and its name. Within a Key Set, CloudKeys are grouped in key rings, and every CloudKey has an associated key ring.
- Cloud Service Provider (CSP) accounts: These accounts connect KeyControl to your CSP, for example AWS or GCP. The permissions assigned to the service account determine which Customer Managed Keys (CMKs) can be accessed. CSP accounts have a one-to-one relationship with the AWS BYOK service account, Azure service principal, or GCP service account, and are controlled by KeyControl users with the Cloud Admin privilege.
- Customer Managed Key (CMK):
  - In AWS KMS, keys that can be managed by users. This includes native keys created in KMS and BYOK keys created outside KMS and then uploaded to it.
  - In Azure Key Vault, there is no distinction between keys created in Azure and keys uploaded from outside.
  - In GCP, keys that can be managed by users. The key material is uploaded to GCP.
  In KeyControl documentation, CMK refers to customer keys in AWS, Azure, or GCP.
- External Key Manager (EKM): GCP only. The key material remains in KeyControl.
- Key Sets: Key Sets are the container for all CMKs that correspond to a specific CSP account.
- Service Account (AWS and GCP), Service Principal (Azure):
  - In AWS, you need to create a service user account to give KeyControl access to your AWS account. The permissions assigned to the service account determine which CMKs can be accessed.
  - In GCP, access to a role or user on a specific cloud service is provided using the service account's access key.
  - In Azure, you need to create a Service Principal application to give KeyControl access to your Azure account. An administrator needs to register this application through Azure Active Directory to provide access.