Vol. 1 · Ed. 2026
CyberGlossary
Entry № 142

Bring Your Own Key (BYOK)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Bring Your Own Key (BYOK)?

Bring Your Own Key (BYOK): A key-management model where the customer generates or imports its own encryption keys into the cloud provider's KMS instead of relying on provider-generated keys.


BYOK lets the customer control the lifecycle of the master keys used to protect data in a cloud service, while the cloud provider still stores and operates them inside its KMS or HSM. Keys are typically generated on-premises in a customer HSM and then securely wrapped and imported into the cloud. The customer can rotate, disable, or schedule deletion of the key material, which gives a much stronger audit trail and a faster path to revoke provider access. BYOK does not by itself prevent a cloud provider from using the keys, since they still reside in its infrastructure — that requires HYOK or external key stores. Common implementations include AWS KMS imported key material, Azure Key Vault BYOK, and Google Cloud EKM.
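The wrap-and-import step described above, simulated locally with OpenSSL as an added example (not from the original entry or from any provider's tooling). The file names, the 3072-bit RSA wrapping key and RSA-OAEP with SHA-256 are assumptions of this example; a real provider dictates its own wrapping parameters.

```shell
#!/usr/bin/env bash
# BYOK wrap-and-import simulated locally with OpenSSL (constructed demo).
# Both roles run on one machine here; in a real import the provider's private
# wrapping key stays inside its KMS/HSM and only the public half is downloaded.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Intentionally expanded unquoted below so each option becomes its own argument.
OAEP="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"

# Provider: create the per-import RSA wrapping key pair and publish the public key.
provider_publish_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORK/provider_priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/provider_priv.pem" -pubout -out "$WORK/wrap_pub.pem"
}

# Customer: generate 256-bit key material (stand-in for the on-premises HSM)
# and wrap it under the provider's public key with RSA-OAEP/SHA-256.
customer_generate_and_wrap() {
  openssl rand -out "$WORK/customer_key.bin" 32
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/wrap_pub.pem" $OAEP \
    -in "$WORK/customer_key.bin" -out "$WORK/wrapped.bin"
}

# Provider: unwrap the uploaded blob with the private key in $1, writing to $2.
provider_import() {
  openssl pkeyutl -decrypt -inkey "$1" $OAEP \
    -in "$WORK/wrapped.bin" -out "$2" 2>/dev/null
}

# True when the provider's imported copy is byte-identical to the customer's key.
provider_holds_plaintext_key() {
  cmp -s "$WORK/customer_key.bin" "$WORK/provider_copy.bin"
}

provider_publish_wrapping_key
customer_generate_and_wrap
provider_import "$WORK/provider_priv.pem" "$WORK/provider_copy.bin"
provider_holds_plaintext_key && echo "import ok: provider now holds the customer's key material"

# A party without the wrapping private key cannot unwrap the blob in transit.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$WORK/other_priv.pem" 2>/dev/null
if provider_import "$WORK/other_priv.pem" "$WORK/other_copy.bin"; then
  echo "unexpected: blob unwrapped with the wrong key"
else
  echo "wrong key rejected: wrapped blob is opaque in transit"
fi
```

The successful comparison is the point the entry makes about BYOK: wrapping protects the key only on its way in, and after import the provider's side holds the same key material the customer generated.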

Examples

  1. Importing key material into AWS KMS from an on-premises HSM.

  2. Azure Key Vault BYOK using a FIPS 140-2 HSM for the wrapping ceremony.

Frequently asked questions

What is Bring Your Own Key (BYOK)?

A key-management model where the customer generates or imports its own encryption keys into the cloud provider's KMS instead of relying on provider-generated keys. It belongs to the Cloud Security category of cybersecurity.

What does Bring Your Own Key (BYOK) mean?

A key-management model where the customer generates or imports its own encryption keys into the cloud provider's KMS instead of relying on provider-generated keys.

How do you defend against Bring Your Own Key (BYOK)?

Defences for Bring Your Own Key (BYOK) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Bring Your Own Key (BYOK)?

Common alternative names include: BYOK, Customer-supplied keys.
