
Bring your own key (BYOK) is an innovative concept that was initially pioneered by Entrust and Microsoft to enable public cloud users to maintain control of the cryptographic keys used in the cloud to keep their data secured. As the adoption of public cloud services has exploded, BYOK has come to be supported across all major cloud services. BYOK enables public cloud users to generate their own high-quality master key locally on-premises, and securely transfer the key to their cloud service provider (CSP) to protect their data across multi-cloud deployments. To generate and manage high-quality keys, BYOK uses FIPS and Common Criteria certified hardware security modules (HSMs) that the cloud user maintains on-premises, or leases as a service. Entrust offers nShield HSMs and nShield as a Service to support BYOK.

BYOK enables organizations migrating to the cloud to achieve:

  • Flexibility, convenience, and cost-effectiveness
  • Strong control of sensitive data and applications
  • Full visibility over use of your keys in the cloud
  • Highest level of data security, integrity, and trust

What is the role of BYOK?

BYOK provides users of public cloud services with the ability to generate cryptographic keys in their own environment and retain control of those keys while making them available, as required, for use in the cloud of their choice.

How does BYOK work?

CSPs protect their clients’ data in the cloud using robust encryption. The cryptographic key that encrypts the data (the tenant key) underpins the security of the cloud storage. The master key generated by the cloud user using BYOK essentially creates a locked box to protect the tenants’ keys in the CSP’s data centers. This gives the cloud user control over its tenant key, ensuring it is only used for its authorized purpose, and ultimately protecting the security of the data in the cloud.

What are examples of CSPs supporting BYOK?

Leading CSPs including Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure, and Salesforce all support BYOK enabled by the Entrust high assurance Cloud Integration Option Pack solution.

How is BYOK different from Hold Your Own Key (HYOK)?

Hold Your Own Key (HYOK) is an option offered by Microsoft to manage cloud users’ most sensitive data within their own security perimeter using Entrust HSMs. Microsoft is replacing HYOK with Double Key Encryption (DKE), a new solution also supported by Entrust that enables cloud users to use hybrid environments with added levels of protection, control, and assurance.

Does Entrust offer other BYOK solutions?

Entrust KeyControl (formerly HyTrust) is a universal key management system for encrypted workloads that enables cloud users to automate and extend control of their cryptographic keys across public clouds. KeyControl supports BYOK and native Amazon Web Services (AWS) keys to enable full control of master keys. Planned support across multiple public cloud services will ensure keys are always secured as cloud users extend their cloud adoption strategies.

Why do we need BYOK?

The security of encrypted data is only as good as the protection given to the encryption keys. BYOK gives cloud users the control and assurance they need, whether they deploy with a single cloud service provider or pursue a hybrid or multi-cloud strategy. BYOK and the use of HSMs enable cloud users to avoid the difficulties associated with vendor lock-in, which can make it challenging to migrate from one CSP to another. HSMs are specifically designed to stop a hacker from finding your critical cryptographic keys by placing them in a tamper-resistant location, not in software. As organizations seek to fully migrate to the cloud with confidence, BYOK can be deployed using nShield as a Service with no capital expense and the same level of security and assurance as an on-premises solution.