Guide to Customer-Managed Encryption Keys (BYOK/HYOK)
Understanding customer-managed encryption keys, including BYOK and HYOK models, for data protection compliance.
What Are Customer-Managed Encryption Keys?
Customer-managed encryption keys (CMEK) give organizations control over the cryptographic keys used to encrypt their data in cloud and SaaS environments. Instead of relying solely on your provider's key management, you generate, manage, and control access to the keys yourself.
This control has significant implications for compliance, security, and data sovereignty. When you hold the keys, you hold the ability to render your data inaccessible -- even to the hosting provider.
Key Management Models Explained
Provider-Managed Keys (Default)
The cloud or SaaS provider generates, stores, and manages encryption keys on your behalf. You do not have direct access to or control over the keys.
Pros: Simple, no operational overhead Cons: Provider has theoretical access to decrypt your data; limited audit visibility into key operations
Bring Your Own Key (BYOK)
You generate encryption keys in your own environment and import them into the provider's key management system. The provider then uses your keys to encrypt and decrypt data.
Pros: You control key generation and can enforce key rotation policies Cons: Once imported, the keys reside in the provider's infrastructure; provider still performs encryption operations
Hold Your Own Key (HYOK)
You maintain encryption keys entirely within your own infrastructure (typically in an on-premises HSM or a separate cloud KMS). The provider must request key access from your system for each encryption or decryption operation.
Pros: Maximum control; provider never stores your keys; you can revoke access instantly Cons: Higher latency; more complex architecture; availability depends on your key infrastructure
Customer-Managed Keys (CMEK)
A broader term that typically refers to keys managed within the cloud provider's KMS but under the customer's control. You create keys, define access policies, set rotation schedules, and maintain audit logs -- all within the provider's key management service.
Pros: Strong control with provider-grade availability; rich audit logging Cons: Keys still reside within the provider's infrastructure
Comparing the Models
| Feature | Provider-Managed | BYOK | HYOK | CMEK |
|---|---|---|---|---|
| Key generation | Provider | Customer | Customer | Customer (in provider KMS) |
| Key storage | Provider | Provider (after import) | Customer | Provider KMS (customer-controlled) |
| Key access control | Provider | Shared | Customer | Customer |
| Revocation speed | Depends on provider | Moderate | Immediate | Moderate |
| Operational complexity | Low | Moderate | High | Moderate |
| Provider access to keys | Yes | Potentially | No | Potentially |
| Performance impact | None | Minimal | Noticeable | Minimal |
Why CMEK Matters for Compliance
GDPR and Data Sovereignty
GDPR Article 32 requires appropriate technical measures to protect personal data. Customer-managed keys provide a stronger posture than provider-managed keys because:
- You can demonstrate independent control over data protection to regulators
- You can revoke a provider's ability to decrypt your data if the relationship ends or a security concern arises
- In combination with data residency controls, CMEK helps ensure that data remains practically inaccessible outside your authorized infrastructure
Schrems II and International Transfers
For organizations transferring data to countries without EU adequacy decisions, CMEK can serve as a supplementary measure. If the encryption keys remain under the data exporter's control in the EU, the data stored in a non-adequate country may be considered protected even if local authorities compel the provider to surrender the encrypted data -- because the keys are not available to them.
Industry Regulations
- PCI DSS: Requires documented key management procedures and separation of duties for cryptographic keys
- HIPAA: Requires access controls on encryption keys as part of ePHI protection
- Financial services regulations: Many financial regulators require customer control over encryption keys for cloud-hosted data
Implementing CMEK: Practical Steps
Step 1: Assess Your Requirements
Determine which data requires customer-managed keys:
- All personal data subject to GDPR
- Payment card data subject to PCI DSS
- Health data subject to HIPAA
- Data subject to cross-border transfer restrictions
- Sensitive intellectual property or trade secrets
Not all data may warrant the additional complexity of CMEK. Focus on data where regulatory or business requirements demand enhanced control.
Step 2: Choose Your Key Management Approach
Select the model that balances your control requirements with operational feasibility:
- BYOK: When you need to prove key provenance and control generation, but can accept provider-side storage
- HYOK: When you need maximum control and cannot allow the provider to store keys under any circumstances
- CMEK in provider KMS: When you need strong control with provider-grade availability and minimal operational overhead
Step 3: Set Up Key Infrastructure
For BYOK and HYOK, you need your own key management infrastructure:
- Hardware Security Modules (HSMs): Dedicated hardware for key generation and storage (AWS CloudHSM, Azure Dedicated HSM, on-premises HSMs)
- Key Management Services: Cloud-based KMS for CMEK (AWS KMS, Azure Key Vault, Google Cloud KMS)
- Key management software: For on-premises key lifecycle management
Step 4: Define Key Policies
Establish policies covering:
- Key generation: Algorithms (AES-256 minimum), key sizes, entropy sources
- Key rotation: How frequently keys are rotated (annually at minimum; quarterly for high-sensitivity data)
- Key access: Who can create, use, rotate, and delete keys (enforce separation of duties)
- Key backup: How keys are backed up and recovered (critical -- lost keys mean lost data)
- Key destruction: Secure procedures for destroying keys at end of life
Step 5: Integrate with Your Cloud Provider
Configure your cloud services to use customer-managed keys:
- Storage services (S3, Azure Blob, GCS) -- configure default encryption with CMEK
- Database services (RDS, Azure SQL, Cloud SQL) -- enable CMEK for database encryption
- Compute services -- encrypt boot and data volumes with CMEK
- Logging and analytics services -- ensure logs are encrypted with CMEK
Step 6: Implement Monitoring and Auditing
- Enable logging for all key operations (creation, use, rotation, deletion)
- Set up alerts for unauthorized key access attempts
- Monitor key usage patterns for anomalies
- Review key access logs regularly as part of your security audit program
Common Pitfalls
- Losing keys: If you lose your encryption keys and have no backup, your data is permanently inaccessible. Key backup and recovery procedures are essential.
- Over-complicating the architecture: Start with CMEK in provider KMS before graduating to HYOK. The simpler model provides strong control without the operational complexity.
- Ignoring key rotation: Static keys accumulate risk over time. Automate rotation wherever possible.
- Not testing key revocation: Verify that revoking a key actually renders data inaccessible. Test this in a non-production environment.
- Neglecting performance testing: HYOK introduces latency for every encryption operation. Test under realistic load conditions.
How GlobalDataShield Supports Key Management
GlobalDataShield combines customer-managed encryption with region-specific data hosting, ensuring that both the data and the control over its encryption remain within your defined jurisdictional boundaries. This dual-layer approach addresses both the physical location and the cryptographic access requirements that modern data protection regulations demand.
Ready to Solve Data Residency?
Get started with GlobalDataShield - compliant document hosting, ready when you are.