Cryptomathic AWS BYOK Service

Here you can find answers to some of the frequently asked questions, guides and terms of use for the Cryptomathic AWS BYOK Service.


Frequently Asked Questions


What is BYOK?

Cryptomathic's AWS Bring Your Own Key (BYOK) is a SaaS solution developed by Cryptomathic that lets you take control and ownership of the generation and maintenance of AWS KMS keys instead of relying on AWS to control the keys.

Why do you need BYOK?

Many AWS clients are uncomfortable with leaving their encryption keys in the hands of AWS and trusting AWS with them. For security and control purposes, Cryptomathic generates keys in hosted HSMs which are under our full logical control. These keys are used directly in AWS KMS as customer-managed keys. Cryptomathic offers better and faster communication and support than AWS.

Who needs BYOK?

Many organizations want to improve their compliance profile with regard to privacy and security frameworks where encryption and a degree of self-control are required. Examples include GDPR, HIPAA, PCI-DSS and others. With the Cryptomathic BYOK as a Service solution, companies can demonstrate compliance by downloading reports on the system and by documenting which keys were generated, when they were pushed and when any changes happened.

What is the benefit of using BYOK?

Our AWS BYOK Service frees you from the hassle of having to procure, setup, manage, patch and maintain your own key-generation and management infrastructure, which is resource-intensive and requires specialist know-how.

What do I need to get started with Cryptomathic BYOK for AWS?

A Cryptomathic AWS BYOK account, an AWS account, and an administrator having access to it.

What happens to my Cryptomathic BYOK keys if I change my keys directly in AWS KMS?

If key material generated and handled by the Cryptomathic AWS BYOK service is modified directly in AWS KMS, the state in AWS KMS can become out of synchronization with the state held in the BYOK service, which may lead to misunderstandings and misinterpretations. Therefore it is not recommended to change Cryptomathic AWS BYOK related keys directly in AWS KMS.

Can I export key material from the Cryptomathic BYOK service?


Which type of keys can be created?

The only key type supported in AWS BYOK is symmetric encryption KMS keys (AES-256-GCM).

What is the system's availability?

Cryptomathic strives to maintain 99.6% uptime for the Service.

Note that the Cryptomathic BYOK service is only needed for the process of key material generation and upload.

Can I invite others to join my account?

Yes. You can grant access to others via the "Team members" tab on the "Account Settings" page.

What will I pay if I close my account?

There is no extra cost when you close your account.

Already paid invoices will not be refunded.

What happens to my personal data if I close my account?

Cryptomathic has strict legal rules for handling personal data. Read our Terms and Conditions here: 

Which AWS regions are supported?

Cryptomathic's AWS BYOK service supports all regions in the standard AWS partition. AWS GovCloud and AWS China are separate AWS partitions and are not currently supported. Therefore the following regions are not supported:

  • GovCloud (US-East)
  • GovCloud (US-West)
  • Mainland China (Beijing)
  • Mainland China (Ningxia)

A map of current and coming AWS regions can be found here:


What happens to my keys if I close my account, or my account expires?

The service's internal key-management records will be deleted. However, keys residing in AWS KMS will be unaffected.

Does AWS BYOK service support multi-region keys?

No. The AWS BYOK service does not support multi-region keys.

Will I get notified before automatic key renewal?

Yes. You will receive a notification email.

What happens if my key expires in AWS KMS?

Nothing except for the normal key expiry consequences in AWS. This event typically indicates that the key is no longer maintained by the BYOK service.

Is a key store in the AWS BYOK service the same as an AWS Custom Key Store?

No. A key store in the AWS BYOK service is simply a collection of keys. An AWS Custom Key Store is a collection of keys stored and used inside AWS CloudHSM.

Why can a keystore not be deleted?

Some keys in the keystore are not in state DELETED. Deleting a keystore requires that all keys are in DELETED state.

Key Renewal

What happens when a key is renewed in the BYOK system?

The Cryptomathic BYOK service creates a new BYOK key with new key material, and uploads that to your AWS KMS.

The KMS alias that pointed to the original KMS key is redirected to point to the new KMS key. The original KMS key remains in place and remains enabled.

This approach follows the manual key rotation described here: 

How do I undo a key renewal?

If the user needs to undo the renewal, they can log into the AWS web console, go to KMS and redirect the alias to point back to the old KMS key.
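The two situations above (an alias changed directly in KMS so that it no longer matches the BYOK service's view, and undoing a renewal by repointing the alias) can be checked and handled with the AWS SDK. The following is an added example, not Cryptomathic's code; it assumes the BYOK-side record of "alias -> current key" is available as a dict (constructed inline here with hypothetical key ids), and it needs boto3 only for the two live calls.

```python
# Added example (not Cryptomathic's code): compare the BYOK-side record of
# which KMS key each alias should point at with what KMS actually reports,
# and undo a renewal by repointing the alias. boto3 is needed only for live calls.
from typing import Dict, Iterable, List


def key_id_of(ref: str) -> str:
    """Normalise a key id or key ARN ('arn:aws:kms:...:key/<id>') to the bare id."""
    return ref.rsplit("/", 1)[-1]


def find_alias_drift(aliases: Iterable[dict], expected: Dict[str, str]) -> List[str]:
    """`aliases` is the 'Aliases' list from kms.list_aliases(); `expected` is the
    BYOK record {alias name: key id}. Returns findings, empty when KMS agrees."""
    seen = {a["AliasName"]: key_id_of(a.get("TargetKeyId", "")) for a in aliases}
    findings: List[str] = []
    for alias, key in expected.items():
        actual = seen.get(alias)
        if actual is None:
            findings.append(f"{alias}: alias missing in KMS")
        elif actual != key_id_of(key):
            findings.append(f"{alias}: points to {actual}, BYOK record says {key_id_of(key)}")
    return findings


def live_aliases(region: str) -> List[dict]:
    """Fetch every alias in a region (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline check above needs no AWS SDK
    kms = boto3.client("kms", region_name=region)
    return [a for page in kms.get_paginator("list_aliases").paginate() for a in page["Aliases"]]


def rollback_renewal(region: str, alias_name: str, old_key_id: str) -> None:
    """Undo a renewal: repoint the alias at the previous KMS key, which renewal left enabled."""
    import boto3
    boto3.client("kms", region_name=region).update_alias(AliasName=alias_name, TargetKeyId=old_key_id)


# Constructed sample (hypothetical ids): the record says alias/payroll was renewed to key
# bbbb..., but the alias was repointed in the KMS console; alias/archive was deleted in KMS.
SAMPLE_EXPECTED = {"alias/payroll": "bbbbbbbb-0000-4000-8000-000000000002",
                   "alias/archive": "cccccccc-0000-4000-8000-000000000003"}
SAMPLE_ALIASES = [{"AliasName": "alias/payroll",
                   "TargetKeyId": "aaaaaaaa-0000-4000-8000-000000000001"},
                  {"AliasName": "alias/aws/s3"}]  # AWS-managed alias without a target yet

if __name__ == "__main__":
    for finding in find_alias_drift(SAMPLE_ALIASES, SAMPLE_EXPECTED):
        print(finding)
```

Running the drift check on `live_aliases(region)` on a schedule gives an early signal that someone edited a BYOK-managed alias in the console, which is the situation the FAQ warns about.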

How does BYOK key renewal impact other AWS services such as S3, AWS DynamoDB, etc.?

An application using the alias to reference the key will work without changes for:

  • S3 Encryption Client SDK
  • DynamoDB Encryption Client SDK
  • AWS Encryption SDK


What happens if I cancel my subscription?

After canceling your subscription, you still have access to the Cryptomathic BYOK service until the end of your billing cycle.

Once your subscription has expired, you lose access to the Cryptomathic BYOK service.

After the expiry of my subscription, what happens to the key material?

Even after subscription expiry, the BYOK key material will stay on AWS KMS.


How are keys generated and secured?

Keys are generated inside HSMs solely under the logical control of Cryptomathic. The HSMs are certified according to FIPS 140-2 Level 3.

How are keys protected when at rest?

Keys at rest are encrypted under an HSM-protected key-encryption key (KEK).

How is access to Cryptomathic BYOK for AWS secured?

Access is controlled by AWS Cognito. Login typically involves two-factor authentication using the OAuth 2.0 Authorization Code grant.


What happens if the AWS KMS has a power outage?

In case of the keys in AWS KMS being lost, you can use the Cryptomathic BYOK service to re-upload the key material to AWS KMS.



Here you can find the manuals for the Cryptomathic AWS BYOK Service:



Video workflow guides

  • How to create a key store - part 1
  • How to create a key store - part 2
  • How to create a key
  • How to renew a key
  • How to delete a key
  • How to export a key
  • How to re-upload a key
  • How to activate and deactivate a key
  • How to manage team members

