Cryptomathic AWS BYOK Service
Helpcenter

Here you can find answers to some of the frequently asked questions, guides and terms of use for the Cryptomathic AWS BYOK Service.

Frequently Asked Questions

General

What is BYOK?

Cryptomathic's AWS Bring Your Own Key (BYOK) is a SaaS solution developed by Cryptomathic that lets you take control and ownership of the generation and maintenance of your AWS KMS keys instead of relying on AWS to control the keys.

Why do you need BYOK?

Many AWS clients are uncomfortable with leaving their encryption keys in the hands of AWS and having to trust AWS with them. For security and control purposes, Cryptomathic generates keys in hosted HSMs that are under our full logical control. These keys are then used directly in AWS KMS as customer-managed keys. Cryptomathic offers better and faster communication and support than AWS.

Who needs BYOK?

Many organizations want to improve their compliance profile with regard to privacy and security frameworks that require encryption and a degree of self-control over keys. Examples include GDPR, HIPAA, PCI-DSS and others. With the Cryptomathic BYOK as a Service solution, companies can demonstrate compliance by downloading reports from the system that document which keys were generated, when they were pushed to AWS and when any changes happened.

What is the benefit of using BYOK?

Our AWS BYOK Service frees you from the hassle of having to procure, setup, manage, patch and maintain your own key-generation and management infrastructure, which is resource-intensive and requires specialist know-how.

What do I need to get started with Cryptomathic BYOK for AWS?

A Cryptomathic AWS BYOK account, an AWS account, and an administrator having access to it.

What happens to my Cryptomathic BYOK keys if I change my keys directly in AWS KMS?

If key material generated and handled by the Cryptomathic AWS BYOK service is modified directly in AWS KMS, the key can fall out of synchronization with the state recorded by the BYOK service, which may lead to misunderstandings or misinterpretations of which key material is in use. Therefore, changing Cryptomathic AWS BYOK related keys directly in AWS KMS is not recommended.

Can I export key material from the Cryptomathic BYOK service?

Yes.

Which type of keys can be created?

The only key type supported in AWS BYOK is symmetric encryption KMS keys (AES-256-GCM).

What is the system's availability?

Cryptomathic strives to secure a 99.6% uptime for the Service.

Note that the Cryptomathic BYOK service is only needed for generating and uploading key material; it is not involved in the cryptographic operations that AWS KMS performs with the uploaded keys.

Can I invite others to join my account?

Yes. You can grant access to others via the "Team members" tab on the "Account Settings" page.

What will I pay if I close my account?

There is no extra cost when you close your account.

Already paid invoices will not be refunded.

What happens to my personal data if I close my account?

Cryptomathic has strict legal rules for handling personal data. Read our Terms and Conditions here: https://www.cryptomathic.com/creditsandprivacy

Which AWS regions are supported?

Cryptomathic's AWS BYOK service supports all regions in the standard AWS partition. AWS GovCloud and AWS China are separate AWS partitions and are not currently supported. Therefore the following regions are not supported:

  • GovCloud (US-East)
  • GovCloud (US-West)
  • Mainland China (Beijing)
  • Mainland China (Ningxia)

A map of current and coming AWS regions can be found here: https://aws.amazon.com/about-aws/global-infrastructure/regions_az/

BYOK

What happens to my keys if I close my account, or my account expires?

The keys managed internally by the service will be deleted. However, keys residing in AWS KMS will be unaffected.

Does AWS BYOK service support multi-region keys?

No. The AWS BYOK service does not support multi-region keys.

Will I get notified before automatic key renewal?

Yes. You will receive a notification email.

What happens if my key expires in AWS KMS?

Nothing except for the normal key expiry consequences in AWS. This event typically indicates that the key is no longer maintained by the BYOK service.

Is a key store in the AWS BYOK service the same as an AWS Custom Key Store?

No. A key store in the AWS BYOK service is simply a collection of keys managed by the service. An AWS custom key store is a collection of KMS keys whose key material is stored and used inside AWS CloudHSM.

Why can a key store not be deleted?

Some keys in the key store are not in the DELETED state. Deleting a key store requires that all of its keys are in the DELETED state.

Key Renewal

What happens when a key is renewed in the BYOK system?

The Cryptomathic BYOK service creates a new BYOK key with new key material, and uploads that to your AWS KMS.

The KMS alias that pointed to the original KMS key is redirected to point to the new KMS key. The original KMS key remains in place and remains enabled.

This approach follows the manual key rotation described here:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually

How do I undo a key renewal?

If the user needs to undo the renewal, they can log into their AWS web console, go to KMS and redirect the alias so that it points to the old KMS key again.
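The renewal and undo steps above come down to retargeting a KMS alias. The following is an added example, not Cryptomathic's or AWS's own code: it checks which key an alias currently targets, verifies that the previous key is still enabled and its imported material has not expired, and only then points the alias back. The `kms` argument is assumed to expose the boto3 KMS client methods `list_aliases`, `describe_key` and `update_alias` (pass `boto3.client("kms")` in practice); the alias name and key ids in `FakeKms` are constructed for offline use.

```python
from datetime import datetime, timezone

def alias_target(kms, alias_name):
    """Return the key id a KMS alias currently points to, or None if the alias does not exist."""
    marker = None
    while True:
        page = kms.list_aliases(**({"Marker": marker} if marker else {}))
        for alias in page.get("Aliases", []):
            if alias["AliasName"] == alias_name:
                return alias.get("TargetKeyId")
        if not page.get("Truncated"):
            return None
        marker = page["NextMarker"]

def key_is_usable(kms, key_id, now=None):
    """True if the key is Enabled and its imported material, if time-limited, has not expired."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["KeyState"] != "Enabled":
        return False
    valid_to = meta.get("ValidTo")  # only present for imported material with an expiry date
    return valid_to is None or valid_to > (now or datetime.now(timezone.utc))

def undo_renewal(kms, alias_name, old_key_id, now=None):
    """Point the alias back at the key it targeted before renewal.
    Refuses if that key is disabled or expired, since every caller of the alias would break.
    Returns (target_before, target_after)."""
    if not key_is_usable(kms, old_key_id, now):
        raise RuntimeError(f"{old_key_id} is not usable; leaving {alias_name} unchanged")
    before = alias_target(kms, alias_name)
    if before != old_key_id:
        kms.update_alias(AliasName=alias_name, TargetKeyId=old_key_id)
    return before, old_key_id

class FakeKms:
    """Constructed offline stand-in for boto3.client('kms'): three BYOK keys and one alias."""
    def __init__(self):
        self.keys = {
            "old-key-1111": {"KeyState": "Enabled", "ValidTo": datetime(2030, 1, 1, tzinfo=timezone.utc)},
            "new-key-2222": {"KeyState": "Enabled"},  # no ValidTo: material imported without expiry
            "expired-key-3333": {"KeyState": "Enabled", "ValidTo": datetime(2020, 1, 1, tzinfo=timezone.utc)},
        }
        self.aliases = {"alias/byok-app": "new-key-2222"}  # renewal already redirected the alias
    def list_aliases(self, **kwargs):
        return {"Aliases": [{"AliasName": n, "TargetKeyId": k} for n, k in self.aliases.items()],
                "Truncated": False}
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId], KeyId=KeyId)}
    def update_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId
```

Because the old KMS key stays in place and enabled after a renewal, the rollback is a single `update_alias` call; the usability check is what keeps a rollback from silently pointing production traffic at an expired key.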

How does BYOK key renewal impact other AWS services such as S3, DynamoDB, etc.?

An application that references the key through its alias will keep working without changes when it uses:

  • S3 Encryption Client SDK
  • DynamoDB Encryption Client SDK
  • AWS Encryption SDK

Billing

What happens if I cancel my subscription?

After canceling your subscription, you still have access to the Cryptomathic BYOK service until the end of your billing cycle.

Once your subscription has expired, you lose access to the Cryptomathic BYOK service.

After the expiry of my subscription, what happens to the key material?

Even after subscription expiry, the BYOK key material will stay on AWS KMS.

Security

How are keys generated and secured?

Keys are generated inside HSMs solely under the logical control of Cryptomathic. The HSMs are certified according to FIPS 140-2 Level 3.

How are keys protected when at rest?

Keys at rest are encrypted under an HSM-protected KEK (key-encryption key).

How is access to Cryptomathic BYOK for AWS secured?

Access is controlled by AWS Cognito. A typical setup uses two-factor authentication with the OAuth 2.0 Authorization Code grant.

Troubleshooting

What happens if the AWS KMS has a power outage?

If the keys in AWS KMS are lost, you can use the Cryptomathic BYOK service to re-upload the key material to AWS KMS.


Guides

Here you can find the manuals for the Cryptomathic AWS BYOK Service:

Video workflow guides

  • How to create a key store - part 1
  • How to create a key store - part 2
  • How to create a key
  • How to renew a key
  • How to delete a key
  • How to export a key
  • How to re-upload a key
  • How to activate and deactivate a key
  • How to manage team members

Download the ebook: Introducing the AWS BYOK Service from Cryptomathic