A Cryptomathic AWS BYOK account, an AWS account, and an administrator having access to it.
If key material generated and handled by the Cryptomathic AWS BYOK service is also managed directly in AWS KMS, the key state in KMS can drift out of synchronization with the state recorded by the BYOK service, which may lead to misinterpretation of a key's status. Therefore it is not recommended to change Cryptomathic AWS BYOK related keys directly in AWS KMS.
The only key type supported in AWS BYOK is symmetric encryption KMS keys (AES-256-GCM).
Cryptomathic strives to provide 99.6% uptime for the Service.
Note that the Cryptomathic BYOK service is only needed for the process of key material generation and upload.
Yes. You can grant access to others via the "Team members" tab on the "Account Settings" page.
There is no extra cost when you close your account.
Already paid invoices will not be refunded.
Cryptomathic has strict legal rules for handling personal data. Read our Terms and Conditions here: https://www.cryptomathic.com/creditsandprivacy
Cryptomathic's AWS BYOK service supports all regions in the standard AWS partition. AWS GovCloud and AWS China are separate AWS partitions and are not currently supported. Therefore the following regions are not supported:
A map of current and coming AWS regions can be found here: https://aws.amazon.com/about-aws/global-infrastructure/regions_az/
The BYOK service's internal key management records will be deleted. However, keys residing in AWS KMS will be unaffected.
No. The AWS BYOK service does not support multi-region keys.
Yes. You will receive a notification email.
Nothing except for the normal key expiry consequences in AWS. This event typically indicates that the key is no longer maintained by the BYOK service.
No. A key store is a collection of keys. An AWS Custom key store is a collection of keys stored and used inside AWS CloudHSMs.
Some keys in the key store are not in the DELETED state. Deleting a key store requires that all of its keys are in the DELETED state.
The Cryptomathic BYOK service creates a new BYOK key with new key material, and uploads that to your AWS KMS.
The KMS alias that pointed to the original KMS key is redirected to point to the new KMS key. The original KMS key remains in place and remains enabled.
This approach follows the manual key rotation described here: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
If the user needs to undo the renewal, they can log into the AWS web console, go to KMS, and redirect the alias to point back to the old KMS key.
An application using the alias to reference the key will work without changes for:
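The alias redirect described above, and its undo, can also be done from the AWS CLI. The script below is an added example, not code from Cryptomathic or AWS; it assumes the AWS CLI is installed with credentials allowed to call kms:ListAliases, kms:DescribeKey and kms:UpdateAlias, and the alias name and key IDs shown are placeholders.

```shell
#!/usr/bin/env bash
# Added example: inspect which KMS key an alias targets, and repoint the alias
# (the manual step used to undo a BYOK renewal) only if the target key is Enabled.
# Alias names and key IDs below are placeholders, not real identifiers.
set -eu

# Print the key ID the alias currently targets (prints nothing if it does not exist).
alias_target() {
  aws kms list-aliases \
    --query "Aliases[?AliasName=='$1'].TargetKeyId" \
    --output text
}

# Print the KeyState of a key: Enabled, Disabled, PendingDeletion, ...
key_state() {
  aws kms describe-key --key-id "$1" \
    --query 'KeyMetadata.KeyState' --output text
}

# Repoint an alias to a target key. To undo a renewal, pass the *old* KMS key,
# which the BYOK service leaves in place and enabled. Refuses non-Enabled keys,
# and verifies the redirect before reporting success.
repoint_alias() {
  alias_name="$1"
  target_key="$2"
  state="$(key_state "$target_key")"
  if [ "$state" != "Enabled" ]; then
    echo "refusing: $target_key is in state $state" >&2
    return 1
  fi
  aws kms update-alias --alias-name "$alias_name" --target-key-id "$target_key"
  [ "$(alias_target "$alias_name")" = "$target_key" ]
}

# Usage with placeholder values:
#   repoint_alias alias/my-byok-key 11111111-2222-3333-4444-old-key-id-placeholder
```

Applications that reference the key by alias pick up the new target on their next request; nothing in them needs to change.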
After canceling your subscription, you still have access to the Cryptomathic BYOK service until the end of your billing cycle.
Once your subscription has expired, you lose access to the Cryptomathic BYOK service.
Even after subscription expiry, the BYOK key material will stay on AWS KMS.
Keys are generated inside an AWS CloudHSM. They are stored in DynamoDB encrypted under a KEK (Key-Encryption Key), and that encryption is performed inside the CloudHSM.
This is controlled by AWS Cognito. Setup typically involves two-factor authentication using the OAuth2 Authorization Code grant.
The customer sets up a role (with policy permissions) which the BYOK service assumes.
In case of the keys in AWS KMS being lost, you can use the Cryptomathic BYOK service to re-upload the key material to AWS KMS.