Cryptomathic AWS BYOK Service

Here you can find answers to some of the frequently asked questions, guides and terms of use for the Cryptomathic AWS BYOK Service:


Frequently Asked Questions


What do I need to get started with Cryptomathic BYOK for AWS?

A Cryptomathic AWS BYOK account, an AWS account, and an administrator having access to it.

What happens to my Cryptomathic BYOK keys if I change my keys directly in AWS KMS?

If key material generated and managed by the Cryptomathic AWS BYOK service is modified directly in AWS KMS, the state in KMS can fall out of synchronization with the state held by the BYOK service, which may lead to misinterpretation of a key's status. Therefore it is not recommended to change Cryptomathic AWS BYOK related keys directly in AWS KMS.

Can I export key material from the Cryptomathic BYOK service?


Which types of keys can be created?

The only key type supported in AWS BYOK is symmetric encryption KMS keys (AES-256-GCM).

What is the system's availability?

Cryptomathic strives to ensure 99.6% uptime for the Service.

Note that the Cryptomathic BYOK service is only needed for the process of key material generation and upload.

Can I invite others to join my account?

Yes. You can grant access to others via the "Team members" tab on the "Account Settings" page.

What will I pay if I close my account?

There is no extra cost when you close your account.

Already paid invoices will not be refunded.

What happens to my personal data if I close my account?

Cryptomathic has strict legal rules for handling personal data. Read our Terms and Conditions here:

Which AWS regions are supported?

Cryptomathic's AWS BYOK service supports all regions in the standard AWS partition. AWS GovCloud and AWS China are separate AWS partitions and are not currently supported. Therefore the following regions are not supported:

  • GovCloud (US-East)
  • GovCloud (US-West)
  • Mainland China (Beijing)
  • Mainland China (Ningxia)

A map of current and coming AWS regions can be found here:


What happens to my keys if I close my account, or my account expires?

The service's internal records for managing the keys will be deleted. However, keys residing in AWS KMS will be unaffected.

Does AWS BYOK service support multi-region keys?

No. The AWS BYOK service does not support multi-region keys.

Will I get notified before automatic key renewal?

Yes. You will receive a notification email.

What happens if my key expires in AWS KMS?

Nothing except for the normal key expiry consequences in AWS. This event typically indicates that the key is no longer maintained by the BYOK service.

Is a key store in the AWS BYOK service the same as an AWS Custom Key Store?

No. In the AWS BYOK service, a key store is a collection of keys. An AWS Custom Key Store is a collection of keys stored and used inside AWS CloudHSM.

Why can a key store not be deleted?

Some keys in the key store are not in the DELETED state. Deleting a key store requires that all of its keys are in the DELETED state.

Key Renewal

What happens when a key is renewed in the BYOK system?

The Cryptomathic BYOK service creates a new BYOK key with new key material, and uploads that to your AWS KMS.

The KMS alias that pointed to the original KMS key is redirected to point to the new KMS key. The original KMS key remains in place and remains enabled.

This approach follows the manual key rotation described here:

How do I undo a key renewal?

If you need to undo the renewal, log into the AWS web console, go to KMS and redirect the alias to point to the old KMS key.
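As an added example (not Cryptomathic's code), the following boto3 script checks where the alias points after a renewal, confirms that the previous key is still Enabled, and performs the alias redirection used to undo a renewal. The alias name and old key id are placeholders, and the functions accept any KMS-like client so they can be exercised without an AWS account.

```python
"""Check the result of a BYOK key renewal in KMS, and redirect the alias back if needed."""
try:
    import boto3  # only needed to talk to a real account; the helpers accept any KMS-like client
except ImportError:
    boto3 = None


def alias_target(kms, alias_name):
    """Return the key id the alias currently points to, or None if no such alias exists."""
    kwargs = {}
    while True:  # ListAliases is paginated; follow NextMarker until Truncated is false
        page = kms.list_aliases(**kwargs)
        for alias in page["Aliases"]:
            if alias["AliasName"] == alias_name:
                return alias.get("TargetKeyId")
        if not page.get("Truncated"):
            return None
        kwargs = {"Marker": page["NextMarker"]}


def renewal_report(kms, alias_name, old_key_id):
    """Summarise the state after a renewal: the alias should point at the new key while
    the previous key stays in place and Enabled, so older ciphertexts still decrypt."""
    meta = kms.describe_key(KeyId=old_key_id)["KeyMetadata"]
    target = alias_target(kms, alias_name)
    return {
        "current_target": target,
        "alias_points_to_old_key": target == old_key_id,
        "old_key_state": meta["KeyState"],
        "old_key_expires": meta.get("ValidTo"),  # set only for imported material with an expiry
    }


def undo_renewal(kms, alias_name, old_key_id):
    """Point the alias back at the previous key (the manual undo described in the FAQ).
    Refuses when the old key is not Enabled, because callers of the alias would then fail."""
    state = kms.describe_key(KeyId=old_key_id)["KeyMetadata"]["KeyState"]
    if state != "Enabled":
        raise RuntimeError(f"old key {old_key_id} is {state}; not redirecting alias {alias_name}")
    kms.update_alias(AliasName=alias_name, TargetKeyId=old_key_id)
    return alias_target(kms, alias_name)


if __name__ == "__main__":
    # Placeholder alias and key id; substitute the alias of your BYOK key and the key id
    # you recorded before the renewal.
    if boto3 is None:
        raise SystemExit("boto3 is required to query a real AWS account")
    client = boto3.client("kms")
    print(renewal_report(client, "alias/example-byok-key", "PLACEHOLDER-OLD-KEY-ID"))
```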

How does BYOK key renewal impact other AWS services such as S3, AWS DynamoDB, etc.?

An application that uses the alias to reference the key will continue to work without changes for:

  • S3 Encryption Client SDK
  • DynamoDB Encryption Client SDK
  • AWS Encryption SDK


What happens if I cancel my subscription?

After canceling your subscription, you still have access to the Cryptomathic BYOK service until the end of your billing cycle.

Once your subscription has expired, you lose access to the Cryptomathic BYOK service.

After the expiry of my subscription, what happens to the key material?

Even after subscription expiry, the BYOK key material will stay on AWS KMS.


How are keys generated and secured?

Keys are generated inside an AWS CloudHSM. They are stored in DynamoDB, encrypted under a KEK (Key-Encryption Key), and the encryption is performed inside the CloudHSM.

How is access to Cryptomathic BYOK for AWS secured?

Access is controlled by AWS Cognito. Setup typically involves two-factor authentication using the OAuth 2.0 Authorization Code grant.

How is communication to my AWS KMS secured?

The customer sets up a role (with the required policy permissions) which the BYOK service assumes.


What happens if the AWS KMS has a power outage?

If the keys in AWS KMS are lost, you can use the Cryptomathic BYOK service to re-upload the key material to AWS KMS.


Terms Of Use

Click here for the full Terms of Use (PDF document).
