BYOK, CYOK, HYOK: Cloud Key Management Explained

Last Updated: 20 October 2025

Here we look at what it means to “bring your own key”, “control your own key” and “hold your own key”, and how these three methods differ as ways of protecting the business-critical cryptographic keys, and the encryption key management solutions, used to encrypt data in the cloud.

What you will learn  

  • BYOK (Bring Your Own Key): Learn how this model allows you to generate and manage your own encryption keys, providing a balance between control and convenience.  
  • CYOK (Control Your Own Key): Discover how CYOK offers enhanced control by ensuring your keys remain private, even within the cloud environment.   
  • HYOK (Hold Your Own Key): Understand how HYOK provides the highest level of security by keeping your keys entirely within your own infrastructure. 

How is Key Management Handled for Cloud Applications?  

The share of corporate data stored in the cloud has almost doubled from the 48% reported when the Ponemon Institute published its 2019 Global Cloud Security Study. Storing data in the cloud creates several challenges, including:

Where is the data stored?

In cloud environments, data can be stored across multiple geographic regions depending on the provider’s infrastructure. Unless carefully configured, the organisation may not have full visibility over where its encrypted data physically resides. This becomes a compliance and sovereignty concern - especially in highly regulated sectors such as banking, finance and healthcare - where data residency requirements dictate that data must remain within approved jurisdictions.

Who can access the data?

Access to data ultimately depends on who controls the encryption keys. Even if data is encrypted, if the cloud provider generates and manages the encryption keys by default, they technically hold a position of potential access according to most threat models and legal frameworks. True control lies not just in data encryption but in key custody. If a third party can access or process the key material, they are in a position to decrypt. 

What is the best way to secure the data? 

In answering what the best way to secure data is, the focus falls on encryption, which in turn requires encryption key management solutions. This raises yet another question: who should be in control of the keys? According to common law, "possession is nine-tenths of the law": ownership is easier to maintain when an entity has possession of an item, and it is more difficult to enforce ownership and prevent unauthorised access to or use of that item when it does not.

As long as a business entity is in possession of its keys at all times and those keys are protected, for example within a hardware security module (HSM) or key management software, the data encrypted under them remains secure. After all, encryption key management solutions are ultimately about control.

By default, cloud providers will generate encryption keys and then manage the lifecycle of said keys for their customers. However, this is not acceptable for organisations hosting sensitive data in the cloud because they must maintain sole control and ownership over their keys in order to comply with their internal security requirements. This has generated the need for strategies that allow organisations to maintain full control over how and when their keys are used to access and protect their encrypted data. 

This led to the “Bring Your Own Key” (BYOK) strategy, which is not without shortcomings of its own. “Hold Your Own Key” (HYOK), “Control Your Own Key” (CYOK) and other variants were therefore introduced to provide additional options for keeping cryptographic keys secure and maintaining control over access to them.

What are BYOK, CYOK and HYOK?

BYOK (Bring Your Own Key), CYOK (Control Your Own Key) and HYOK (Hold Your Own Key) are three approaches to managing cryptographic keys used to encrypt and decrypt data stored in the cloud. They differ in where the encryption keys are generated and stored, who can access them, and how much control the organisation retains over their lifecycle. 

  • BYOK: Customer generates keys and imports them into the cloud KMS. Keys are under customer governance, but cryptographic operations run inside the provider boundary. 
  • CYOK: Customer generates and controls keys, never exposed in clear to the provider. Keys may be hosted in a customer-controlled HSM or isolated enclave. Provider sees handles or wrapped keys only. 
  • HYOK: Customer holds keys entirely outside the provider boundary. The cloud calls an external key system or the data is encrypted and decrypted only in customer-controlled environments. 

What Is The Bring Your Own Key (BYOK) Method?  

Instead of accepting a cloud provider’s default option of generating and supplying its own encryption keys, which means a loss of control and headaches if there is ever a need to change providers, “Bring Your Own Key” provides the customer some level of control over its encryption keys. With BYOK, the user creates, backs up and provides its own encryption keys. The service provider should not have access to the key in the clear, so its encrypted data remains encrypted regardless of who attempts to access it. Key ownership brings great responsibility. If the key is submitted to the service provider, it can be difficult to retrieve immediately if needed, and if the key is lost by either the provider or the customer, the results could be catastrophic to the business.  

BYOK does come with challenges once you consider what has to happen behind the scenes on the customer's side; it can present both security and operational difficulties.

  • BYOK allows the customer to independently generate, back up and submit its own encryption keys to the cloud. 
  • If a key is lost or an error occurs, the data cannot be decrypted, which could bring operations to a standstill. 
  • If a key is stolen, the entire security operation is jeopardized. 
  • If a key is lost or stolen, there is very little that can be done, since the service provider was relieved of liability for the key from the outset. 
  • The organization needs to be vigilant in maintaining backups and must subject its operations to high-security measures.

The technical implementation of BYOK can differ significantly between cloud providers and also depends on what type of applications are used in the cloud. For many SaaS applications, the cloud provider must have access to and possession of the keys in order to provide its services, which negates the “own” part of BYOK. It is therefore important to assess whether the BYOK method supported by your cloud provider and encryption key management solution actually addresses your security and key control needs.

How does the “Control Your Own Key” (CYOK) Method Work?  

An alternative method for customers is “Control Your Own Key”. With CYOK, the customer creates its keys, which are never exposed in the clear to the provider and remain under the customer's control even when hosted in a customer-controlled HSM or enclave. The customer controls the full key lifecycle and can revoke keys instantly at any time. These keys can be held in a protected virtual node within the cloud or within a hybrid environment in an on-premise data center. 

CYOK allows the customer to maintain some control over the keys whether they use an on-premise hybrid CYOK system or in a node hosted by the cloud provider. 

  • Cryptographic keys are never exposed in the clear to the provider and remain under the customer's control, even when hosted in a customer-controlled HSM or enclave. 
  • The keys can be used for any purpose. 
  • The key material is never exposed in the clear. 
  • The customer can still revoke and control the keys’ lifecycles.

How Does the “Hold Your Own Key” (HYOK) Method Ensure Security?   

“Hold Your Own Key” gives organizations full control over their cryptographic keys. The keys remain in the possession of the customer at all times. With HYOK, data is encrypted before it is sent to the cloud, and it is not decrypted until it is back on-premises. HYOK therefore ensures that sensitive data stays encrypted at all times while in the cloud, and the customer’s encryption keys are never exposed. 

For organizations that require a higher level of security to meet the stringent data security requirements of their industry, such as banking, finance and healthcare, HYOK provides more stringent security than BYOK and CYOK because: 

  • The customer retains physical ownership and logical control of its managed encryption keys, thus always possessing their keys. 
  • HYOK allows for the immediate revocation of access by disabling the key or the external key endpoint. 
  • Data associated with a deactivated key is immediately made inaccessible (crypto-shredded) unless and until the key’s availability is restored. 
  • HYOK is ideal for organizations that must adhere to strict regulation and compliance policies.
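The custody difference described in the BYOK section above (for many services the provider must hold the key to do its job) and in the HYOK bullets just listed (revocation by disabling the key or the external key endpoint, with the data crypto-shredded until the key is restored) can be made concrete in code. The following Go program is an added example, not Cryptomathic's code and not any cloud provider's API: it models a customer-controlled key store (CustomerHSM) and a provider-side KMS (CloudKMS) under hypothetical names, uses AES-256-GCM for the data and RSA-OAEP for the BYOK key wrap, and shows that after a BYOK import the provider decrypts on its own, whereas under HYOK the provider can only call the customer's endpoint, which refuses as soon as the key is disabled.

```go
// Hypothetical model of the custody boundaries discussed above; not Cryptomathic's code.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// gcmFor returns an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Open decrypts nonce||ciphertext; a wrong key or tampered data fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// CustomerHSM is the customer-controlled key store; the cloud knows only Handle.
type CustomerHSM struct {
	Handle  string
	Enabled bool
	key     []byte // never leaves the HSM in clear
}

// NewCustomerHSM generates a fresh 256-bit key under handle.
func NewCustomerHSM(handle string) *CustomerHSM {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error (Go 1.24+)
	return &CustomerHSM{Handle: handle, Enabled: true, key: k}
}

// Encrypt seals data on the customer side before it is sent to the cloud (HYOK).
func (h *CustomerHSM) Encrypt(plaintext []byte) []byte {
	gcm, _ := gcmFor(h.key) // cannot fail: the key is always 32 bytes
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil) // output is nonce||ciphertext
}

// Decrypt is the external-key endpoint the cloud calls (HYOK, or by handle under CYOK).
// A disabled key refuses, so revocation is immediate and the cloud-held data is crypto-shredded.
func (h *CustomerHSM) Decrypt(sealed []byte) ([]byte, error) {
	if !h.Enabled {
		return nil, fmt.Errorf("key %q is disabled", h.Handle)
	}
	return Open(h.key, sealed)
}

// ExportWrapped is the BYOK import path: the key leaves the HSM only wrapped under the provider's RSA import key.
func (h *CustomerHSM) ExportWrapped(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, h.key, nil)
}

// CloudKMS is the provider boundary; ByokKey is the imported key, held in clear.
type CloudKMS struct {
	ImportKey *rsa.PrivateKey
	ByokKey   []byte
}

func NewCloudKMS() (*CloudKMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &CloudKMS{ImportKey: priv}, err
}

// ImportBYOK unwraps the key; from here on the provider decrypts without the customer (the "own" gap).
func (c *CloudKMS) ImportBYOK(wrapped []byte) (err error) {
	c.ByokKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, c.ImportKey, wrapped, nil)
	return err
}

func main() {
	hsm := NewCustomerHSM("cust-key-1")
	kms, _ := NewCloudKMS()
	ct := hsm.Encrypt([]byte("constructed sample record")) // sealed on-premises, then uploaded
	wrapped, _ := hsm.ExportWrapped(&kms.ImportKey.PublicKey)
	_ = kms.ImportBYOK(wrapped)
	pt, _ := Open(kms.ByokKey, ct) // BYOK: the provider decrypts with no customer involvement
	fmt.Printf("BYOK plaintext at provider: %q\n", pt)
	hsm.Enabled = false // HYOK revocation: the provider's next call-out is refused
	_, err := hsm.Decrypt(ct)
	fmt.Println("HYOK after revocation:", err)
}
```

Run it with `go run`. The same Decrypt call-out by handle is what a CYOK deployment exposes to the provider, with the key material itself never crossing the boundary. Real cloud KMS import flows differ in their details (import token lifetimes, the choice of wrapping algorithm, key attestation), so treat the wrap step as an illustration of the mechanism rather than any particular provider's procedure.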

Why Trust Cryptomathic with Your Cloud Key Management? 

There is no official standardization for encryption key management solutions or for methods like BYOK, CYOK and HYOK used with cloud services. However, certain industries, such as the banking and financial sector or the healthcare sector, are subject to stringent requirements for protecting sensitive data, which makes some methods preferable to others. 

Documents, like Cloud Security Alliance’s “Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations” seek to provide guidance in determining which type of encryption key management solution is appropriate for different uses. 

Despite the various acronyms that have popped up, BYOK is still used as the umbrella term for keys that are loaded into a cloud environment in order to be used by cloud applications, regardless of the different levels of control, security, auditability and remote management. In response to market demand, Cryptomathic's BYOK infrastructure can be configured based on the specific needs of each customer. 

To support the differing market requirements for security, compliance and cost-efficiency, Cryptomathic’s encryption key management solutions support the variations of BYOK described above. The deployment, technical capability and legal assurances of such mechanisms depend on which cloud service provider is chosen by your business. 

Contact us for more information on how to secure your encryption keys in the cloud. 

Key Takeaways 

  • BYOK, CYOK and HYOK represent different levels of control over encryption keys used in the cloud. 
  • These methods are not officially standardised but are widely adopted across regulated industries. 
  • Financial, banking and healthcare sectors often require stronger control models like CYOK or HYOK to meet compliance demands. 
  • “BYOK” is often used as an umbrella term for any customer-supplied key model in cloud environments. 
  • Cryptomathic’s key management infrastructure supports all variations and can be tailored to match specific security and operational requirements. 

FAQs 

Which industries benefit most from using HYOK?

HYOK is particularly suited for highly regulated sectors such as banking, finance, government, defence and healthcare, where data residency, compliance and auditability requirements demand maximum control over encryption keys and zero exposure to cloud providers. 

Can HYOK be used in multi-cloud or hybrid architecture?

Yes. HYOK is well-suited for multi-cloud and hybrid environments, as it allows organisations to maintain a single point of cryptographic control while using multiple cloud services. Keys remain managed on-premises or within a dedicated secure environment, regardless of where the data is stored or processed. 

What happens if the key is lost or corrupted? 

If the key is lost or corrupted and no secure backup exists, the encrypted data becomes permanently inaccessible - a state often referred to as crypto-shredding. This makes proper key backup, redundancy and lifecycle governance essential components of any BYOK, CYOK or HYOK strategy. 
