Skip to main content

Bring Your Own Key (BYOK)

The BYOK package is designed for businesses with strict regulatory compliance requirements or a desire for enhanced security in cloud deployments. It leverages a dedicated partition within the CloudHSM ECO service, allowing subscribers to store their encryption keys outside of their cloud service provider's environment. This ensures complete control and visibility over their key management process, while still benefiting from the robust security features of CloudHSM.

Key features include:

  • A dedicated 1 MB partition within CloudHSM ECO for secure key storage.
  • Support for either up to 3, 10 or an unlimited number of key objects up to maximum partition capacity, making it ideal for single applications or trials.
  • All the tools and application notes neccesary to seamlessly generate and import keys into your chosen cloud service provider (e.g., Azure, AWS or Salesforce).

Service Description

This service provides access to Securosys Cloud HSM Service partitions with the following attributes:

AttributeDescription
Client ConnectionsNot limited
Storage Capacity1MB
PerformanceN/A
Key GenerationMax. 1 key per second
Cryptographic APIsJava (JCA/JCE)
Supported FunctionsSee the Supported Algorithms and Functions list
Operational Modenon-FIPS

Service Options

In addition to the service description provided above, the following table outlines the available options and indicates whether they are currently enabled, disabled, or can be optionally selected:

OptionAvailability
Attestation and Partition AuditEnabled
Partition AdministrationOption. Requires purchase or rent of Decanus Terminal
Smart Key AttributesDisabled
Transaction Security Broker (TSB)Disabled
Crypto CurrenciesDisabled
Post-Quantum Cryptographic AlgorithmsDisabled
Timestamp Service (RFC3161 compliant)Disabled

Regions

BYOK is accessible through either a Regional Swiss, German, US, or Singapore cluster, ensuring optimal reach and performance tailored to specific geographic needs. This distribution is detailed in the table below.

Service PackageData Center locationsActive DCBusiness Continuity DC
Bring Your Own Key (BYOK), SwitzerlandSwitzerlandCH01, CH02CH03
Bring Your Own Key (BYOK), GermanyGermany, SwitzerlandDE01, CH02CH03
Bring Your Own Key (BYOK), USAUSA, SwitzerlandUS01, US02CH03
Bring Your Own Key (BYOK), SingaporeSingapore, SwitzerlandSG01, CH02CH03
note

The active sites are located based on the configuration specified in the cluster definition. The business continuity site, designed for disaster recovery, is strategically located in Switzerland.

Partition Policy Settings

The following tables provide an overview of all partition policy settings, indicating whether they are enabled, disabled, or available for selection by the customer upon ordering and wether they can be modified afterwards.

API Settings

API ActivationAvailability
PKCS#11Disabled
Java (JCA/JCE)Enabled
Microsoft CNGDisabled
RESTDisabled
Client API AccessEnabled. Modifiable via Support Portal, or Decanus Terminal via Partition Administrationi to take partition completely offline.

Partition Settings

PolicyAvailability
Key ImportDisabled.
Key ExportEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Key InvalidationEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Partition R/ODisabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Session ObjectsEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Object DestructionEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Object UsageDisabled.

Service Management

The CloudHSM BYOK partition offers versatile management options to make changes to the partition policy setting. Users can utilize the Decanus Terminal via Partition Administration or submit change requests on the Support Portal.