Skip to main content

Bring Your Own Key (BYOK)

CloudHSM BYOK is designed for businesses with strict regulatory compliance requirements or a desire for enhanced security in cloud deployments. It leverages a dedicated partition within the CloudHSM Economy service, allowing subscribers to store their encryption keys outside of their cloud service provider's environment. This ensures complete control and visibility over their key management process, while still benefiting from the robust security features of CloudHSM.

Key features include:

  • A dedicated partition within CloudHSM ECO for secure key storage.
  • Support for either up to 3, 10 or 200 key objects (RSA 2048 bit).
  • All the tools and application notes neccesary to seamlessly generate and import keys into your chosen cloud service provider (e.g., Azure, AWS or Salesforce).

Service Description

This service provides access to Securosys Cloud HSM Service partitions with the following attributes:

AttributeDescription
Client ConnectionsNot limited
Storage Capacity3-200 key objects
PerformanceN/A
Key GenerationMax. 1 key per second
Cryptographic APIsJava (JCA/JCE)
Supported FunctionsSee the Supported Algorithms and Functions list
Operational ModeNormal Mode (Algorithm set not FIPS restricted)

Service Options

In addition to the service description provided above, the following table outlines the available options and indicates whether they are currently enabled, disabled, or can be optionally selected:

OptionAvailability
Attestation and Partition AuditEnabled
Partition AdministrationOption. Requires purchase or rent of Decanus Terminal
Smart Key Attributes (SKA)Disabled
Transaction Security Broker (TSB)Disabled
CryptocurrenciesDisabled
Post-Quantum Cryptographic AlgorithmsDisabled
Timestamp Service (RFC3161 compliant)Disabled

Regions

BYOK is accessible through either a Regional Swiss, German, US, or Singapore cluster, ensuring optimal reach and performance tailored to specific geographic needs. This distribution is detailed in the table below.

Service PackageData Center locationsActive DCBusiness Continuity DC
Bring Your Own Key (BYOK), SwitzerlandSwitzerlandCH01, CH02CH03
Bring Your Own Key (BYOK), GermanyGermany, SwitzerlandDE01, CH02CH03
Bring Your Own Key (BYOK), USAUSA, SwitzerlandUS01, US02CH03
Bring Your Own Key (BYOK), SingaporeSingapore, SwitzerlandSG01, CH02CH03
note

The active sites are located based on the configuration specified in the cluster definition. The business continuity site, designed for disaster recovery, is strategically located in Switzerland.

Partition Policy Settings

The following tables provide an overview of all partition policy settings, indicating whether they are enabled, disabled, or available for selection by the customer upon ordering and wether they can be modified afterwards.

API Settings

API ActivationAvailability
PKCS#11Disabled
Java (JCA/JCE)Enabled
Microsoft CNGDisabled
RESTDisabled
Client API AccessEnabled. Modifiable via Support Portal, or Decanus Terminal via Partition Administrationi to take partition completely offline.

Partition Settings

PolicyAvailability
Key ImportDisabled.
Key ExportEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Key InvalidationEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Partition R/ODisabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Session ObjectsEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Object DestructionEnabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration.
Object UsageDisabled.

Service Management

The CloudHSM BYOK partition offers versatile management options to make changes to the partition policy setting. Users can utilize the Decanus Terminal via Partition Administration or submit change requests on the Support Portal.