Bring your own key (BYOK) for data encryption

This topic describes the Bring Your Own Key (BYOK) solution that enables Privilege Cloud to access your AWS KMS key to encrypt your Privilege Cloud secrets.

BYOK for encrypting Privilege Cloud data

One of Privilege Cloud security principles is that all data (user secrets) stored in the Privilege Cloud backend is encrypted at all times. By default, this is done using the Privilege Cloud AWS KMS key. Privilege Cloud encrypts the data at the time of storage, and then decrypts it using the same encryption key following a user request to display or retrieve it.

With BYOK, you define your own encryption key and replace the default Privilege Cloud encryption key. The solution is based on enabling Privilege Cloud to access your encryption key and use it to encrypt your Privilege Cloud data.

BYOK enables you to:

  • Fully control the encryption key used to encrypt Privilege Cloud data: You are responsible for hosting, managing access (enable/disable), and revoking the encryption key within Privilege Cloud.

  • Control Privilege Cloud access to your encryption key to encrypt your users' data within Privilege Cloud . At any time you can disable or revoke BYOK, to stop Privilege Cloud access to your encryption key and effectively block access to your encrypted data.

  • Rotate your encryption key at any time, based on your organizational policy, and update the encryption key used by Privilege Cloud.

Supported encryption key services

BYOK is based on use of AWS Key Management Services (KMS) and AWS Identity and Access Management (IAM):

Ownership and responsibility

  • You are solely responsible for hosting, managing, and rotating your encryption key within AWS KMS service.

  • You control Privilege Cloud access to your encryption key.

  • You can revoke Privilege Cloud access to your encryption key at any time, effectively blocking Privilege Cloud access to your encrypted data and blocking your users' access to Privilege Cloud data.

  • Key rotation is your responsibility. You can use automatic KMS rotation (once a year) or manually generate a new KMS key when required.

  • You can audit and track CyberArk access to your encryption key through CloudWatch and AWS logs.

  • If you revoke access to your encryption key, or if you change the encryption key without updating the Privilege Cloud configuration, your system data is locked and cannot be decrypted without access to the original encryption key.

Warning guidelines

When employing BYOK, the customer is solely responsible for safeguarding the encryption key.

In case CyberArk does not have access to your key, for example, in case of deletion, loss, or alteration of the key, you will not be able to access your encrypted data.

CyberArk does not store a copy of your encryption key, does not maintain any alternate means of accessing your encrypted data, and will not be able to recover your encrypted secrets or recorded sessions.

The Bring Your Own Key service is subject to the "Bring Your Own Key" provision in CyberArk's SaaS Terms of Service.