Bring Your Own Key (BYOK)
CloudHSM BYOK is designed for businesses with strict regulatory compliance requirements or a desire for enhanced security in cloud deployments. It leverages a dedicated partition within the CloudHSM Economy service, allowing subscribers to store their encryption keys outside of their cloud service provider's environment. This ensures complete control and visibility over their key management process, while still benefiting from the robust security features of CloudHSM.
Key features include:
- A dedicated partition within CloudHSM ECO for secure key storage.
- Support for either up to 3, 10 or 200 key objects (RSA 2048 bit).
- All the tools and application notes neccesary to seamlessly generate and import keys into your chosen cloud service provider (e.g., Azure, AWS or Salesforce).
Service Description
This service provides access to Securosys Cloud HSM Service partitions with the following attributes:
| Attribute | Description |
|---|---|
| Client Connections | Not limited |
| Storage Capacity | 3-200 key objects |
| Performance | N/A |
| Key Generation | Max. 1 key per second |
| Cryptographic APIs | Java (JCA/JCE) |
| Supported Functions | See the Supported Algorithms and Functions list |
| Operational Mode | Normal Mode (Algorithm set not FIPS restricted) |
Service Options
In addition to the service description provided above, the following table outlines the available options and indicates whether they are currently enabled, disabled, or can be optionally selected:
| Option | Availability |
|---|---|
| Attestation and Partition Audit | Enabled |
| Partition Administration | Option. Requires purchase or rent of Decanus Terminal |
| Smart Key Attributes (SKA) | Disabled |
| Transaction Security Broker (TSB) | Disabled |
| Cryptocurrencies | Disabled |
| Post-Quantum Cryptographic Algorithms | Disabled |
| Timestamp Service (RFC3161 compliant) | Disabled |
Regions
BYOK is accessible through either a Regional Swiss, German, US, or Singapore cluster, ensuring optimal reach and performance tailored to specific geographic needs. This distribution is detailed in the table below.
| Service Package | Data Center locations | Active DC | Business Continuity DC |
|---|---|---|---|
| Bring Your Own Key (BYOK), Switzerland | Switzerland | CH01, CH02 | CH03 |
| Bring Your Own Key (BYOK), Germany | Germany, Switzerland | DE01, CH02 | CH03 |
| Bring Your Own Key (BYOK), USA | USA, Switzerland | US01, US02 | CH03 |
| Bring Your Own Key (BYOK), Singapore | Singapore, Switzerland | SG01, CH02 | CH03 |
The active sites are located based on the configuration specified in the cluster definition. The business continuity site, designed for disaster recovery, is strategically located in Switzerland.
Partition Policy Settings
The following tables provide an overview of all partition policy settings, indicating whether they are enabled, disabled, or available for selection by the customer upon ordering and wether they can be modified afterwards.
API Settings
| API Activation | Availability |
|---|---|
| PKCS#11 | Disabled |
| Java (JCA/JCE) | Enabled |
| Microsoft CNG | Disabled |
| REST | Disabled |
| Client API Access | Enabled. Modifiable via Support Portal, or Decanus Terminal via Partition Administrationi to take partition completely offline. |
Partition Settings
| Policy | Availability |
|---|---|
| Key Import | Disabled. |
| Key Export | Enabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration. |
| Key Invalidation | Enabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration. |
| Partition R/O | Disabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration. |
| Session Objects | Enabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration. |
| Object Destruction | Enabled. Modifiable via Support Portal or Decanus Terminal via Partition Administration. |
| Object Usage | Disabled. |
Service Management
The CloudHSM BYOK partition offers versatile management options to make changes to the partition policy setting. Users can utilize the Decanus Terminal via Partition Administration or submit change requests on the Support Portal.