As organizations move to the cloud, ensuring robust data security and privacy controls has become a top priority. Encryption is crucial for any organization’s cloud security and data sovereignty strategy; however, who controls the encryption keys can significantly affect the effectiveness of these measures.
Provider-managed encryption keys (PMEKs), although convenient and used by default in most cloud services, have several security, compliance, and control-related drawbacks. Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) are two alternative approaches that let customers control their encryption keys; they differ significantly in how that control is implemented. In this post, we examine the key differences between BYOK and HYOK to help you decide which approach is right for your organization.
The Challenge with Provider-Managed Encryption Keys (PMEKs)
With PMEKs, the cloud provider generates, stores, and manages the encryption keys. This means:
- You don’t control key lifecycle operations (generation, rotation, deletion).
- You can’t restrict who within the provider’s system may access or use your keys.
- You’re dependent on the provider’s internal security and policies.
Many regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Federal Information Processing Standards (FIPS) 140-2, require clear and demonstrable control over cryptographic keys. Achieving compliance is particularly challenging when an organization cannot substantiate its control over those keys.
In addition, jurisdictional concerns can arise when keys are stored in regions governed by extensive surveillance laws, like those outlined in the U.S. CLOUD Act. In such jurisdictions, courts or government entities may have the authority to force cloud service providers to surrender cryptographic keys and the corresponding decrypted data. They may even impose gag orders that prevent these providers from notifying affected organizations when such actions occur. This poses significant risks for international businesses, particularly those operating in industries where data confidentiality and compliance are vital.
What is BYOK (Bring Your Own Key)?
BYOK allows customers to generate their own encryption keys and supply them to the cloud service provider (CSP). These keys are often created and managed using on-premises hardware security modules (HSMs) or key management systems (KMS), which provide a secure, tamper-resistant repository for the storage and management of keys. Once the key is transferred to the cloud, the CSP uses it to encrypt and decrypt customer data on its platform.
In the usual BYOK arrangement, the customer's master key is imported into the CSP's Key Management System (KMS), and the CSP uses it to protect the data encryption keys (DEKs) that actually encrypt the data: each DEK is encrypted under the customer's master key. If the master key is instead kept in a separate key management system that the CSP does not hold, the provider has no direct access to the master key itself. Organizations should always retain a backup of the master key in case the copy in the cloud is lost or has to be revoked.
While BYOK gives customers more control than using provider-managed keys, the cloud provider ultimately stores and manages the key within their infrastructure. Although you possess the key, the provider still has access to it and may be required to disclose it to third parties due to legal obligations.
Benefits of BYOK:
- Greater control than default provider-managed encryption keys (PMEKs).
- Helps meet compliance and regulatory standards, including GDPR, HIPAA, or ISO 27001.
- Easy integration with most major cloud platforms, for example, AWS KMS, Azure Key Vault, Google Cloud KMS.
- Offers more control without completely re-architecting your cloud usage.
- Ideal for organizations that lack the infrastructure or expertise to fully manage keys on-premises.
Challenges of BYOK:
- BYOK may require additional infrastructure and processes for key management.
- Managing encryption keys may require additional resources for long-term planning and maintenance.
- Losing keys can lead to permanent data loss and necessitate an expensive backup and recovery plan.
- Safely distributing encryption keys in multi-cloud or hybrid settings can be difficult because of stringent security demands.
What is HYOK (Hold Your Own Key)?
HYOK gives organizations full control over their cryptographic keys: the encryption keys never leave your environment. Keys are stored and managed entirely by your organization, outside the cloud infrastructure, typically on-premises, in an HSM, or in a private cloud. Any encryption or decryption operation that involves the key must either happen locally or reach your key remotely over a secure channel.
This gives your organization complete control over the key and data. It guarantees that no third party, including your cloud provider, can access your encrypted data without your explicit permission.
Benefits of HYOK:
- Offers maximum data protection and privacy.
- No trust required in the cloud provider’s infrastructure.
- Sensitive data stays encrypted in the cloud, reducing exposure risk.
- Ideal for strict regulatory environments and data sovereignty compliance that require full key control.
- Best for highly sensitive and classified data (e.g., defense, finance, healthcare).
Challenges of HYOK:
- HSMs or other secure key storage solutions may be required.
- If the encryption keys are lost, data can be irretrievably lost.
- HYOK requires physical hardware for key storage, which increases cost and complexity and introduces physical risks such as theft or damage.
- Using HSMs or secure key storage devices can make HYOK costly to establish and maintain.
Key Differences Between BYOK and HYOK
| Feature | BYOK | HYOK |
| --- | --- | --- |
| Key Ownership | Customer | Customer |
| Key Storage | Cloud provider (e.g. AWS KMS, Azure Key Vault, Google Cloud KMS) | Customer's environment (e.g. on-premises, HSM, private cloud) |
| Trust Model | Partial trust in cloud | Zero trust in cloud |
| Integration Complexity | Lower | Higher |
| Use Case Fit | Regulatory compliance, SaaS | Ultra-sensitive data, government data, data sovereignty |
| Support in Cloud | Widely supported | Limited availability |
When to Use BYOK and HYOK
Choosing between Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) depends on your organization’s specific security needs and compliance requirements. Selecting the appropriate model enables organizations to effectively balance operational efficiency, regulatory compliance, and data security.
BYOK is ideal for organizations that want to retain control over their encryption keys while ensuring compliance with data protection regulations, all without making significant changes to their cloud infrastructure. On the other hand, HYOK is suited for organizations handling highly confidential data in regulated sectors, where having complete authority over encryption keys is crucial to prevent unauthorized access. Both are effective options for enhancing your cloud data security, but they serve different purposes. BYOK strikes a balance between control and convenience, while HYOK offers the highest level of security and privacy.
The best choice depends on your organization’s risk profile, technical capacity, and regulatory requirements. For most enterprises, BYOK is a strong step forward. For those with more extreme privacy needs, HYOK is often the only acceptable option. It’s essential to carefully evaluate your threat model, compliance obligations, and cloud architecture before making a decision.
BYOK and HYOK Solutions for Microsoft 365
archTIS NC Encrypt allows customers to maintain control of their encryption keys in Microsoft 365. Offering HYOK and BYOK capabilities, NC Encrypt ensures that customers retain complete control over their data and encryption keys in M365. An optional integration with Thales CipherTrust Manager enables customers to leverage existing HSM and VSM keys with archTIS dynamic encryption policies in M365.