Bring and Hold Your Own Key

Strivacity fully supports both Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) security models. BYOK and HYOK are key management models that are used in data security, particularly in SaaS products like Strivacity to give organizations greater control over their encryption keys and, by extension, their data.

Strivacity uses the AWS Key Management Service (KMS) to encrypt customer data in its AWS infrastructure, and through this process allows you, the customer, to supply and hold your own encryption keys for enhanced control over the data that Strivacity stores.

What is Bring Your Own Key (BYOK)?

BYOK is a specific security model where an organization generates, manages, and supplies its encryption keys to Strivacity. You, as the organization, retain control of the keys while we, Strivacity, manage the encryption and decryption processes as part of the service.

Advantages:

  • Greater control over data encryption keys.
  • Compliance with regulatory requirements that mandate key ownership.
  • Flexibility in terms of migrating data between cloud providers or on-premises environments.

Risks:

  • Strivacity still has some access to the keys (stored using our Key Management Service), which may pose risks in certain industries requiring very stringent data security policies.

What is Hold Your Own Key (HYOK)?

HYOK takes the key management a step further by allowing you to maintain full control over both the keys and the encryption/decryption process. In this model, you keep the encryption keys in your own Key Management Service, and Strivacity never sees or stores your keys.

Advantages:

  • Maximum control and security over encryption keys since the keys never leave the organization’s control.
  • Useful in highly regulated industries with strict compliance requirements.
  • Provides enhanced protection against any threats or external attacks targeting Strivacity.

Risks:

  • More complex to implement and manage since the organization is responsible for the entire encryption process.
  • If the encryption keys are lost or compromised by your organization, you could permanently lose access to the data that is held with Strivacity.

Setting up Strivacity to use your own keys

❗️

Support for BYOK and HYOK has to be designated prior to the provisioning of the Strivacity instance. Please contact your Customer Success representative prior to provisioning in order to complete this process.

Use the following steps to get started:

  1. Creating a KMS Key in the Customer's AWS Account

The first step is to generate a KMS key within your own AWS account (referred to as the "Customer" AWS account). Upon completion of this process, the key will later be shared with Strivacity to enable cross-account usage.

Steps for creating the KMS key:

  • In the AWS Management Console, navigate to KMS and create a new key
  • When configuring the key, ensure that you assign a meaningful name to identify it for future reference

  2. Configuring Cross-Account Access

Once the key has been created, you need to enable Strivacity to use it from your Key Management Service. To do this, you must grant specific permissions to Strivacity’s AWS account.

Steps for granting Strivacity access to the KMS key:

  • During the key creation process, under the Other AWS Accounts section, specify Strivacity's AWS account ID as an authorized account

📘

Please contact Strivacity Support or your Customer Success representative in order to obtain the Strivacity AWS account ID.

  • This allows Strivacity to use the KMS key for encrypting data for your Strivacity instance

  3. Sharing the Key ARN with Strivacity

Once the key is configured and ready, you will need to share the Amazon Resource Name (ARN) of the newly created KMS key with Strivacity. The ARN uniquely identifies the key and enables Strivacity to reference it for encryption operations.

Example ARN format:

arn:aws:kms:<region>:<account-id>:key/<key-id>

  4. Data Encryption in Strivacity's AWS Environment

After receiving the ARN, Strivacity uses the KMS key to provision the instance and encrypt all of your data. This allows Strivacity to manage and process the encrypted data, while you, the customer, retain ownership and control over the encryption keys.
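As an added example (not Strivacity's own code or tooling), the following script shows what the console's "Other AWS Accounts" choice produces and how to review it before sharing the ARN: it builds a key policy that gives the external account key use but not key administration, reports anything a policy grants that account beyond that, and parses the key ARN format shown above. The account IDs are constructed placeholders, and the statement shapes are assumed to match the console's default cross-account statements.

```python
import re

# Constructed placeholder account IDs; the real Strivacity account ID comes from
# Strivacity Support or your Customer Success representative.
CUSTOMER_ACCOUNT_ID = "111111111111"
STRIVACITY_ACCOUNT_ID = "222222222222"

# Cryptographic use and grant actions, modelled on the statements the KMS console
# adds for "Other AWS accounts" (assumed to match the console's defaults).
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(customer_account_id, external_account_id):
    """Key policy: administration stays with the customer account, the external
    (Strivacity) account gets key use only."""
    def root(acct):
        return {"AWS": f"arn:aws:iam::{acct}:root"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": root(customer_account_id), "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": root(external_account_id), "Action": KEY_USE_ACTIONS,
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": root(external_account_id), "Action": GRANT_ACTIONS,
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}


def excess_external_actions(policy, external_account_id):
    """Actions the policy allows the external account beyond key use. An empty
    set means it cannot administer the key (change its policy, schedule deletion)."""
    principal = f"arn:aws:iam::{external_account_id}:root"
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and stmt["Principal"].get("AWS") == principal:
            actions = stmt["Action"]
            granted |= {actions} if isinstance(actions, str) else set(actions)
    return granted - set(KEY_USE_ACTIONS) - set(GRANT_ACTIONS)


# Key ARN format from the page: region, 12-digit account ID, UUID key id.
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:([a-z]{2}(?:-gov)?-[a-z]+-\d):(\d{12}):key/([0-9a-f-]{36})$")


def parse_key_arn(arn):
    """Split a KMS key ARN into its parts; None if the string is not a key ARN."""
    m = KEY_ARN_RE.match(arn)
    return None if m is None else dict(zip(("region", "account_id", "key_id"), m.groups()))
```

Run excess_external_actions against the key policy actually attached to your key before sharing the ARN; any action it returns is one the external account would hold beyond encrypt/decrypt use.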