You can enable the security benefits of Bring Your Own Key (BYOK) by importing your own root of trust encryption keys, called Customer Root Keys (CRKs), into the service. With the Key Protect API, you can use a CRK to wrap (encrypt) and unwrap (decrypt) the keys that are associated with your data resources, so you control the security of your encrypted data in the cloud.

You can generate, store, and manage your keys with a secure, application-friendly, cloud-based key management solution for encryption keys.

Keys are wrapped by keys that are, in turn, protected by a cloud-based HSM. The HSMs are at FIPS-140-2 Level 2. When keys are deleted, they can never be recovered, and any data that is encrypted under those keys can't be recovered. All programmatic interfaces are secured by TLS and mutual authentication.

Whether you are a developer who requires only a few keys or a large enterprise that needs millions, Key Protect can scale to your needs.

When you write applications, Key Protect's standard programmatic APIs generate, store, retrieve, and manage your keys, independent of your application's logic. For example, you can create applications that encrypt data in custom databases, or use encrypted block storage in an application-specific format.