
Add key from an External Key Manager


Overview

Bring Your Own Key (BYOK) lets you use your own key encryption key (KEK) instead of Zoho's KEK. You can add a key either from an External Key Manager (EKM) of your choice or by uploading an encrypted key manually.

If you give Zoho Directory access to your own KEK in an External Key Manager, that KEK is used to encrypt and decrypt the data encryption keys (DEKs) that we generate. Because every wrap and unwrap of a DEK happens in your EKM, control over the data rests with you.
The process is as follows:

  1. After you configure your key in Zoho Directory, we send a request to your EKM to encrypt our DEK.

  2. The encrypted DEK returned by the EKM is stored in our in-house KMS.

  3. To decrypt it, we send the stored ciphertext to your EKM in a decrypt request and receive the plaintext DEK.

  4. The plaintext DEK is cached only for the duration you allow. After that it is discarded, and the next operation repeats the decrypt request to your EKM (step 3).

Note: Encryption and decryption of data will stop working if the external key in your EKM is modified or becomes inaccessible. Disabling or deleting the key, or revoking the credentials that Zoho uses to reach your EKM, has the same effect, and because of the cache in step 4 the failure surfaces only once the cache duration has elapsed.
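The four-step flow above and the failure mode in the note, as an added example in Go that is not Zoho's code: a stand-in EKM is the only holder of the KEK and only wraps or unwraps DEKs, a stand-in KMS persists the wrapped DEK and caches the plaintext DEK for a configurable duration, and revoking the EKM key makes every operation fail once that cache expires. The type and function names (EKM, KMS, NewKMS, DEK, seal, open), the AES-256-GCM wrapping and the sample record are assumptions for illustration; the real key managers listed below expose their own APIs and wrapping algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// gcm builds AES-256-GCM for a 32-byte key; every key here is 32 bytes by construction.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal prepends a fresh random nonce to the ciphertext; open reverses it and fails on a wrong key or tampering.
func seal(key, pt []byte) ([]byte, error) {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return an error (Go 1.24+)
	return append(nonce, g.Seal(nil, nonce, pt, nil)...), nil
}

func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// EKM stands in for the customer's External Key Manager (hypothetical type): the only holder of the KEK; Revoked models a disabled or deleted key.
type EKM struct {
	KEK     []byte
	Revoked bool
}

func (e *EKM) Encrypt(dek []byte) ([]byte, error)     { return e.use(seal, dek) }
func (e *EKM) Decrypt(wrapped []byte) ([]byte, error) { return e.use(open, wrapped) }

func (e *EKM) use(op func(key, in []byte) ([]byte, error), in []byte) ([]byte, error) {
	if e.Revoked {
		return nil, errors.New("ekm: key modified or inaccessible")
	}
	return op(e.KEK, in)
}

// KMS stands in for the service-side key store (hypothetical type): it persists only the wrapped DEK.
type KMS struct {
	ekm        *EKM
	wrappedDEK []byte
	cached     []byte // plaintext DEK, valid until expires
	expires    time.Time
	ttl        time.Duration
	Now        func() time.Time // injectable clock
	EKMCalls   int              // decrypt requests that actually reached the EKM
}

func NewKMS(ekm *EKM, ttl time.Duration) (*KMS, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := ekm.Encrypt(dek) // step 1: the EKM encrypts our DEK
	if err != nil {
		return nil, err
	}
	// step 2: only the ciphertext is kept; the plaintext dek goes out of scope here
	return &KMS{ekm: ekm, wrappedDEK: wrapped, ttl: ttl, Now: time.Now}, nil
}

// DEK serves the cached plaintext DEK while the cache duration allows (step 4), otherwise sends the stored ciphertext back to the EKM (step 3).
func (k *KMS) DEK() ([]byte, error) {
	if k.cached != nil && k.Now().Before(k.expires) {
		return k.cached, nil
	}
	k.EKMCalls++
	dek, err := k.ekm.Decrypt(k.wrappedDEK)
	if err != nil {
		return nil, err // without the DEK no data can be encrypted or decrypted
	}
	k.cached, k.expires = dek, k.Now().Add(k.ttl)
	return dek, nil
}

func main() {
	ekm := &EKM{KEK: make([]byte, 32)}
	rand.Read(ekm.KEK) // the KEK exists only inside the EKM
	kms, _ := NewKMS(ekm, 10*time.Minute)
	dek, _ := kms.DEK() // first use: one EKM round trip; later calls inside the TTL hit the cache
	ct, _ := seal(dek, []byte("constructed sample record"))
	pt, err := open(dek, ct)
	fmt.Printf("%q %v ekm_calls=%d\n", pt, err, kms.EKMCalls)
	ekm.Revoked, kms.expires = true, time.Time{} // key disabled and cache duration elapsed
	_, err = kms.DEK()
	fmt.Println("after revoke:", err)
}
```

One point the steps imply but do not state: while the cache duration has not elapsed, a revoked or modified key goes unnoticed because the cached DEK keeps being served, so a shorter cache duration means faster enforcement of a revocation at the cost of more round trips to your EKM.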

Add key

  1. Sign in to Zoho Directory.

  2. Click Admin Panel, then click Security.

  3. Click BYOK, then click Setup.

    Note: If you already have a key added, click Add key on the right instead.

  4. In the Add key screen, enter the Key name, select the applications, and choose External key manager as the key type.

    Note: The key name cannot be edited if you've chosen all available apps. Only one key can be applied to an app, and apps already assigned to a key are not listed under Available applications.

  5. Under Key details, provide the details of your key provider:

  • If your Key provider is AWS, enter the Client ID, Client secret, Key ID, and Region.

  • If your Key provider is Google KMS, enter the Key ring, Key ring name, Key version, and Location, upload the Service account key in JSON format, and toggle on Raw encrypt.

  • If your Key provider is Thales CTM, enter the User name, Password, Key ID, and Domain.

  • If your Key provider is Fortanix DSM, enter the API key, Key ID, and Domain.

    Note: These credentials are what Zoho uses to send encrypt and decrypt requests to your EKM, so it is good practice to scope them to those operations on this key only.

  6. Select the required cache duration from the drop-down list.

  7. Click Add.

Note: When you configure BYOK for a specific app, that app is removed from the default key. It is added back to the default key if that BYOK key is deleted.

 

