Add key from an External Key Manager
Overview
Bring Your Own Key (BYOK) is a feature that allows you to use your own key encryption key(KEK) instead of Zoho's KEK. You can add a key either from an External Key Manager (EKM) of your choice or upload an encrypted key manually.
If you choose to provide access to your own KEK from an External key manager, it will be used to encrypt or decrypt the DEKs we provide. This ensures that the data security rests in your control, thus enhancing the security of your organization.
The process is as follows:
After you configure your key in Zoho One, we will send a request to your EKM to have our DEKs encrypted.
The encrypted DEK returned from the EKM will be stored in our in-house KMS.
To decrypt the encrypted DEK, we will send a decrypt request to your EKM using the stored ciphered text and receive plain DEK.
The plain DEK will be cached only for the duration allowed by you, after which we will send encrypt/decrypt requests to EKM again, repeating the entire process.
Sign in to Zoho One
, then click Directory icon on the top-right corner.
Click Security.
- Click BYOK, then click Setup.Note: Click Add key on the right if you already have a key added.
In the Add key screen, enter the Key name, select applications, enable availability key if you want it to be used for data recovery in case of unavailability of the configured key, and choose your key type as External key manager.
Only one key can
be applied to an app.
Under Key details, provide the necessary details about your key provider.
If you select your Key provider as AWS,
enter the Client ID, Client secret, key ID, and Domain.
If you select your Key provider as Google KMS,
enter the Key ring, Key name, Key version, and Location, upload the Service account key in JSON format, and toggle on Raw encrypt.
If you select your Key provider as Thales CTM,
enter the User name, Password, Key ID, and Domain.
If you select your Key provider as Fortanix DSM,
enter the API key, Key ID, and Domain.
If you select your Key provider as HSM, enter the Key name, CKU user password, and HSM label.
If you select your Key provider as Azure, enter the Client ID, Client secret, OAuth 2.O token endpoint (v2), Key identifier URL.
If you select your Key provider as Futurex, enter the API key, Key ID, and Domain.
Select the required cache duration from the drop-down list.
Click Check Key to validate the entered key credentials.
Click Add.
Sign in to Zoho One
, then click Directory in the left menu.
Click Security.
Click BYOK, then click Setup.
Note: Click Add key on the right if you already have a key added.
In the Add key screen, enter the Key name, select applications, enable availability key if you want it to be used for data recovery in case of unavailability of the configured key, and choose your key type as External key manager.
Under Key details, provide the necessary details about your key provider.
- If you select your Key provider as AWS,
enter the Client ID, Client secret, key ID, and Domain. - If you select your Key provider as Google KMS,
enter the Key ring, Key name, Key version, and Location, upload the Service account key in JSON format, and toggle on Raw encrypt. - If you select your Key provider as Thales CTM,
enter the User name, Password, Key ID, and Domain. - If you select your Key provider as Fortanix DSM,
enter the API key, Key ID, and Domain. - If you select your Key provider as HSM, enter the Key name, CKU user password, and HSM label.
- If you select your Key provider as Azure, enter the Client ID, Client secret, OAuth 2.O token endpoint (v2), Key identifier URL.
- If you select your Key provider as Futurex, enter the API key, Key ID, and Domain.
Select the required cache duration from the drop-down list.
Click Check Key to validate the entered key credentials.Click Add.