Upload Key

Upload Key

Overview


Bring Your Own Key (BYOK) is a feature that allows you to use your own key encryption key(KEK) instead of Zoho's KEK. You can add a key either from an External Key Manager (EKM) of your choice or upload an encrypted key manually.

If you choose to upload a key, the process is as follows:

  1. In accordance with our standard practice, data will be encrypted using a DEK managed by us and stored in our KMS. The DEK will further be encrypted using our KEK, which will be stored on a separate server.

  2. To upload your KEK, you will be required to extract the public key from a certificate we provide, which you will then use to encrypt and hash your key.

  3. Upload the encrypted KEK and hashed KEK in Zoho One.

  4. We will decrypt the DEK using our KEK to obtain plain DEK.

  5. This plain DEK will now be encrypted using the KEK provided by you.

You can configure a key for each application individually, group two or more applications, or configure a single key for all the applications in your organization.

The steps to upload key vary between the two User Interface versions supported in Zoho One. Select the UI version you use from the tabs below and proceed with the steps that follow.

Spaces UI
Unified UI
Spaces UI

To upload key,

1. Add a BYOK Certificate:

  1. Sign in to Zoho One , then click Directory on the top-right corner.

  2. Click Security.

  3. Click BYOK, then click Manage certificates in the top-right corner.

  4. Click Add certificates, provide a unique name for your certificate, and click Add. Hover over the added certificate and click the download icon.

Notes
Note: You can only add a maximum of two certificates.

 

2. To generate encrypted KEK:

Prerequisites:

  • "bcprov-jdk18on" jar with version greater than or equal to 1.78.1

 

Use the following Java code snippet to extract the public key from the downloaded certificate file and encrypt the key:

Click here to view the complete code snippet

/**
 * @param fileName
 *            - Downloaded FileName
 * @param plainKeyBytes
 *            - Generated Key Bytes
 * @return - Encrypted Key
 * @throws Exception
 */
	public static String encryptKeyWithPublicKey(String fileName, byte[] plainKeyBytes) throws Exception {

		PemReader reader = new PemReader(new FileReader(new File(fileName)));
		PemObject pemObject = reader.readPemObject();
		byte[] content = pemObject.getContent();
		reader.close();
		InputStream fin = new ByteArrayInputStream(content);
		CertificateFactory f = CertificateFactory.getInstance("X.509");
		X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
		PublicKey pk = certificate.getPublicKey();
		byte[] publicKeyBytes = pk.getEncoded();
		X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
		KeyFactory keyFactory = KeyFactory.getInstance("RSA");
		PublicKey publicKey = keyFactory.generatePublic(keySpec);
		Cipher encryptCipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
		OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), PSource.PSpecified.DEFAULT);
		encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParams);
		byte[] encryptedBytes = encryptCipher.doFinal(plainKeyBytes);
		return Base64.getEncoder().encodeToString(encryptedBytes);

	}

 

3. To generate hashed KEK:

Generate AES key hash value   using the below code snippet:

public static String getHashValue(byte[] plainKeyBytes) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    byte[] hashed = digest.digest(plainKeyBytes);
    return Base64.getEncoder().encodeToString(hashed);
}

 

4. To upload key:

  1. Sign in to Zoho One , then click Directory in the left menu.

  2. Click Admin Panel, then click Security.

  3. Click BYOK, then click Setup.


Notes
Click + Add key on the right if you already have a key added.


  1. In the Add key screen, enter the Key name, select applications, enable availability key if you want it to be used for data recovery in case of unavailability of the configured key, and choose your key type as Upload key.

Notes

Only one key can be applied to an app, and apps already assigned will not be listed under Available applications.


  1. Under Key details, select any one of the available certificates for which you have already generated Encrypted KEK and Hashed KEK.

Note: You can add a certificate by clicking the + icon next to the Available certificates and generate encrypted KEK and hashed KEK using the above mentioned Java code snippets.

  1. Browse and upload the hashed KEK as a .txt file.

  2. Browse and upload the encrypted KEK as a .txt file.

  3. Click Add.



Unified UI

To upload key,

1. Add a BYOK Certificate:

  1. Sign in to Zoho One , then click Directory in the left menu.

  2. Click Security.

  3. Click BYOK, then click Manage certificates in the top-right corner.

  4. Click Add certificates, provide a unique name for your certificate, and click Add. Hover over the added certificate and click the download icon.

Notes
Note: You can only add a maximum of two certificates.

 

2. To generate encrypted KEK:

Prerequisites:

  • "bcprov-jdk18on" jar with version greater than or equal to 1.78.1

 

Use the following Java code snippet to extract the public key from the downloaded certificate file and encrypt the key:

Click here to view the complete code snippet

/**
 * @param fileName
 *            - Downloaded FileName
 * @param plainKeyBytes
 *            - Generated Key Bytes
 * @return - Encrypted Key
 * @throws Exception
 */
	public static String encryptKeyWithPublicKey(String fileName, byte[] plainKeyBytes) throws Exception {

		PemReader reader = new PemReader(new FileReader(new File(fileName)));
		PemObject pemObject = reader.readPemObject();
		byte[] content = pemObject.getContent();
		reader.close();
		InputStream fin = new ByteArrayInputStream(content);
		CertificateFactory f = CertificateFactory.getInstance("X.509");
		X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
		PublicKey pk = certificate.getPublicKey();
		byte[] publicKeyBytes = pk.getEncoded();
		X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
		KeyFactory keyFactory = KeyFactory.getInstance("RSA");
		PublicKey publicKey = keyFactory.generatePublic(keySpec);
		Cipher encryptCipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
		OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), PSource.PSpecified.DEFAULT);
		encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParams);
		byte[] encryptedBytes = encryptCipher.doFinal(plainKeyBytes);
		return Base64.getEncoder().encodeToString(encryptedBytes);

	}

 

3. To generate hashed KEK:

Generate AES key hash value   using the below code snippet:

public static String getHashValue(byte[] plainKeyBytes) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    byte[] hashed = digest.digest(plainKeyBytes);
    return Base64.getEncoder().encodeToString(hashed);
}

 

4. To upload key:

  1. Sign in to Zoho One then click Directory in the left menu.

  2. Click Admin Panel, then click Security.

  3. Click BYOK, then click Setup.

Click + Add key on the right if you already have a key added.


  1. In the Add key screen, enter the Key name, select applications, enable availability key if you want it to be used for data recovery in case of unavailability of the configured key, and choose your key type as Upload key.

Only one key can be applied to an app, and apps already assigned will not be listed under Available applications.


  1. Under Key details, select any one of the available certificates for which you have already generated Encrypted KEK and Hashed KEK.

Note: You can add a certificate by clicking the + icon next to the Available certificates and generate encrypted KEK and hashed KEK using the above mentioned Java code snippets.

  1. Browse and upload the hashed KEK as a .txt file.

  2. Browse and upload the encrypted KEK as a .txt file.

  3. Click Add.