Bring Your Own Key (BYOK)

BYOK empowers businesses to protect their data by placing encryption keys firmly in their control.

It provides peace of mind and assurance that no matter where data resides, it is secure and managed according to their terms.

What is Bring Your Own Key (BYOK)?

Bring Your Own Key (BYOK) is a security framework that allows organizations to generate, control, and manage their own encryption keys, even when using third-party services such as cloud platforms or Software-as-a-Service (SaaS) solutions. This approach ensures that sensitive data stored or processed in external environments remains secure and under the organization's control, not the service provider's.

In a BYOK model, the organization retains ownership and authority over the encryption keys, deciding when and how they are used. The keys are typically created in secure environments, such as hardware security modules (HSMs), and are then securely transferred to the third-party service while ensuring compliance with industry regulations and internal policies. Engage Black offers BlackVault HSMs to support BYOK.
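The key transfer described in this paragraph, as an added illustration that is not Engage Black's code and is not taken from any of the integration guides: the provider's HSM-held RSA key-encryption key (KEK) and the customer's HSM-generated AES key are both simulated in software with Go's standard library, and the RSA-OAEP wrapping used here is a stand-in; the wrapping algorithm, KEK size and blob format each CSP actually accepts are provider-specific and come from the guides.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewProviderKEK models the provider's HSM generating its RSA key-encryption key (KEK).
// Only the public half is ever handed to the customer. Constructed stand-in, not a CSP API.
func NewProviderKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// GenerateCustomerKey models the customer's own HSM producing a 256-bit AES key.
func GenerateCustomerKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapForImport (customer side): encrypt the AES key to the provider's public KEK with
// RSA-OAEP/SHA-256, so only the provider's HSM can recover it while in transit.
func WrapForImport(kek *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, aesKey, nil)
}

// UnwrapImported (provider side, inside its HSM): a corrupted or substituted blob fails
// the OAEP integrity check rather than yielding a wrong key.
func UnwrapImported(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, kek, wrapped, nil)
}

// Fingerprint lets the customer confirm the imported key matches the one it generated
// without the plaintext key ever travelling back.
func Fingerprint(key []byte) string { return fmt.Sprintf("%x", sha256.Sum256(key)) }

func main() {
	kek, err := NewProviderKEK()
	if err != nil {
		panic(err)
	}
	key, _ := GenerateCustomerKey() // rand.Read failures are not expected on a healthy system
	wrapped, _ := WrapForImport(&kek.PublicKey, key)
	imported, err := UnwrapImported(kek, wrapped)
	fmt.Println("imported key matches:", err == nil && Fingerprint(key) == Fingerprint(imported))
}
```

In a real deployment the wrapped blob is what crosses the provider's import API; comparing fingerprints afterwards is how the customer verifies the provider holds exactly the key it generated.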

Cloud Service Providers supporting BYOK

Leading CSPs including Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure, and Salesforce all support BYOK. See the Engage Black integration guides below:



BlackVault HSM BYOK Integrations

Integration Guides

Microsoft Azure Key Vault BYOK Integration Guide

Google Cloud Key Management (Google KMS) and Google Compute Engine BYOK Integration Guide

Amazon Web Services (AWS) BYOK Integration Guide


Advantages of Bring Your Own Key (BYOK)

1. Full Control Over Encryption Keys

With BYOK, organizations retain complete ownership and management of their encryption keys. This ensures no third-party service provider can access or misuse the keys without explicit authorization.

2. Enhanced Security

Encryption keys are often generated and stored in tamper-resistant environments like HSMs. This protects them from unauthorized access, theft, or cyberattacks.

3. Data Sovereignty and Privacy Compliance

BYOK helps organizations comply with data privacy regulations such as GDPR, HIPAA, CCPA, and NIST SP 800-171 by allowing them to maintain jurisdiction over their encryption keys and data.

4. Cloud and SaaS Flexibility

BYOK ensures that even when data is hosted in a third-party cloud environment, organizations maintain control over the encryption process. This allows for secure data sharing and processing in the cloud without compromising ownership.

5. Key Revocation and Lifecycle Management

Organizations can revoke or rotate keys as needed, providing flexibility and control over their data's lifecycle in case of a security breach or policy change.

6. Protection Against Insider Threats

BYOK minimizes the risk of insider threats at service providers by ensuring encryption keys are never fully exposed to their infrastructure.

Common Use Cases of BYOK

Regulated Industries

Financial services, healthcare, and government agencies often adopt BYOK to meet compliance standards like GDPR, HIPAA, or FIPS.

Intellectual Property Protection

Businesses dealing with sensitive intellectual property use BYOK to protect trade secrets from unauthorized access.

Hybrid and Multi-Cloud Environments

Organizations operating in multiple cloud ecosystems or a mix of on-premises and cloud environments use BYOK for consistent encryption practices.

Legal and Professional Services

Encrypt client case files and correspondence.

How Engage Black Supports BYOK

Tamper-Resistant Security

Protects keys with hardware-based authentication and tamper-resistant design.

Compliance Enablement

Meets strict security standards like FIPS 140-2 Level 3 and NIST SP 800-171.

Cloud Compatibility

Facilitates secure key export to major cloud platforms while maintaining control.

Operational Efficiency

Simplifies key lifecycle management, including generation, rotation, and revocation.

BlackVault Hardware Security Platform

 

  • Maintain FIPS 140-2 Level 3 security and have a full range of applications and capabilities

  • Perform Key Management, Cryptography, and Certificate Creation

  • Utilize AES, RSA, EC, and DSA key types.

  • Sign using various hashes including but not limited to SHA256, SHA384, and SHA512.

  • Easily integrates into a variety of applications, supporting numerous crypto APIs including PKCS#11, Java (JCE) and Microsoft CAPI / CNG, across a variety of operating systems. 
BlackVault HSM (TouchScreen)

General Purpose FIPS 140-2 Level 3 Hardware Security Module

  • Networked and off-line operation with ethernet and USB ports
  • Integrated touchscreen display
  • Security, compliance, and ease of use paramount
  • Tamper reactive silicon die shield
  • Embeddable form factor
  • Fully redundant capabilities

DIMENSIONS

4"(L) x 6"(W) x 1"(H)

BlackVault HSM.TAC

Tactically deployable model that allows a fully secure, turnkey solution while avoiding the size, weight, and power consumption of traditional HSMs.

  • Rugged
  • Small Form Factor 
  • Extended Temperature Range
  • Wide array of tactical infrastructure use cases

DIMENSIONS

4"(L) x 6"(W) x 1"(H)

BlackVault HSM.RAS

Affordable commercial-grade model with an integrated smart card reader and an extruded aluminum case for secure mounting.

  • Compact form factor
  • Smart card reader
  • Tamper reactive silicon die shield 
  • Long battery life

DIMENSIONS

4"(L) x 6"(W) x 1"(H)

BlackVault Accessories


Security Lock Cable


Rack Mounted Locking Drawer


Integration Guides


Red Hat Certificate System Integration Guide

Microsoft Certificate Authority Integration Guide

ISC's CertAgent Certificate Authority Integration Guide


EJBCA Integration Guide

Java Jar Integration Guide

Watchguard Integration Guide


Authenticode Integration Guide

Android Dev Studio Integration Guide

Eclipse Integration Guide


BlackVault HSM Overview

 

The BlackVault Hardware Security Module (HSM) is a network attached general purpose FIPS 140-2 Level 3 HSM with unique functionality making authentication, security, compliance, and ease of use paramount.

Public Key Cryptography for generating and protecting public and private keys.

 

Powerful Features
Its powerful features include a compact form factor, smart card reader, integrated touch screen color display, tamper reactive silicon die shield, long battery life, networked and off-line operation with Ethernet and USB ports, and much more.

 

BV Tool
BV Tool is a powerful, easy-to-use PKCS#11 CLI tool that ships with every BlackVault HSM, performs many different cryptographic operations, and runs on Windows, Linux, and macOS, both physical and virtualized. Some of its functions are:

Key Management

• Create Keys

• Delete Keys

• Key Import/Export (Wrap/Unwrap)

 

Create Certificates

• CSRs

• Certificates

• Self-Signed Certificates

 

As well as...

• Sign/Verify Files

• Encrypt/Decrypt Files

 

Able to utilize AES, RSA, EC, and DSA key types. Sign using various hashes including but not limited to SHA256, SHA384, and SHA512.

 

Easy to Integrate

BlackVault easily integrates into a variety of applications, supporting numerous crypto APIs including PKCS#11, Java (JCE) and Microsoft CAPI / CNG, across a variety of operating systems.

An SDK comes with the purchase of an HSM and is designed to help you integrate your application with the BlackVault through its PKCS#11 interface.

- Includes example code in Python and C++

Simple, easy-to-use integration guides with step-by-step walkthroughs get you up and running with a variety of applications, including:

• Authenticode

• Eclipse

• Android Dev Studio

• Java

• Microsoft Active Directory Certificate Services 

 

Portable / Embeddable Form Factor
Its compact “hard drive” form-factor and redundant, battery-backed, solid state key storage allow BlackVault to be moved to a secure room or safe without loss or compromise of root keys or other cryptographic material. Its small form factor with USB connection and power also supports mounting BlackVault within application servers and other compact environments.

 

Trusted Path Authentication
The intuitive touch screen display with randomized keypad provides a certified trusted path for configuration, PIN entry, and backup operations. This eliminates the risk of compromise from intermediary software or devices.

In addition, the integrated smart card reader facilitates two-factor authentication and advanced "M of N" quorum approval. This ensures that no single individual can authorize administrative or operational actions.

 

Real Time Audits

Constantly updated configuration and operation information provide Security Administrators with the data to discover anomalous activity or failure of critical functions. Audit information can be sent to a trusted entity and is protected to prevent unauthorized access, modification, or deletion.

 

Military Grade Tamper Reactive
BlackVault's cryptographic boundary lies within the silicon of its secure CPU. This silicon die shield has dynamic fault detection with real-time environmental and tamper detection circuitry. It also avoids inadvertent tamper, making the BlackVault safe to transport. When a tamper event is detected, the cryptographic keys are zeroized (deleted).

 

Ideal for Many Applications

The BlackVault is an independently certified, standards-based, network-attached HSM (Hardware Security Module) that performs key management and cryptographic operations for enterprises, certificate authorities, government, and a growing list of organizations requiring strong security for PKI, digital certificates, code signing, document signing, cryptographic key storage, data encryption, key generation, and regulatory compliance in cloud-companion, networked, and off-line (air-gap) operations.


9565 Soquel Drive Dr,
Aptos, CA 95003
 
Telephone: +1-831-688-1021
Toll Free : +1-877-ENGAGE4
Designed, Fabricated, and Assembled in America
Supported Worldwide