Tuesday, July 20, 2021

Cloud Security: BYOK vs. KYOK explained

Keep and bring your own key
When talking about cloud security and key management systems (KMS) for data encryption, we often hear the terms BYOK and KYOK. But what do they mean and what is the difference? Let me try to explain in this quick write-up. BYOK stands for "bring your own key" and refers to the ability to import an existing - your own - encryption root key into a (cloud-based) key management system.

Imprint the HSM

Typically, the KMSs are backed by hardware security modules (HSM), special tamper-proof hardware for performing cryptographic operations. Before a HSM can be utilized, it needs to be initalized, the crypto unit imprinted, the master key loaded and the so-called root of trust established.

Dedicated vs. shared crypto unit

For cost reasons and to provide a simpler self-service approach, most of the cloud-based offerings are multi-tenant KMS. That means, the cloud provider has already imprinted the HSM and therefore owns the root of trust. Thus, as a user you can bring your own key, but you kind of hand it over to the cloud provider who manages the KMS.

To really keep your own key (KYOK), you need to control the KMS and initialize it. This can only be done when utilizing a dedicated HSM like, e.g., IBM Cloud Hyper Protect Crypto Services. After provisioning the service, you or the crypto administrators have to perform the setup steps. As consequence, you own the root of trust and, when importing your existing keys, can keep your own keys.


The difference between just bringing your own key (BYOK) to owning your own key (KYOK) is about the operating model of the key management system and its hardware security module. Is it a shared or dedicated service. IBM Cloud offers Key Protect with shared (BYOK) and Hyper Protect Crypto Services with dedicated (KYOK) infrastructure.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.