Cloud and Cloud-Native Security (Part 2): Modern Cloud Key Management with BYOK

By Amit Kulkarni posted Sat December 26, 2020 10:07 PM


Aspera on Cloud can encrypt files at rest either by using a password set by client or a password configured on server. These methods ensure that both the data and key used to encrypt data remain encrypted at rest. Some organizations however, may want to retain more control over their data and encryption. In such cases, these businesses may not want a storage/service provider holding the key that could unlock their data. Additionally, organizations may require fine grained control of key material, ability to monitor key usage and control over the lifecycle of key.

The availability of modern, application-independent, REST API aware, highly available and scalable key management services like IBM Key Protect has enabled us to create modern security solutions in Aspera on Cloud that offer more control of key material to customers.

Bring your own key (BYOK) is a cloud computing security model which empowers customers to manage and use their own encryption keys. BYOK offers the freedom, flexibility and self-service that customers desire. It transfers the control of keys from object storage provider/transfer service provider to the customer. Using their own key management service (KMS) account, customers can now rely on hardware security modules (HSM) to generate and protect their master keys (eg. via IBM Key Protect).

Most importantly, BYOK allows customers to follow the "Segregation of Duties security principle" (concept of having more than one person/entity required to complete a task). Key management ideally should be separated from the storage provider. This provides the greatest protection against both an external breach of the service provider as well as an attack originating from a privileged user/employee of the provider.

Let's understand the fundamental underpinnings of this service in Aspera on Cloud.

Envelope Encryption

Let's say our organization requires us to encrypt every file with a unique data encryption key. We can request a cloud KMS to provide a secure high quality unique random key. The KMS will however charge us for every API request or key. Though this preliminary solution meets our needs, it is less than ideal to scale with growing number of files. "Envelope encryption" solves this problem with a single unique key that can encrypt thousands of other keys.

Envelope encryption

DEK: Data encryption key is the symmetric key used to encrypt/decrypt a file

Root key/master key: Key used to encrypt/decrypt data encryption keys

In the envelope encryption model, we can continue to generate and use a unique high quality key to encrypt every file. However, thousands of such keys can be encrypted by a single "root/master key" that never leaves the key management service. Instead of paying for several versions of thousands of keys, we can achieve our goal with a few root keys.


  1. Encrypt a file with a unique data encryption key (DEK)

  2. Wrap/Encrypt the DEK with a root key in IBM Key Protect (KMS) and store both the encrypted DEK and encrypted file together

  3. During decryption, encrypted DEK is sent to KMS. KMS unwraps/decrypts it to generate the original DEK that was used during encryption

  4. Decrypt the file using the unwrapped/decrypted DEK

BYOK in Aspera on Cloud follows the same "Envelope encryption" model and allows customers to bring their own root keys.
There are several advantages to this model:

  • Data is encrypted with a unique DEK

  • DEK is encrypted with a root key that lives separately in a KMS and never leaves the KMS

  • Encrypted data sits with encrypted key and hence the data is safe

  • Rotating a root key will require rewrapping just the DEK and not the entire file

  • DEK need not be stored/maintained by anyone

  • Follows "Segregration of duties" principle - Data does not reside with the plaintext key

BYOK Fireside chat

[Q] Does Aspera on Cloud get a copy of my root/master key from IBM Key Protect to wrap the DEK?

[A] Your root/master key used to wrap/encrypt a DEK never leaves your IBM Key Protect.

[Q] How does IBM Key Protect store my root key?

[A] Your keys are secured in IBM Key Protect by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs). HSMs are tamper-resistant hardware devices that store and use cryptographic key material without exposing keys outside of a cryptographic boundary.

[Q] My organization wants to limit the data and DEKs protected by a single root key. Can I rotate root keys?

[A] Absolutely. You can either rotate the keys manually or set an automatic key rotation schedule in IBM Key Protect

[Q] Does IBM Key Protect meet my security and compliance requirements? What about GDPR?

[A] IBM Key Protect meets controls for global, industry, and regional compliance standards, including GDPR, HIPAA, and ISO 27001/27017/27018, and others. More information can be found here.

[Q] Which encryption algorithm is used for key operations in IBM Key Protect?

[A] IBM Key Protect service uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) for its key operations. (Encryption keys and algorithm)

[Q] What's my best strategy to temporarily restrict access to my cloud data?

[A] You can disable access to your data any time by disabling your root key. When you disable a root key, you suspend its encrypt and decrypt operations. Since the root key cannot decrypt any DEKs, data cannot be decrypted. You can restore access to data by enabling the disabled root key.

[Q] A follow-up to the above question. Since Aspera on Cloud can access my IBM Key Protect, can it enable/disable the root key?

[A] That would be counter productive! The answer is No. Aspera on Cloud has a service ID API key with a policy that requires "Reader" role access to your IBM Key Protect. This role does not have permissions to disable/enable root keys. More information of roles and their capabilities can be found here.

[Q] How is my DEK protected in Aspera on Cloud?

[A] DEK is securely discarded as soon as the encryption or decryption process is complete. Aspera on Cloud does not store the DEK.

[Q] What are the additional steps for Aspera on Cloud standard users to enable BYOK for their uploads/downloads?

[A] No additional steps are required for standard users. BYOK is a transparent background service that doesn't affect the workflow of a standard AoC end user.

[Q] How does Aspera on Cloud rewrap my existing DEKs if I rotate my root key in IBM Key Protect?

[A] After a rotation completes, a new key version becomes available for protecting DEKs. Retired root key versions moves to the Deactivated state, where they can only be used to unwrap older DEKs that aren't yet protected by the latest root key. When a file/package download is requested in Aspera on Cloud after a key rotation, the wrapped DEK is sent to IBM Key Protect for unwrapping. The service detects that the DEK is wrapped with a retired root key version. So, it uses the retired version of root key to unwrap the DEK, automatically reencrypts the DEK and returns a wrapped data encryption key (WDEK) that's based on the latest root key.

[Q] Can I monitor the root key usage?

[A] Yes. You can get detailed audit logs for all KMS operations using IBM Key Protect Activity Tracker events. The Activity Tracker service can be used to track how applications interact with IBM Key Protect (Wrap/Unwrap/Rewrap and more). For more information regarding the Activity Tracker service, see the getting started tutorial for IBM Cloud Activity Tracker with LogDNA.

[Q] If I create root keys using IBM Key Protect, how does that let me bring my own key?

[A] Some businesses want to fully control and strengthen their key management practices by generating strong keys from their on-premises hardware security module (HSM) instead of using a KMS to generate root keys. IBM Key Protect allows you to securely import your root key material into your Key Protect instance by using an import token.

[Q] I understand Aspera on Cloud supports IBM Key Protect as the KMS. Does that mean BYOK service can be used for IBM Cloud Object Storage only?

[A] Here's the good news! BYOK in Aspera on Cloud is a cloud agnostic solution! Once you create a KMS profile in Aspera on Cloud with a root key of your IBM Key Protect, it can be attached to ATS nodes in different clouds. For example: A KMS profile with a root key from your IBM Key Protect can protect your data stored in AWS S3 buckets. BYOK in Aspera on Cloud supports the the following storage types:

Have more questions?

What other questions do you have? Let me know in comments!

If you enjoyed this blog post, share it with a friend/colleague.


[1] Bring Your Own Key for Server-Side Encryption at Rest

[2] Protecting data with envelope encryption

[3] Bringing your encryption keys to the cloud