A financial services company is migrating sensitive customer data to the cloud. They require that encryption keys be generated and stored on-premises in their own hardware security module (HSM), with the cloud provider never having access to the plaintext keys. Which key management model should they implement?
- A. Customer-managed encryption keys (CMEK)
  Why wrong: CMEK keys are created and managed by the customer, but they are generated and stored in the cloud provider's KMS, so the key material never stays on-premises.
- B. Bring your own key (BYOK)
  Why wrong: BYOK lets the customer generate keys on-premises and import them into the cloud KMS, but once imported the cloud provider holds the key material.
- C. Cloud provider default encryption (SSE-S3)
  Why wrong: The cloud provider generates and manages the keys entirely, which does not meet the requirement of keeping keys on-premises.
- D. Hold your own key (HYOK)
  Why correct: HYOK keeps the keys on-premises in the customer's own HSM, so the cloud provider never has access to the plaintext keys.