Encryption key management software is used to handle the administration, distribution, and storage of encryption keys. Proper management ensures that encryption keys, and therefore the ability to encrypt and decrypt the sensitive information they protect, are accessible only to approved parties. IT and security professionals use these solutions to ensure access to sensitive data remains secure.
Encryption key management software also provides tools to protect the keys in storage and backup functionality to prevent data loss. Additionally, encryption key management software includes functionality to securely distribute keys to approved parties and enforce key sharing policies.
Some general-purpose encryption software provides key management capabilities, but such solutions offer only limited features for key management, distribution, and policy enforcement.
To qualify for inclusion in the Encryption Key Management category, a product must:
- Provide compliance management capabilities for encryption keys
- Include key storage and backup functionality
- Enforce security policies related to key storage and distribution
A software-based key management approach can be used instead of an HSM-based SaaS approach or a cloud KMS approach. Secrets management tools are likewise an efficient way to manage secrets, passphrases, and similar material.
Software-based key management is suitable for organizations that do not use advanced hardware for key management on-premises but want to ensure their cloud providers do not own, and cannot be compelled to turn over, the keys that decrypt their data.
- Run the organization’s key management application in the cloud.
- Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider
- Can perform all core functions of an HSM: key generation, key storage, key rotation, and API interfaces to orchestrate encryption in the cloud
- Need to handle failover and replication yourself
- Not compliant with regulatory requirements that specify FIPS-certified hardware
- The approach is only suitable for IaaS, as you need to install and configure your own servers to perform key management
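As an added illustration of the core functions listed above (this is example code, not code from the page or from any product it describes), here is a hypothetical in-process key manager in Go: it generates data keys, wraps them under a versioned master key with AES-GCM, and rotates the master while retaining earlier versions so keys wrapped before a rotation still unwrap. All type and function names are assumptions; failover and replication, which the list says you must handle yourself, are out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// WrappedKey is what the key store persists: a data key (DEK) encrypted
// under one master-key version, plus the GCM nonce needed to unwrap it.
type WrappedKey struct {
	MasterVersion     int
	Nonce, Ciphertext []byte
}

// KMS is a hypothetical in-process key manager. Every master-key version is
// retained so keys wrapped before a rotation stay decryptable afterwards.
type KMS struct{ masters [][]byte } // index == master-key version

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to limp past
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}

// RotateMaster installs a fresh 256-bit master key and returns its version;
// new wraps use it, while older versions remain only for unwrapping.
func (k *KMS) RotateMaster() int {
	k.masters = append(k.masters, random(32))
	return len(k.masters) - 1
}

// GenerateDataKey returns a plaintext DEK for the caller to encrypt with and
// its wrapped form for storage. The master version is bound as associated
// data, so a wrapped blob cannot be presented against a different version.
func (k *KMS) GenerateDataKey() ([]byte, WrappedKey) {
	dek, v := random(32), len(k.masters)-1
	nonce := random(12)
	ct := gcmFor(k.masters[v]).Seal(nil, nonce, dek, []byte{byte(v)})
	return dek, WrappedKey{v, nonce, ct}
}

// UnwrapDataKey recovers a DEK using the master version it was wrapped under.
func (k *KMS) UnwrapDataKey(w WrappedKey) ([]byte, error) {
	if w.MasterVersion < 0 || w.MasterVersion >= len(k.masters) {
		return nil, errors.New("unknown master key version")
	}
	g := gcmFor(k.masters[w.MasterVersion])
	return g.Open(nil, w.Nonce, w.Ciphertext, []byte{byte(w.MasterVersion)})
}
```

Retaining old master versions is what makes rotation safe: callers re-wrap stored data keys under the latest version at their own pace, and a blob that claims the wrong version fails authentication rather than decrypting to garbage.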