Click-and-Deploy Data Security
Conveniently deploy best-in-class encryption and key management services from the cloud — making security simpler, more cost effective, and easier to manage.
Learn More
As a convenience to their customers, Cloud Service Providers (CSPs) increasingly offer their vendor-specific encryption and key management services. As a necessity for our customers, we offer vendor-independent encryption and key management services. We collaborate and innovate with CSPs and our customers to increase efficiency and operational resiliency across vendors in the cloud and on premises.
We develop products for you, always focused on the fact that as Cloud consumers, you are responsible for the security of your data stored and used in vendor clouds. CipherTrust Cloud Key Management (CCKM) protects your time as well as your data with a single pane of glass view across regions for cloud native, BYOK and HYOK keys and one straightforward UI to manage all cloud Key Management Services.
Co-innovating with Cloud Providers
Use the power and agility of the AWS cloud but keep control of the keys for data sovereignty and legal reasons. Sever the link when needed.
You, as the customer, retain control over your data. In EKM, look at the endpoint and enable or disable the key. You are the ultimate arbiter of who has access to your data.
Take Control of Your Valuable Data Across Clouds
Separation of Duty:
Enforce separation of duty between your data and your cloud service provider (CSP) by securely storing encryption keys outside of the corresponding cloud.
Mitigate Risks:
Apply risk-appropriate key management controls and workload protection based on sensitivity of the data and compliance mandates.
Maximize Choice
Across Clouds:
Any combination of public clouds and private or on-prem data infrastructure.
Across Key Sources:
CipherTrust Manager (CM), Luna Network HSM, DSM, Native
Across Key Management Ownership Models:
BYOK, HYOK, Native
Increase Efficiency and Operational Resilience
Automate key lifecycle management across clouds and hybrid environments with processes and tools.
Processes include:
Key lifecycle management, Data protection
Tools include:
- Single user interface across clouds
- Common set of APIs across clouds
- Single pane of glass view into where your keys are stored
Supported public clouds and key management ownership models:
| Amazon Web Services (AWS) KMS | Native | BYOK | |
| AWS CloudHSM | Native | ||
| AWS XKS | HYOK | ||
| AWS China | Native | BYOK | |
| AWS GovCloud | Native | BYOK | HYOK |
| Google Cloud Platform CMEK | Native | BYOK | |
| Google Cloud Platform EKM | HYOK | ||
| Google Cloud Platform EKM UDE | HYOK-CC* | ||
| Google Workspace CSE | HYOK | ||
| Microsoft Azure Cloud | Native | BYOK | |
| Microsoft Azure China | Native | BYOK | |
| Microsoft Azure GovCloud | Native | BYOK | |
| Microsoft Azure Managed HSMs | Native | BYOK | |
| Microsoft 365 | BYOK | HYOK | |
| Oracle Cloud Infrastructure | Native | BYOK | HYOK |
| Salesforce.com | Native | BYOK | HYOK** |
| Salesforce GovCloud Plus | Native | BYOK | HYOK** |
| Salesforce Sandbox | Native | BYOK | HYOK** |
| SAP Data Custodian | Native | BYOK |
*HYOK-CC is HYOK for Confidential Computing
**Cache-only Key Service
Simplify Compliance
Digital Sovereignty has three pillars that give you control over your own digital destiny — your data, and the hardware and software you rely on.
Data Sovereignty: You maintain control over encryption and access to your data and comply with the data sovereignty laws by country. Easily demonstrate compliance with privacy regulations such as GDPR, SCHREMS II and PCI-DSS
Operational Sovereignty: Visibility and control over providers’ operations
Software Sovereignty: Run workloads without dependence on a provider’s software
Curious? Talk to a specialist about CipherTrust Cloud Key Management
Cipher Trust Cloud Key Management Frequently Asked Questions
What is cloud key management?
Encryption keys need to be managed whether the data is on premises or in a cloud. “Cloud keys” are encryption keys that enable organizations to secure data at rest with encryption across their cloud workloads without compromise to business functionality. Thales CipherTrust Cloud Key Manager (CCKM) adds controls that simplify and streamline the Cloud Administrator’s job so that organizations can efficiently meet compliance and best-practice requirements by generating, storing, managing and maintaining data encryption keys within a secure environment.
How does cloud key management affect me?
If your job is to administer cloud keys, and your network includes multiple clouds, you are responsible for learning the User Interface and vocabulary for each cloud and managing the different key management systems. You may also be responsible for pulling together a report that lists the expiration date of all the different Cloud Service Provider (CSP) Key Management Service (KMS) keys, being notified X days before the expiration event and rotating the keys before they expire.
If you use Cloud Native keys, you will need to learn and maintain knowledge of each corresponding KMS system. If you choose a centralized cloud key manager, such as CipherTrust Cloud Key Manager (CCKM), you only need to learn one straightforward User Interface (UI) that manages native, BYOK and HYOK keys with a single pane of glass view across regions.
If your job is to staff the cloud administrator role, and your network includes multiple clouds, you have the option of using a centralized cloud key manager and avoiding the need to hire specialists for each of the CSP KMS keys.
What is Key Management in cloud computing?
Cloud providers try to help customers secure their data, so they sometimes encrypt it, which requires encryption keys. Key management is the general idea of generating keys for encryption and keeping them safe. Key Management as a Service (KMaaS) allows companies to manage encryption keys more effectively through a cloud-based solution instead of running the service on physical, on-premises hardware. Some cloud providers enable customers to use their own keys, either using BYOK or HYOK.
What is Google Cloud Platform EKM or CMEK?
Google Cloud platform offers both BYOK, with customer-managed encryption keys, or CMEK, and HYOK, with external Key Management [Services] or EKM.
How does cloud KMS work?
Each cloud service provider (e.g., AWS, Azure, GCP) has their own key management service (KMS) as a convenience for their customers. A cloud service provider’s encryption and key management services are cloud-specific and require the cloud administrator to learn the vocabulary and quirks of each cloud vendor they are using.
A cloud vendor derives data encryption keys internally, from key material the KMS originated, or the cloud vendor can derive the key material from an external source -- BYOK or HYOK keys.
To achieve separation of duty, data sovereignty laws and regulatory requirements require the use of BYOK or HYOK keys in certain circumstances.
Using an external KMS enables you to choose a cloud-independent service that can increase efficiency for your cloud native keys. Using the right external KMS can also increase operational resiliency across vendors in the cloud and on premises, and provide BYOK and HYOK keys so that you remain in compliance with data sovereignty laws and regulatory requirements.
Recommended Resources
Gartner® Report: How to Improve Data Security With Cloud Key Management
This Gartner research assesses the current cloud key management options to help organizations make decisions that support data security, compliance, privacy strategy, and operational benefits.
CipherTrust Cloud Key Management
CipherTrust Cloud Key Management (CCKM) respects your choice to use native keys, while providing the opportunity to expand your key ownership models to include BYOK and HYOK. CCKM centralizes key management for Native, BYOK and HYOK cloud keys from a single browser window, across multiple clouds, regions, accounts, subscriptions, projects, applications, org ids and more.
Kuppingercole Leadership Compass Data Security Platforms 2025
Thales is named as the Overall Leader in the 2025 KuppingerCole Leadership Compass on Data Security Platforms report, receiving the highest ratings across product capabilities, innovation, and market presence.
CipherTrust Cloud Key Management for SAP Applications
As enterprise data and workloads continue to migrate to the cloud, the need to keep sensitive data secure continues to grow. In a recent IDC Data Threat Report study, 50% of all corporate data is stored in the cloud of which 48% of that data is considered sensitive.
CipherTrust Cloud Key Management Solutions for Amazon Web Services
Cloud Key Management solutions for AWS can accelerate the ability of organizations to safely migrate sensitive data between AWS and on-premises infrastructures.
Thales Security Solutions for Google Workspace
Cloud providers and enterprises are looking for stronger cloud security and compliance. Google Workspace now provides enhanced privacy and confidentiality options with Client-side encryption – a solution that enables enterprise customers to have full control over their encryption keys using the combination of SafeNet Trusted Access and CipherTrust Cloud Key Management.
CipherTrust Data Security Platform Key Management Solutions for Google
Thales collaborates with Google to accelerate safe migration of sensitive data between public cloud, hybrid and private IT infrastructures.
CipherTrust Cloud Key Management for SAP Applications in Google Cloud Platform
By adding CipherTrust Cloud Key Management, highly-regulated customers can externally root their encryption keys in a purpose-built hardware appliance, or generate their own encryption keys to be used by their SAP applications.
CipherTrust Cloud Key Management for SAP Applications in Microsoft Azure
With a significant footprint across the large enterprise community, SAP figures meaningfully in Azure migration discussions – both for the volume of customers that trust SAP applications and for the type of sensitive data they use.