Thales banner

Cloud Key Management

Encryption key lifecycle management for BYOK, HYOK and cloud native keys

Get in Touch

Streamline Cloud Key Management Services Across Multiple Clouds

Centralized Multicloud Key Management

The CipherTrust Cloud Key Manager for Multi-cloud Environments

Download the White Paper

For virtually every organization today, the adoption of multiple cloud services continues to expand. A growing number of organizations are aware of the Shared Responsibility Model for cloud security, with its definitive statement that across all cloud consumption models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), cloud consumers are responsible for the security of their data stored and used in the cloud. In every yearly edition of the Thales Data Threat Report, organizations say that encryption is the right way to protect data in the cloud.

Cloud Providers increasingly offer their own encryption services as a convenience to their customers. Meanwhile, the imperative for customer management of cloud provider encryption keys is growing as fast as cloud consumption. A growing number of cloud providers offer “Bring Your Own Key” (BYOK) services and Hold Your Own Key (HYOK). BYOK and HYOK enable customer-controlled cloud key management.

CipherTrust Cloud Key Manager from Thales combines support for cloud provider BYOK APIs with corresponding services supporting HYOK, cloud key management automation, and key usage logging and reporting, to provide cloud consumers with a cloud key management services that delivers strong controls over encryption key life cycles for data encrypted by cloud services.

CipherTrust Cloud Key Manager Diagram

CipherTrust Cloud Key Manager supports a growing list of IaaS, PaaS and SaaS providers. SaaS solutions include Microsoft Office365, and Salesforce Sandbox. as well as the SAP Data Custodian. Supported IaaS/PaaS solutions include Microsoft Azure, Microsoft Azure China National Cloud, Microsoft Azure Stack, IBM Cloud, Google Cloud Platform, and Amazon Web Services.

How are you navigating today's business data security changes?

2022 Thales Data Threat Report

2022 Thales Data Threat Report

Download the full global report and read about data security trends and changes in an era of hybrid work, ransomware and cloud transformation.

Get the Report

CipherTrust Cloud Key Manager Introduction Video

Curious? Talk to a specialist about CipherTrust Cloud Key Manager

SAP Partner

Explore our key management solutions
for SAP applications

Learn More
  • Cipher Trust Cloud Key Manager Benefits
  • Cipher Trust Cloud Key Manager Features

Enjoy Enhanced IT Efficiency

CipherTrust Cloud Key Manager centralizes encryption key management from multiple environments, presenting all supported clouds and even multiple cloud accounts in a single browser tab. Advanced cloud key management services and capabilities include automated key rotation, key expiration handling, and cloud key vault synchronization, together, dramatically reducing the time required for cloud key life cycle management. CipherTrust Cloud Key Manager goes well beyond support for BYOK and HYOK with full key lifecycle management of native cloud keys as well as keys generated by its key sources.

Gain Strong Key Control and Security

Bring and Hold Your Own Key (BYOK and HYOK) services enable customers to separate key management from provider-controlled encryption, offering a crucial layer of separation of duties and control. CipherTrust Cloud Key Manager delivers key generation, separation of duties, reporting, and key lifecycle management that help fulfill internal and industry data protection mandates, with optional FIPS 140-2-certified secure key sources.

Fulfill Best Practices

Separating encryption key control from data encryption and decryption operations delivers compliance, best security practices and control of your data. Gain operational insights on encryption key usage with dashboards, reports and logs provided by CipherTrust Cloud Key Manager.

Meet Organizational Needs with Flexible Deployment Options

CipherTrust Cloud Key Manager is available in multiple form factors to meet any organization’s needs. Both CipherTrust Cloud Key Manager and its key sources are available in all-software, cloud-friendly offerings and may be found in several cloud provider marketplaces for fast instantiation. Further, deployment and operation in any cloud prevent cloud provider access, and, keys can be managed in the cloud in which the solution is deployed as well as any other reachable, supported cloud.

Integrates With Your Automation Initiatives

In addition to its internal automation features which themselves provide crucial IT efficiency gains, operations for both CipherTrust Cloud Key Manager and its key sources may be fully implemented through RESTful API’s.

Comprehensive Key Management

BYOK: Deploy CipherTrust Cloud Key Manager with any number of keys already created at the cloud provider. Create cloud-native keys in the cloud console as needed. CipherTrust Cloud Key Manager will automatically synchronize, at intervals you can define, its key database with the provider’s. Key attributes such as expiration rules and usage options are all maintained. You can request creation of cloud-native keys, as well as upload BYOK-keys, from the CipherTrust Cloud Key Manager console. If cloud provider rotation rules for native keys are insufficient, you can rotate keys under the control of CipherTrust Cloud Key Manager.

HYOK: CipherTrust Cloud Key Manager supports many emerging HYOK offerings: Salesforce Cached Keys, Google Cloud External Key Management (EKM) and Google Workspace Client-side Encryption.  HYOK is provided by services that respond to encryption key requests from cloud providers.

CipherTrust Cloud Key Manager goes well beyond Cloud Bring Your Own Key: It is a comprehensive cloud key life cycle manager.

Key Life Cycle Automation

With the click of a button or an API request, keys are marked for automated key rotation. From then on, CipherTrust Cloud Key Manager performs key rotation automatically with comprehensive logging for IT efficiency and enhanced data security. Key rotation may be specified for keys without expiration dates, or specifically for keys to be rotated prior to their expiration dates. Multiple schedules per cloud are available.

Key Rotation is use-case-dependent.  Consult your cloud provider for information on whether you preferred data stores support key rotation.

Strong Encryption Key Security

BYOK and HYOK require secure key generation and storage.  CipherTrust Cloud Key Manager leverages the security of CipherTrust Manager, Thales Luna Network HSM or the Vormetric Data Security Manager to create keys. Secure storage is provided for clouds that deliver backup keys which can mitigate accidental key deletion in cloud consoles. You control full key metadata control during upload and for keys in use.

True Multi-Cloud Support

CipherTrust Cloud Key Manager supports:

  • Amazon Web Services (AWS)
  • AWS GovCloud
  • AWW China
  • Microsoft Azure
  • Azure Stack
  • Azure GovCloud
  • Azure China sovereign cloud
  • Google Cloud Platform
  • Google Workspace Client-side encryption
  • Salesforce Sandbox
  • SAP Data Custodian
  • IBM Cloud (Key Protect)
  • IBM Cloud (HPCS)

The Compliance Tools You Need

CipherTrust Cloud Key Manager has the full range of logs and reports you need for fast compliance reporting, including per-cloud operational logs and a range of pre-packaged key activity reports.

Support for Emerging Technologies

CipherTrust Cloud Key Manager supports many fast-emerging technologies. Here are some examples:

Related Resources

CipherTrust Data Security Platform Key Management Solutions for Google - Solution Brief

CipherTrust Data Security Platform Key Management Solutions for Google - Solution Brief

Thales collaborates with Google to accelerate safe migration of sensitive data between public cloud, hybrid and private IT infrastructures. To enable encryption of data-at-rest and manage keys outside of Google’s infrastructure, Google provides: Cloud Customer-Managed...

CipherTrust Cloud Key Manager - Product Brief

CipherTrust Cloud Key Manager - Product Brief

CipherTrust Cloud Key Manager (CCKM) reduces key management complexity and operational costs by giving customers lifecycle control of cloud encryption keys with centralized management and visibility. Gain access to each cloud provider from a single pane of glass, across...

CipherTrust Cloud Key Manager Demonstration - Video

CipherTrust Cloud Key Manager Demonstration - Video

Watch this demonstration of CipherTrust Cloud Key Manager in action!

CipherTrust Cloud Key Manager Introduction - Video

CipherTrust Cloud Key Manager Introduction - Video

In two minutes, learn of your responsibility to protect data in the cloud, the challenges of multicloud key management, and how CipherTrust Cloud Key Manager can help you! 

Watch this video to understand the purpose and get an overview of CipherTrust Cloud Key Manager!

Thales Security Solutions for Google Workspace - Solution Brief

Thales Security Solutions for Google Workspace - Solution Brief

Thales supports client-side encryption for: Google Drive, Gmail, Google Calendar and calls over Google Meet. Google recommends that Google Workspace customers use an external key manager (EKM) and Identity Provider (IDP) to support the industry-standard shared responsibility...

Cipher Trust Cloud Key Manager Frequently Asked Questions

What is Key Management in cloud computing?

Cloud providers try to help customers secure their data, so they sometimes encrypt it, which requires encryption keys.  Key management is the general idea of generating keys for encryption and keeping them safe.  Some cloud providers enable customers to use their own keys, either using BYOK or HYOK.

What is Google Cloud Platform EKM or CMEK?

Google Cloud platform offers both BYOK, with customer-managed encryption keys, or CMEK, and HYOK, with external Key Management [Services] or EKM.

How does cloud KMS work?

Cloud Key Management services either originate keys or accept BYOK or HYOK.   These keys are usually master keys.   Data encryption keys are derived in some from master keys. and are used to encrypt data.