BYOK/CMK Encryption
Compliance: SOC 2, PCI-DSS, HIPAA, FedRAMP | Setup Time: 30 minutes
Bring Your Own Key (BYOK) encryption puts the root of trust for your data in your hands. Your Customer Managed Key (CMK) lives in AWS KMS in your own AWS account: the key material never leaves KMS, ASCEND never holds it, and ASCEND can only use the key through the cross-account access you grant, which you can narrow or remove at any time.
Why BYOK?
| Requirement | Without BYOK | With BYOK |
|---|---|---|
| Data Sovereignty | ASCEND manages keys | You control keys in your AWS account |
| Revocation | Request ASCEND to delete | Disable the CMK or remove ASCEND from its key policy yourself; no ASCEND involvement needed |
| Audit Trail | ASCEND's own logs | Every KMS call made by the ASCEND role, recorded in your CloudTrail |
| Compliance | Standard encryption | FedRAMP, HIPAA, PCI-DSS Ready |
| Key Rotation | ASCEND managed | Your rotation schedule |
How It Works
┌──────────────────────────────────────────────────────────┐
│ YOUR AWS ACCOUNT                                         │
│                                                          │
│   ┌──────────────────┐                                   │
│   │ AWS KMS          │                                   │
│   │  ┌────────────┐  │                                   │
│   │  │  Your CMK  │◀─┼── You create and control this     │
│   │  └─────┬──────┘  │                                   │
│   └────────┼─────────┘                                   │
│            │ kms:GenerateDataKey / kms:Encrypt /         │
│            │ kms:Decrypt (cross-account, via key policy) │
└────────────┼─────────────────────────────────────────────┘
             ▼
┌──────────────────────────────────────────────────────────┐
│ ASCEND PLATFORM                                          │
│                                                          │
│   ┌──────────────────┐       ┌─────────────────────────┐ │
│   │ Envelope         │       │ Stored record           │ │
│   │ encryption       │──────▶│ wrapped DEK + data      │ │
│   │ (per-record DEK  │       │ encrypted under the DEK │ │
│   │  wrapped by CMK) │       │ Readable only while     │ │
│   └──────────────────┘       │ your CMK is usable      │ │
│                              └─────────────────────────┘ │
└──────────────────────────────────────────────────────────┘
Envelope Encryption
- Data Encryption Key (DEK) — a fresh DEK is generated for each encryption operation (this is what the kms:GenerateDataKey permission in Step 2 is for) and used only for that data
- Your CMK wraps the DEK — only the wrapped DEK is stored, alongside the ciphertext; the plaintext DEK is not retained
- Decryption requires your CMK — ASCEND must first have KMS unwrap the DEK (kms:Decrypt); unless that call succeeds, the data is unreadable
FAIL SECURE Design
Critical Security Design
BYOK is designed to FAIL SECURE. This protects your data but means:
- If your CMK becomes inaccessible (disabled, key policy changed, KMS unreachable) → every encrypt and decrypt is blocked until access is restored
- If you revoke ASCEND's access → stored data becomes unreadable; the ciphertext and wrapped DEKs are retained, so re-granting access restores it
- If you delete your CMK or its key material → data is permanently lost; nothing ASCEND holds can recover it
| Scenario | Result | Recovery |
|---|---|---|
| CMK temporarily unavailable | Operations blocked | Restore CMK access (re-enable the key, repair the key policy) |
| CMK access revoked | Data unreadable | Re-grant access; nothing needs to be re-encrypted |
| CMK deleted | Data permanently lost | None. KMS enforces a 7-30 day waiting period before deletion; cancelling within it is the only way back |
| CMK key material deleted | Data permanently lost | None (only possible for imported key material; the key from Step 1 uses AWS-generated material) |
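The envelope and fail-secure mechanics above, as an added example (Go, not ASCEND's code): a local stand-in for KMS holds the CMK material in a struct whose Enabled, Granted and Material fields reproduce the rows of the scenario table, a fresh per-record DEK is wrapped with AES-256-GCM, and the platform-side Encrypt and Decrypt refuse to proceed on any refusal from the key. The CMK, Record, Encrypt and Decrypt names and the use of the tenant string as a stand-in for a KMS encryption context are this example's own assumptions, not part of the ASCEND API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CMK is a local stand-in for a KMS key (an assumption of this example; no AWS
// calls are made). Key material never leaves the struct, callers only receive
// wrapped DEKs, and the three fields model the states in the scenario table.
type CMK struct {
	Material []byte // nil once the key or its key material has been deleted
	Enabled  bool   // a disabled CMK rejects every cryptographic operation
	Granted  bool   // whether the platform role is still allowed by the key policy
}

var (
	ErrKeyDeleted   = errors.New("kms: key material no longer exists")
	ErrAccessDenied = errors.New("kms: access denied by key policy")
	ErrKeyDisabled  = errors.New("kms: key is disabled")
)

// NewCMK returns an enabled 256-bit key that the platform role may use.
func NewCMK() *CMK {
	m := make([]byte, 32)
	rand.Read(m) // crypto/rand.Read cannot fail in Go 1.24+
	return &CMK{Material: m, Enabled: true, Granted: true}
}

// check runs before every use of the key: deleted beats revoked beats disabled.
func (k *CMK) check() error {
	switch {
	case k.Material == nil:
		return ErrKeyDeleted
	case !k.Granted:
		return ErrAccessDenied
	case !k.Enabled:
		return ErrKeyDisabled
	}
	return nil
}

// seal/open: AES-256-GCM with a random 96-bit nonce prefixed to the output; aad
// stands in for the KMS encryption context. Keys are always 32 bytes here.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh DEK comes back in
// plaintext for immediate use and wrapped under the CMK for storage.
func (k *CMK) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	if err = k.check(); err != nil {
		return nil, nil, err
	}
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, seal(k.Material, plain, ctx), nil
}

// Unwrap mirrors kms:Decrypt applied to a wrapped DEK.
func (k *CMK) Unwrap(wrapped, ctx []byte) ([]byte, error) {
	if err := k.check(); err != nil {
		return nil, err
	}
	return open(k.Material, wrapped, ctx)
}

// Record is what the platform persists: the wrapped DEK travels with the
// ciphertext, so nothing at rest is usable without the CMK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// Encrypt is the platform side: one DEK per record, plaintext DEK wiped after use.
func Encrypt(k *CMK, tenant string, plaintext []byte) (*Record, error) {
	dek, wrapped, err := k.GenerateDataKey([]byte(tenant))
	if err != nil {
		return nil, err
	}
	ct := seal(dek, plaintext, []byte(tenant))
	clear(dek) // the plaintext DEK is not retained
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt fails closed: a refusal from the CMK propagates and no plaintext is returned.
func Decrypt(k *CMK, tenant string, r *Record) ([]byte, error) {
	dek, err := k.Unwrap(r.WrappedDEK, []byte(tenant))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(tenant))
}
```

There is no main; drive it from a test or a small wrapper and flip Enabled, Granted and Material in turn to reproduce the table. Re-enabling or re-granting restores decryption because the stored ciphertext and wrapped DEK were never touched, while clearing Material is the one change nothing can undo. Against real KMS the same refusals surface roughly as DisabledException, AccessDeniedException and, for a deleted key, NotFoundException.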
Prerequisites
Before enabling BYOK, ensure you have:
- AWS Account with KMS permissions
- IAM user/role that can create KMS keys and edit key policies (kms:CreateKey, kms:PutKeyPolicy)
- ASCEND Enterprise subscription
- Admin access to your ASCEND organization
Quick Start
Step 1: Create Your CMK in AWS
Create a symmetric encryption key and note the KeyId and Arn in the output; the Arn is what Step 3 registers:
aws kms create-key \
--description "ASCEND BYOK encryption key" \
--key-usage ENCRYPT_DECRYPT \
--origin AWS_KMS
Step 2: Grant ASCEND Cross-Account Access
Add the following statement to your key's policy. put-key-policy replaces the entire policy, so merge this statement with the ones already there and keep the default statement that grants your account root kms:*; without it the key can become unmanageable (KMS refuses such a policy unless the lockout safety check is bypassed, which you should not do here). The principal below uses the example account ID 123456789012; use the role ARN ASCEND provides for your tenant and confirm it out of band. "Resource": "*" in a key policy means this key only.
{
"Sid": "Allow ASCEND to use key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/ascend-byok-service"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}
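Before running put-key-policy it is worth linting the merged document. The following is an added example (Go, not ASCEND tooling) that parses a key policy and flags the mistakes this step invites: a "*" principal, a vendor role granted more than the three envelope actions, a missing account-root statement, or any other principal on what should be a dedicated key. The 111122223333 account ID, the GoodPolicy and BadPolicy samples and the CheckKeyPolicy name are this example's own; the vendor ARN is the one from the statement above and must be replaced with the value ASCEND actually gives you.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policyStatement is the subset of a KMS key policy statement inspected here.
// Principal and Action may each be a string or a list in IAM JSON, so they are
// kept raw and normalised by asList and principals.
type policyStatement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
}

type keyPolicy struct {
	Statement []policyStatement `json:"Statement"`
}

// asList normalises an IAM value that is either "x" or ["x", "y"].
func asList(raw json.RawMessage) []string {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// principals flattens the Principal element; a bare "*" is returned as "*" and
// non-AWS principal types (Service, Federated) are prefixed with their type.
func principals(raw json.RawMessage) []string {
	var star string
	if err := json.Unmarshal(raw, &star); err == nil {
		return []string{star}
	}
	var byType map[string]json.RawMessage
	if err := json.Unmarshal(raw, &byType); err != nil {
		return nil
	}
	var out []string
	for typ, v := range byType {
		for _, p := range asList(v) {
			if typ != "AWS" {
				p = typ + ":" + p
			}
			out = append(out, p)
		}
	}
	return out
}

// VendorActions is the complete set the platform role should be granted; anything
// else (kms:*, kms:ScheduleKeyDeletion, kms:PutKeyPolicy, ...) is a finding.
var VendorActions = map[string]bool{"kms:Encrypt": true, "kms:Decrypt": true, "kms:GenerateDataKey": true}

// CheckKeyPolicy returns findings for a policy about to be applied with
// put-key-policy. An empty result means: your account root keeps kms:* (so the
// key cannot become unmanageable), the vendor role is present and confined to
// VendorActions, and no other principal is allowed on this dedicated key.
func CheckKeyPolicy(policyJSON, ownAccount, vendorRoleARN string) ([]string, error) {
	var p keyPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var findings []string
	rootAdmin, vendorSeen := false, false
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		acts := asList(s.Action)
		for _, pr := range principals(s.Principal) {
			switch pr {
			case "*":
				findings = append(findings, fmt.Sprintf("%q: Allow to any principal", s.Sid))
			case "arn:aws:iam::" + ownAccount + ":root":
				for _, a := range acts {
					rootAdmin = rootAdmin || a == "kms:*"
				}
			case vendorRoleARN:
				vendorSeen = true
				for _, a := range acts {
					if !VendorActions[a] {
						findings = append(findings, fmt.Sprintf("%q: vendor role granted %s", s.Sid, a))
					}
				}
			default:
				findings = append(findings, fmt.Sprintf("%q: unexpected principal %s", s.Sid, pr))
			}
		}
	}
	if !rootAdmin {
		findings = append(findings, "no statement grants kms:* to your account root; the key could become unmanageable")
	}
	if !vendorSeen {
		findings = append(findings, "no statement grants the vendor role "+vendorRoleARN)
	}
	return findings, nil
}

// GoodPolicy: the default root statement plus the page's vendor statement.
// Account IDs are placeholders (111122223333 = you, 123456789012 = vendor).
const GoodPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
  {"Sid": "Allow ASCEND to use key", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ascend-byok-service"},
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}`

// BadPolicy: the vendor statement used as the whole policy, with the principal
// and actions opened up. Three findings: any-principal, no root admin, no vendor role.
const BadPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "Allow ASCEND to use key", "Effect": "Allow",
   "Principal": "*", "Action": "kms:*", "Resource": "*"}]}`

func main() {
	vendor := "arn:aws:iam::123456789012:role/ascend-byok-service"
	for name, doc := range map[string]string{"good": GoodPolicy, "bad": BadPolicy} {
		f, err := CheckKeyPolicy(doc, "111122223333", vendor)
		fmt.Println(name, err, f)
	}
}
```

This is a pre-flight check, not a substitute for KMS's own lockout protection or for a kms:EncryptionContext or kms:ViaService condition you may want on the vendor statement; it catches the two mistakes that matter most here, which are pasting the snippet in as the whole policy and widening the principal or actions to make an error go away.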
Step 3: Register Your Key with ASCEND
curl -X POST https://pilot.owkai.app/api/v1/byok/keys \
-H "Authorization: Bearer $ASCEND_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"key_arn": "arn:aws:kms:us-east-1:YOUR_ACCOUNT:key/YOUR_KEY_ID",
"key_alias": "ascend-encryption-key"
}'
Step 4: Acknowledge Legal Waiver
Before BYOK is activated, you must acknowledge the legal waiver:
curl -X POST https://pilot.owkai.app/api/v1/byok/legal-waiver \
-H "Authorization: Bearer $ASCEND_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"acknowledged": true,
"acknowledged_by": "security-admin@company.com"
}'
API Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/byok/keys | POST | Register your CMK |
| /api/v1/byok/keys | GET | Get current key status |
| /api/v1/byok/keys | DELETE | Revoke/remove registered key |
| /api/v1/byok/keys/rotate | POST | Trigger DEK rotation |
| /api/v1/byok/health | GET | Check key health status |
| /api/v1/byok/audit | GET | View BYOK audit log |
| /api/v1/byok/legal-waiver | GET | Get legal waiver text |
| /api/v1/byok/legal-waiver | POST | Acknowledge waiver |
| /api/v1/byok/legal-waiver/status | GET | Check waiver status |
Compliance
BYOK encryption supports the following control requirements (it is one control within your program, not a certification on its own):
| Standard | Requirement | BYOK Compliance |
|---|---|---|
| SOC 2 | CC6.1 Encryption of sensitive data | ✅ Customer-controlled keys |
| PCI-DSS | 3.5.1 Key management procedures | ✅ Customer KMS with audit |
| HIPAA | 164.312(a)(2)(iv) Encryption | ✅ AES-256 with CMK |
| FedRAMP | AC-3 Access enforcement | ✅ Cross-account IAM |
| GDPR | Art. 32 Security of processing | ✅ Data sovereignty |
Key Rotation
Two keys rotate independently: the DEKs, which ASCEND rotates on its own schedule and which you can also rotate on demand, and the CMK, which you rotate in AWS KMS.
DEK Rotation (on demand)
curl -X POST https://pilot.owkai.app/api/v1/byok/keys/rotate \
-H "Authorization: Bearer $ASCEND_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"rotation_type": "dek",
"reason": "Scheduled quarterly rotation"
}'
CMK Rotation (Your Responsibility)
Enable automatic rotation in AWS KMS. KMS generates new key material (yearly by default) but keeps every previous version, so DEKs wrapped before a rotation still decrypt and nothing on the ASCEND side has to be re-encrypted:
aws kms enable-key-rotation --key-id YOUR_KEY_ID
Monitoring
Health Check
curl https://pilot.owkai.app/api/v1/byok/health \
-H "Authorization: Bearer $ASCEND_TOKEN"
Response:
{
"status": "healthy",
"key_status": "active",
"last_encryption": "2025-12-16T10:30:00Z",
"last_decryption": "2025-12-16T10:29:55Z",
"cmk_accessible": true
}
Audit Log
ASCEND's record of BYOK key use. Your own CloudTrail, in the account that owns the CMK, independently logs every KMS call made by the ASCEND role; keep both and reconcile them when investigating a "cmk_accessible": false health result.
curl "https://pilot.owkai.app/api/v1/byok/audit?limit=100" \
-H "Authorization: Bearer $ASCEND_TOKEN"
Next Steps
- Setup Guide — Detailed step-by-step instructions
- API Reference — Complete API documentation
- Troubleshooting — Common issues and solutions
Support
For BYOK-related issues:
- Email: security@owkai.app
- Enterprise Support: Contact your account representative
- Emergency: Use your enterprise support hotline