BYOK — AWS KMS

Bring your own AWS KMS key. Every server-stored ciphertext (vault items + inheritance contracts) is wrapped with a per-record AES-256-GCM DEK that is encrypted under your CMK. We never see plaintext, and we cannot read your at-rest blobs without your IAM role.