BYOK, AWS KMS

Bring your own AWS KMS key. Every server-stored managed vault ciphertext is wrapped with a per-record AES-256-GCM DEK that is encrypted under your CMK. Platform teams keep the root key in AWS and can revoke deny.sh access through IAM.

Loading…