Customer-Controlled Key Management
Overview
Some customers have requirements that go beyond Ubiq-managed key infrastructure. These requirements may involve key ownership, key custody, key lifecycle control, hardware-backed key protection, regulatory obligations, internal security standards, or long-term recovery planning.
For these use cases, Ubiq supports customer-controlled key-management options, including:
- Customer Managed Key / BYOK
- Bring Your Own HSM / BYOHSM
These options allow customers to maintain greater control over the cryptographic materials or key-management infrastructure used with Ubiq-protected workflows.
Ubiq libraries and integrations continue to protect and unprotect sensitive data within approved workflows, while the customer-controlled key-management model defines how key material is provided, controlled, governed, or backed by customer-managed infrastructure.
Summary
| Requirement | Ubiq Option |
|---|---|
| Customer wants to provide and manage key material | Customer Managed Key / BYOK |
| Customer wants greater control over key ownership and lifecycle | Customer Managed Key / BYOK |
| Customer requires hardware-backed key protection | Bring Your Own HSM / BYOHSM |
| Customer has strict key custody requirements | Bring Your Own HSM / BYOHSM |
| Customer has regulatory or internal key-management requirements | Customer Managed Key / BYOK or BYOHSM |
| Customer wants stronger long-term recovery or continuity planning | Customer Managed Key / BYOK or BYOHSM |
Customer Managed Key / BYOK
Customer Managed Key, also commonly referred to as BYOK, or Bring Your Own Key, is a key-management option where the customer provides and manages key material according to its internal key-management requirements.
In this model, the customer maintains control over key ownership and key lifecycle decisions, while Ubiq libraries and integrations use the customer-provided key material as part of approved protect and unprotect workflows.
This option is typically used by customers with requirements around:
- Key ownership
- Internal key-management standards
- Regulatory or compliance obligations
- Key rotation and lifecycle control
- Long-term data recovery and continuity planning
- Reduced dependency on Ubiq-managed key infrastructure
Customer Managed Key / BYOK can help customers maintain greater control over the cryptographic materials used to protect their data while still using Ubiq to enforce protection and access behavior across approved workflows.
Implementation details may vary based on the customer's key-management requirements, operational model, and the Ubiq library or integration pattern being deployed.
Bring Your Own HSM / BYOHSM
Bring Your Own HSM / BYOHSM is a deployment option where customer-controlled HSM infrastructure is used as part of the key-management model.
An HSM, or Hardware Security Module, is a dedicated hardware-based security system used to protect cryptographic keys and perform sensitive cryptographic operations. In a BYOHSM configuration, the customer maintains control over the HSM environment and the policies that govern key custody, access, and lifecycle management.
This option is typically used by customers with stricter requirements around:
- Key custody
- Hardware-backed key protection
- Regulatory or compliance obligations
- Separation of duties
- Internal key-management standards
- Long-term data recovery and continuity planning
BYOHSM can help customers maintain greater control over the key-management layer while still using Ubiq libraries and integrations to protect and unprotect sensitive data within approved workflows.
BYOHSM is available at additional cost and should be scoped during technical design. Implementation details may vary based on the customer's HSM platform, network architecture, operational requirements, and the Ubiq integration pattern being deployed.
CMK / BYOK vs. BYOHSM
Customer Managed Key / BYOK and BYOHSM both provide additional customer control, but they are intended for different levels of key-management requirement.
| Option | Typical Use |
|---|---|
| Customer Managed Key / BYOK | Customer wants to provide and manage key material according to internal requirements |
| BYOHSM | Customer requires HSM-backed key custody, cryptographic operations, or hardware-based key protection |
Customer Managed Key / BYOK is generally appropriate when the customer’s main requirement is control over key ownership, key material, and key lifecycle.
BYOHSM is generally appropriate when the customer requires a customer-controlled HSM environment as part of the key-management model.
Key Ownership and Key Lifecycle
Customer-controlled key-management options can help customers align Ubiq-protected workflows with internal key lifecycle requirements.
These requirements may include:
- Key generation
- Key import or provisioning
- Key rotation
- Key access approval
- Key custody
- Key backup and recovery
- Key retirement
- Key destruction
- Audit and governance procedures
The exact model depends on the customer’s requirements and the Ubiq integration pattern being deployed.
Operational Considerations
Customer-controlled key-management options should be planned during technical design.
Customers should consider:
- Which workflows require customer-controlled keys
- Which datasets or data domains are in scope
- Which key-management model is required
- Who owns key lifecycle decisions
- Who can approve key access or changes
- How key rotation is handled
- How production access is governed
- How continuity and recovery requirements are documented
- Whether BYOHSM is required or Customer Managed Key / BYOK is sufficient
For BYOHSM deployments, customers should also consider:
- HSM platform
- Network architecture
- Availability requirements
- Latency requirements
- Operational ownership
- Support model
- Deployment timeline
- Testing and validation process
Relationship to Service Continuity and Data Recovery
Customer-controlled key-management options may support broader continuity and recovery requirements, but they do not replace runtime caching or bulk decrypt/export planning.
For temporary connectivity interruptions, Ubiq caching helps approved workflows continue operating when valid cached material is available.
For recovery, migration, or offboarding, customers can retrieve protected data from their own systems and use the appropriate Ubiq library or integration to decrypt or unprotect the data with authorized credentials.
Customer Managed Key / BYOK and BYOHSM provide additional control over key material or key-management infrastructure for customers with stricter key-control, continuity, regulatory, or recovery requirements.
Recommended Practices
For customer-controlled key-management deployments, Ubiq recommends:
- Identify which workflows require customer-controlled key management.
- Confirm whether Customer Managed Key / BYOK or BYOHSM is the appropriate model.
- Define key ownership, custody, lifecycle, and rotation requirements.
- Confirm which datasets, applications, databases, integrations, or workflows are in scope.
- Document operational responsibilities between the customer and Ubiq.
- Validate the key-management model before production deployment.
- Consider runtime caching and data recovery planning separately from key-management architecture.
Key Takeaways
Customer Managed Key / BYOK allows customers to provide and manage key material according to internal key-management requirements.
Bring Your Own HSM / BYOHSM allows customers to use customer-controlled HSM infrastructure as part of the key-management model.
These options help customers maintain greater control over key ownership, key custody, key lifecycle, and long-term recovery planning.
Customer-controlled key management should be scoped during technical design and aligned to the customer’s security, regulatory, operational, and recovery requirements.
Updated 1 day ago