Skip to main content
HomeBlogControlling the Encryption Keys

What you need to know about multi-cloud key management

Best Practices in Encryption Key Management

As enterprises move greater volumes of their computing workloads to public clouds, the issue of encryption key management is increasing in importance. The vital question isn’t just “is my data on the cloud encrypted?” It is “is my data on the cloud encrypted AND do I control the encryption keys?”

Other top questions around cloud key management:

  • How do I centralize and simplify key management functions across multiple clouds?
  • How do I retain control over my data and encryption keys?
  • What questions should I ask of my cloud provider?
  • What are best practices for multi-cloud ecosystems?
  • What are prerequisites for bring your own key (BYOK)?

Together with Encryption Consulting, we answer these questions in the webinar, What You Need to Know About Multi-Cloud Key Management. Listen to the on-demand recording now.

Public cloud vendors — including AWS, Google Cloud Platform, and Microsoft Azure — have their own solutions for encryption key management. While this establishes a high degree of security, organizations lose control over the keys.

Enter BYOK. The industry is trending toward giving customers more control over their cryptographic keys. All of the major cloud vendors now have support for Bring Your Own Key (BYOK), so that organizations can maintain control over the keys used for their data and applications, giving them greater data portability and flexibility. The ability to shift from one cloud provider to another — including multiple cloud providers at once — gives organizations options. Especially when it comes to managing workloads, handling spikes and surges, and providing disaster recovery — not to mention satisfying audit requirements involving backup or redundancy capabilities.

BYOK allows organizations to encrypt data inside cloud services with their own keys — and maintained within the cloud providers’ vaults — while still continuing to leverage the cloud provider’s native encryption services to protect their data. Win win.

How it works: keys are generated, escrowed, rotated, and retired in an on-premises or cloud hardware security module (HSM). A best practice is to use a FIPS 140-2 Level 3 HSM to more fully address compliance and reporting requirements.

While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys. Fundamentally, the processes, procedures and methods for managing keys are completely different across clouds, and not just from an API standpoint, but from architecture and process standpoints with each requiring different key management techniques.

In the webinar, What You Need to Know About Multi-Cloud Key Management, get a drilldown on BYOK, learn about key rotation best practices, and how to manage the cryptographic key lifecycle. Listen now.

Want to learn more?

Contact a Solutions Architect today.

Give us a call


For over 40 years, Futurex has been a trusted provider of hardened, enterprise-class data security solutions. More than 15,000 organizations worldwide have used Futurex’s innovative hardware security modules, key management servers, and cloud HSM solutions to address mission-critical data encryption and key management needs.

Securing the world's most sensitive data.
Request Demo ▸