External key stores enable you to protect your AWS resources by using cryptographic keys outside of AWS. This advanced feature is designed for regulated workloads that you must protect with encryption keys stored in an external key management system that you control. External key stores support the AWS digital sovereignty pledge ( aws.amazon.com/blogs/security/aws-digital-sovereignty-pledge-control-without-compromise/) to give you sovereign control over your data in AWS, including the ability to encrypt with key material that you own and control outside of AWS.
For a detailed review of the XKS components and structure, see XKS architecture.

What is CryptoHub?

CryptoHub is the most flexible and versatile cryptographic platform in the industry, combining every cryptographic function within our extensive solution suite. You can operate CryptoHub within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases. In the Amazon XKS integration, CryptoHub serves as the external key manager, backing the custom key store and providing users with precise control over their keys and the cryptographic operations performed with them.

How external key stores work

An external key store is a custom key store ( docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html#custom-key-store-overview) backed by an external key manager that you own and manage outside of AWS. Your external key manager can be:
  • Physical hardware security modules (HSMs)
  • Virtual hardware security modules
  • Any hardware-based or software-based system capable of generating and using cryptographic keys
Encryption and decryption operations that use a KMS key in an external key store are performed by your external key manager using your cryptographic key material, a feature known as Hold Your Own Key (HYOK).

Architecture and components

AWS KMS never interacts directly with your external key manager, and cannot create, view, manage, or delete your keys. Instead:
  1. AWS KMS interacts only with external key store proxy (XKS proxy) software that you provide
  2. Your external key store proxy mediates all communication between AWS KMS and your external key manager
  3. The proxy transmits all requests from AWS KMS to your external key manager
  4. The proxy translates generic requests from AWS KMS into a vendor-specific format for your external key manager

Use cases and service integration

You can use KMS keys in an external key store for:
  • Client-side encryption, including with the AWS Encryption SDK
  • Server-side encryption, protecting your AWS resources in multiple AWS services with your cryptographic keys outside of AWS
AWS services that support customer-managed keys ( docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for symmetric encryption also support KMS keys in an external key store. For service support details, see AWS Service Integration ( aws.amazon.com/kms/features/#AWS_service_integration).

Control over the root of trust

External key stores let you control the root of trust. Keep the following concerns in mind:
  • Only the external key manager that you control can decrypt data encrypted under KMS keys in your external key store.
  • If you temporarily revoke access to your external key manager (by disconnecting the external key store or disconnecting your external key manager from the proxy), AWS loses all access to your cryptographic keys until you restore it.
  • During disconnection, nothing can decrypt ciphertext encrypted under your KMS keys.
  • If you permanently revoke access to your external key manager, all ciphertext encrypted under a KMS key in your external key store becomes unrecoverable.
The only exceptions are AWS services that briefly cache the data keys (docs.aws.amazon.com/kms/latest/developerguide/data-keys.html) protected by your KMS keys. These data keys continue to work until you deactivate the resource or the cache expires. For details about how unusable KMS keys affect data keys, see the AWS KMS Developer Guide (docs.aws.amazon.com/kms/latest/developerguide/unusable-kms-keys.html).

Important considerations

External key stores unblock use cases for regulated workloads where encryption keys must remain solely under your control and inaccessible to AWS. However, the following considerations are relevant:
  • This represents a major change in the way you operate cloud-based infrastructure.
  • It creates a significant shift in the shared responsibility model.
  • For most workloads, the additional operational burden and greater risks to availability and performance exceed the perceived security benefits.

Learn more

Learn more about the basic terms and concepts used in external key stores ( docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#xks-concepts).