BYOK Summary:
Laurel: Using Your Own Encryption Keys (BYOK/CMK with AWS KMS)
Bring Your Own Key (BYOK), or Customer-Managed Key (CMK), allows you to manage the encryption keys used to protect your data within Laurel. This approach augments our existing AES-256 encryption at rest with an additional layer of client-controlled encryption, providing greater control and assurance over data confidentiality.
Why Use BYOK/CMK?
Enhanced Control: You have full control over your encryption keys, including their lifecycle, permissions, and rotation policies.
Compliance: BYOK/CMK can help you meet specific regulatory or internal compliance requirements regarding key management.
Centralized Key Management: You manage your keys within AWS KMS, a centralized and secure service.
Auditability: All key usage is logged by AWS CloudTrail, providing a detailed audit trail.
Data Encrypted
The following data categories will be encrypted under the proposed BYOK model:
Document Bodies: All documents stored on the platform (we store up to the first 5000 characters).
Email Bodies: All email bodies stored on the platform (we store up to the first 5000 characters).
Other data used within Laurel will not be encrypted under the BYOK model but will continue to be encrypted using Laurel-managed keys.
Encryption Details
The BYOK implementation will use the industry-standard AES-256 encryption algorithm, maintaining consistency with our existing security measures. Client data will be encrypted using a unique, client-managed Customer Master Key (CMK) in AWS KMS. To optimize performance and reduce the number of calls to AWS KMS, we will temporarily cache the customer's CMK in memory for up to one hour. Here’s a high-level overview of the process:
Important Considerations
This BYOK model offers enhanced security and control, but it also comes with important responsibilities and potential risks that customers must understand:
Our platform relies on the availability and proper configuration of the customer's CMK to encrypt/decrypt data.
Irreversible Data Loss: If a customer deletes their CMK, any data encrypted under that key will become permanently inaccessible and unrecoverable. There is no way for us or AWS to retrieve the data, nor can any new data be stored.
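One way to watch for the risks above on the customer side, as an added example that is not Laurel's or AWS's code: it scans CloudTrail records for successful KMS calls that disable the key, schedule its deletion, or change who can use it. The key ARN, account ID, IAM user and sample events are constructed placeholders, and the cache note in the output is an assumption drawn from the one-hour cache described under Encryption Details.

```python
from datetime import datetime, timedelta

# Constructed placeholder key (not a real key); replace with the CMK shared with Laurel.
KEY_ID = "00000000-0000-0000-0000-000000000000"
LAUREL_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/" + KEY_ID
CACHE_TTL = timedelta(hours=1)  # "up to one hour" cache lifetime stated above
FMT = "%Y-%m-%dT%H:%M:%SZ"
# KMS calls that can make the key unusable or cut off access to it.
RISKY = {"ScheduleKeyDeletion": "critical", "DisableKey": "high",
         "PutKeyPolicy": "medium", "RevokeGrant": "medium", "RetireGrant": "medium"}

def refers_to(rec, key_arn):
    """True if the record names the key by full ARN or by bare key ID."""
    ids = [r.get("ARN") for r in rec.get("resources") or []]
    ids.append((rec.get("requestParameters") or {}).get("keyId"))
    return any(i and (i == key_arn or key_arn.endswith("/" + i)) for i in ids)

def findings(records, key_arn=LAUREL_CMK_ARN):
    """Successful risky KMS calls against key_arn, in input order."""
    out = []
    for rec in records:
        sev = RISKY.get(rec.get("eventName"))
        if (rec.get("eventSource") != "kms.amazonaws.com" or sev is None
                or rec.get("errorCode") or not refers_to(rec, key_arn)):
            continue  # not KMS, not risky, failed call, or a different key
        when = datetime.strptime(rec["eventTime"], FMT)
        out.append({
            "severity": sev, "event": rec["eventName"], "time": rec["eventTime"],
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            # Assumption: a cache entry filled just before the event can live this long.
            "cache_expires_by": (when + CACHE_TTL).strftime(FMT),
        })
    return out

def _rec(name, key, time, **extra):  # builds a constructed CloudTrail-style record
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
            "requestParameters": {"keyId": key}, **extra}

SAMPLE = [  # constructed events, not real logs
    _rec("Decrypt", LAUREL_CMK_ARN, "2024-01-10T09:00:00Z"),
    _rec("DisableKey", KEY_ID, "2024-01-10T09:30:00Z"),
    _rec("DisableKey", LAUREL_CMK_ARN, "2024-01-10T09:40:00Z", errorCode="AccessDenied"),
    _rec("ScheduleKeyDeletion", LAUREL_CMK_ARN[:-1] + "1", "2024-01-10T10:00:00Z"),
    _rec("ScheduleKeyDeletion", LAUREL_CMK_ARN, "2024-01-10T23:30:00Z"),
]

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

A ScheduleKeyDeletion finding is the one to act on first: the deletion can still be cancelled during the waiting period, but not after it completes.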
Follow this guide to integrate.