Cloud encryption key management is the practice of managing cryptographic keys across cloud providers, ensuring proper generation, storage, rotation, access control, and retirement of keys used to protect data at rest and in transit. It addresses the shared responsibility model where cloud providers manage encryption infrastructure but customers control key policies.
Cloud providers offer tiered key management options. Default encryption uses provider-managed keys with no customer involvement. Customer-managed keys (CMK) in provider KMS services (AWS KMS, Azure Key Vault, GCP Cloud KMS) give customers control over key policies, rotation, and access while the provider manages HSM infrastructure. Customer-supplied keys (CSEK/BYOK) allow importing external key material into provider KMS. External key management (EKM/Hold Your Own Key) keeps keys entirely outside the cloud provider, with the provider calling out to customer-managed HSMs for each cryptographic operation.
Key hierarchy patterns use master keys to protect data encryption keys (envelope encryption), limiting direct master key usage. Cross-cloud key management requires either provider-specific key configurations for each cloud or external key management solutions like Thales CipherTrust or Fortanix that provide a unified control plane. Automated rotation ensures keys are refreshed on schedule. Monitoring tracks key usage through provider audit logs to detect unauthorized access.
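The envelope-encryption hierarchy and master-key rotation described above, as an added Go example that is not part of this page and uses no provider API: a local KEK type stands in for the KMS master key, and KEK, Envelope, Encrypt, Decrypt and RotateKEK are assumed names. Rotation re-wraps only the small DEK, so the data ciphertext is never touched.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")
// KEK is a local stand-in for a KMS master key (assumed type, not a provider API):
// it only wraps and unwraps DEKs, so bulk data never passes through it.
type KEK struct{ Version int; key []byte }
// Envelope is what is stored beside an object: the KEK-wrapped DEK and the data ciphertext.
type Envelope struct{ KEKVersion int; WrappedDEK, Ciphertext []byte }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func NewKEK(version int) *KEK { return &KEK{Version: version, key: randBytes(32)} }
// aead builds AES-256-GCM; every key here is 32 bytes, so construction cannot fail.
func aead(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(b)
	if err != nil { panic(err) }
	return g
}
// seal prepends a fresh random nonce; open reverses it and errors on tampering or a wrong key.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// Encrypt: one fresh DEK per object, data sealed under the DEK, DEK sealed under the KEK.
func Encrypt(kek *KEK, pt []byte) Envelope {
	dek := randBytes(32)
	return Envelope{kek.Version, seal(kek.key, dek), seal(dek, pt)}
}

// Decrypt refuses a KEK whose version does not match the envelope, then unwraps and decrypts.
func Decrypt(kek *KEK, env Envelope) ([]byte, error) {
	if kek.Version != env.KEKVersion { return nil, errors.New("KEK version mismatch") }
	dek, err := open(kek.key, env.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext)
}

// RotateKEK re-wraps the DEK under the new KEK; the data ciphertext is never re-encrypted.
func RotateKEK(old, next *KEK, env Envelope) (Envelope, error) {
	dek, err := open(old.key, env.WrappedDEK)
	if err != nil { return Envelope{}, err }
	return Envelope{next.Version, seal(next.key, dek), env.Ciphertext}, nil
}
```

In a real deployment the KEK never leaves the KMS or HSM and Envelope.KEKVersion is what tells you which key version a stored object depends on, so it is the field to check before retiring an old version.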
Encryption is only as strong as key management. Provider-managed keys protect against physical theft of storage media but not against compromised cloud credentials. Customer-managed keys add a second authorization layer but increase operational complexity. Organizations must choose key management models that match their threat model, compliance requirements, and operational capability.
CDA addresses cloud key management under the DPS (Data Protection and Sovereignty) domain. Our missions evaluate key management requirements against threat models, deploy appropriate key management tiers per data sensitivity, and implement key governance including rotation, access auditing, and retirement procedures.