Cloud encryption key management

How can Swiss organisations protect their data outside their premises?

With data breaches featuring in the news on an almost weekly basis, a challenge for Swiss organisations is to decide how to protect their data in the cloud, combining organisational, legal and technical measures to mitigate the risks of both unlawful and lawful data access holistically. This should include, but is not limited to, defining a data encryption strategy. Overwhelmed by the number of encryption options available in the cloud, IT leaders may wonder what these options entail, what their trade-offs are and in which situations each should be used. Here we explain what they are and how they differ.

While data protection is a broad topic involving a complex variety of stakeholders, processes and technologies, this article focuses on data encryption methods. A strategy for data protection should consider two types of data access: unlawful and lawful.


  • Unlawful access: This typically occurs when a hacker or malicious software gains access to your data by exploiting a vulnerability in an IT system.

  • Lawful access: A process in which an external party gets access to your data via an official request, leveraging laws such as the United States Clarifying Lawful Overseas Use of Data Act, known as the US CLOUD Act. With lawful access, your data may be provided to a foreign or local government in a lawful manner, even though your organisation may object for data protection reasons.

While the risk of unlawful access can be mitigated using different technical measures, lawful access to data in the cloud is a more complex matter, since cloud service providers (CSPs) may be obliged to cooperate with the data requester.

There are four different methods of data encryption, and they differ in the extent of protection they provide against lawful access.

Swiss companies should choose their Cloud Encryption Key Management Strategy wisely. We suggest that organisations categorise data into classes and choose the Cloud Encryption Key Management Strategy for a given class based on the degree of protection that class deserves. This judgement incorporates an organisation's data governance on one side and regulatory and legal requirements on the other. A higher level of data protection also implies more effort to manage and operate the system.

Overview of encryption key management strategies in the cloud

There are four main approaches to encryption key management in the cloud. Fundamentally, there is a trade-off to be made between keeping control over your keys and benefitting from a fully managed cloud service. Cloud customers wishing to retain more control will need to invest more effort to manage the additional complexity.

1. Encryption Keys managed by the Cloud Service Provider (CSP Managed Keys)


The CSP generates, holds and manages the encryption keys. All aspects of the encryption key lifecycle are managed by the CSP, and the encryption service is fully embedded into the cloud services of the given CSP. As an example, in an object storage service like AWS S3, Azure Blob Storage or GCP Cloud Storage, your data objects are encrypted upon upload and decrypted upon read without your conscious involvement.

Advantages

  • Users benefit from a fully managed Encryption-as-a-Service solution, reducing the risk of human error
  • Best practices are implemented by security experts mandated by the vendor
  • Simplification of IT operations
  • Faster time to market

Disadvantages

  • The CSP controls the entire key management process
  • Access to the data by the CSP is governed by its own policies and legal obligations

2. Customer-Managed Encryption Keys (CMEK)


With CMEK you use encryption key material generated and provided by the CSP, but take over the responsibility for managing the encryption keys within the cloud platform yourself.

Advantages

  • CMEK allows the customer to create keys, control key access and specify key management parameters
  • A trade-off between flexibility and a fully managed key service
  • Audit trail of key access

Disadvantages

  • The customer manages its own encryption keys, opening up the possibility of human error
  • Encryption key management processes must be implemented and operated by the customer
  • Technically, the CSP still has access to the encryption keys at some point in the process (however, all CSPs indicate that they do not retain key access)

3. Customer Supplied Encryption Keys (CSEK), sometimes also called Bring Your Own Key (BYOK)


With CSEK the customer generates the encryption keys and provides them to the cloud platform for encrypting and decrypting the customer's data. CSEK keys must be made available to each CSP service as and when they are needed. CSEK places full responsibility for key generation, ownership and management on the customer.

Advantages

  • Customers can withdraw the key at any time; from that point on, the CSP has no access to the data

Disadvantages

  • Greater complexity of IT operations
  • Increased risk of human error
  • Technically, the CSP still has access to the encryption keys at some point in the process (however, all CSPs indicate that they do not retain key access)

4. Hold your own Key (HYOK)


The customer encrypts data on premises before sending it to the cloud platform, which means that the customer takes ownership not only of the generation and management of encryption keys, but also of the encryption process itself. All data received by the CSP has already been encrypted by the customer.

Advantages

  • HYOK provides the highest level of confidence that the CSP cannot access the customer's data, since the CSP never has access to the encryption key
  • The CSP may be unable to provide data to an authorised body in the event of a request for lawful data access

Disadvantages

  • The CSP's products and services may largely be incompatible with this encryption model, so this key management method has very limited use cases. CSP products and services such as managed databases, analytics services and most other services requiring data access cannot read the encrypted data and therefore cannot be used
  • HYOK is not directly supported by any of the major IaaS CSPs. It must be implemented fully by the customer, and the customer assumes all responsibility for key management
  • Significantly greater complexity of IT architecture and operations
  • Increased risk of human error
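To make the HYOK model and the key-withdrawal behaviour concrete, here is an added Go example; it is not code from the original article or from any CSP's SDK. The customer keeps a key encryption key (KEK) on premises, encrypts each object under a fresh data encryption key (DEK) with AES-256-GCM, wraps the DEK under the KEK and uploads only the ciphertext plus the wrapped DEK. The `Object` type, the function names and the notion of an on-premises key store are assumptions for illustration. It goes slightly beyond the text in two places: the withdrawn-key case from the CSEK section is modelled by decrypting with no KEK, and `RewrapDEK` shows KEK rotation, which is part of the key management responsibility the customer takes on under HYOK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const keyLen = 32 // AES-256 for the KEK and for every DEK

// Object is everything the (hypothetical) CSP receives under HYOK: ciphertext plus a per-object
// data encryption key (DEK) wrapped under the customer's key encryption key (KEK). The KEK never leaves the premises.
type Object struct {
	Nonce      []byte // AES-GCM nonce for the data
	Ciphertext []byte // data encrypted under the DEK
	DEKNonce   []byte // AES-GCM nonce for the DEK wrap
	WrappedDEK []byte // DEK encrypted under the KEK
}

// newGCM builds AES-GCM; aes.NewCipher rejects keys that are not 16, 24 or 32 bytes, including an empty one.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates; a wrong or missing key yields an error, never garbage.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// EncryptOnPrem is the customer side of HYOK: generate a DEK, encrypt the data with it,
// wrap the DEK under the KEK, and return only material that is safe to upload.
func EncryptOnPrem(kek, plaintext []byte) (*Object, error) {
	dek := make([]byte, keyLen)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Object{Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// DecryptOnPrem reverses EncryptOnPrem. Called with a nil KEK it models the "key withdrawn"
// case: the object still sits at the CSP, but nobody, the CSP included, can read it.
func DecryptOnPrem(kek []byte, obj *Object) ([]byte, error) {
	dek, err := open(kek, obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext)
}

// RewrapDEK rotates the KEK without touching the stored ciphertext: only the small
// wrapped DEK is re-encrypted, which keeps customer-side key rotation cheap even for large objects.
func RewrapDEK(oldKEK, newKEK []byte, obj *Object) error {
	dek, err := open(oldKEK, obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return fmt.Errorf("unwrap DEK with old KEK: %w", err)
	}
	dekNonce, wrapped, err := seal(newKEK, dek)
	if err != nil {
		return err
	}
	obj.DEKNonce, obj.WrappedDEK = dekNonce, wrapped
	return nil
}

func main() {
	kek := make([]byte, keyLen) // constructed demo KEK; in practice it is held in an on-premises HSM or key store
	rand.Read(kek)              // crypto/rand.Read is documented never to fail since Go 1.24
	obj, err := EncryptOnPrem(kek, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	_, err = DecryptOnPrem(nil, obj) // the CSP's position at all times: no KEK, no plaintext
	fmt.Printf("uploaded %d ciphertext bytes; decrypt without KEK: %v\n", len(obj.Ciphertext), err)
}
```

The only thing a CSP could hand over in response to a lawful-access request is the `Object`, which without the KEK is opaque to the CSP and to the requester alike. The flip side is the compatibility limitation listed above: a managed database or analytics service receiving such objects cannot operate on them, because decryption only ever happens on the customer's side.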


A number of our Swiss customers consider that leveraging CMEK (i.e. using a CSP-provided key management service) is sufficient to protect their data from foreign authorities. Through experience, they have become confident that the CSP does not have a backdoor method to share these keys without the customer's knowledge and authorisation. We have heard from customers that two factors in particular add to their confidence:

  • CSPs have third party auditors who assess their environments and provide attestations for the CSP’s operations
  • CSPs are motivated to avoid the legal and reputational hazards associated with retaining access to more customer data than necessary

Cloud customers who feel that an additional layer of encryption key control is desirable bring or hold their own keys. These methods call for additional effort, and some cloud services may not be supported. However, as enterprises increasingly move from being merely compliant to being truly secure, major cloud service providers are actively enhancing their encryption offerings that rely on customer-managed keys. Each cloud customer should evaluate the comparative benefits and risks and determine which key management model best meets their requirements.
