Managing Your Bring Your Own Key (BYOK) API Keys in Blanca's Builder
Learn about Blanca's Builder's Bring Your Own Key (BYOK) API key management: storage, encryption, rotation, revocation, and expiration handling for enhanced security.
Blanca's Builder offers a robust Bring Your Own Key (BYOK) feature, empowering you with greater control over the encryption keys used to protect your data. This article outlines how BYOK API keys are managed within our platform, ensuring transparency and security.
Last updated: 2026-06-28
Understanding BYOK in Blanca's Builder
Bring Your Own Key (BYOK) is an advanced security option that allows you to provide and manage your own cryptographic keys for the encryption of sensitive data within Blanca's Builder. This means your data is encrypted using a key that you control, significantly enhancing your data's security posture and helping you meet compliance requirements. With BYOK, Blanca's Builder never directly accesses your master key; instead, it uses a key derived or wrapped by your master key for data encryption.
This approach ensures that even if Blanca's Builder's infrastructure were compromised, your data would remain encrypted and inaccessible without your specific key. Our system is designed to integrate seamlessly with various Key Management Services (KMS) providers, allowing you to retain full ownership and control over your keys' lifecycle, including their creation, storage, and deletion.
Key Storage and Encryption
When you integrate a BYOK key into Blanca's Builder, your original master key is never transmitted to or stored on our servers. Instead, a 'key encryption key' (KEK) is generated by your chosen KMS and used to encrypt a 'data encryption key' (DEK) that Blanca's Builder uses for actual data encryption. This encrypted DEK is what Blanca's Builder stores, not your master key.
The encrypted DEK is stored in a highly secure, isolated environment within our cloud infrastructure, protected by multiple layers of security, including strict access controls, network segmentation, and regular security audits. Access to these encrypted keys is strictly limited to automated processes that require them for data operations, and all access attempts are logged and monitored for anomalies. Your master key remains securely within your KMS provider, and Blanca's Builder only ever requests its use for decryption when necessary, always through secure, authenticated channels.
Key Rotation and Revocation
Key rotation is a critical security practice that involves periodically generating new cryptographic keys and retiring old ones. Blanca's Builder fully supports key rotation for your BYOK keys. You can initiate key rotation through your KMS provider, and our system will detect and utilize the new key for future data encryption operations. We recommend rotating your keys regularly, as per industry best practices (e.g., annually or semi-annually), to minimize the risk associated with a compromised key.
Key revocation allows you to instantly disable a key, rendering any data encrypted with it inaccessible. If you suspect a key has been compromised or if it's no longer needed, you can revoke it through your KMS. Upon revocation, Blanca's Builder immediately ceases using the revoked key for any data operations. This action ensures that any data previously encrypted with that key becomes unreadable, providing an immediate response to potential security threats. It's crucial to understand the implications of key revocation, as data encrypted solely with a revoked key will become permanently inaccessible.
Key Expiration and Recovery
Keys can have expiration dates set by your KMS provider for additional security. If a BYOK key configured with Blanca's Builder expires, our system will stop using it for any new encryption operations. Any data already encrypted with the expired key will remain encrypted and, depending on your KMS setup, may become inaccessible until a new, valid key is provided or the expired key is re-enabled. Blanca's Builder will issue alerts and notifications regarding expiring or expired keys to give you ample time to take corrective action.
To recover from an expired key, you generally have two options: either extending the expiration date of the existing key within your KMS, or creating a new key and associating it with your Blanca's Builder account as a replacement. It's essential to have a robust key management plan in place, including regular monitoring of key status and predefined procedures for handling expired keys, to ensure continuous access to your encrypted data.
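The storage, rotation, revocation and expiration behaviour described in the sections above, modelled in Python as an added example (not Blanca's Builder code). `ToyKMS`, `encrypt_record` and `decrypt_record` are hypothetical names, storing a KEK version id next to each wrapped DEK is an assumption, and the SHAKE-256 plus HMAC construction is a standard-library stand-in for the AES-based wrapping a real KMS performs.

```python
import hashlib, hmac, os

def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Stdlib stand-in for AES-GCM / AES key wrap: SHAKE-256 keystream + HMAC-SHA256 tag.
    nonce = os.urandom(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class ToyKMS:
    """Hypothetical customer-side KMS: KEK bytes never leave this object."""
    def __init__(self):
        self.versions, self.current = {}, 0
        self.rotate()

    def rotate(self, expires_at=None):
        # New KEK version for future wraps; older versions stay for existing DEKs.
        self.current += 1
        self.versions[self.current] = {"kek": os.urandom(32), "revoked": False, "expires_at": expires_at}
        return self.current
    def revoke(self, version):
        self.versions[version]["revoked"] = True

    def _usable_kek(self, version, now):
        # Revoked or expired versions refuse both wrap and unwrap.
        k = self.versions[version]
        if k["revoked"] or (k["expires_at"] is not None and now >= k["expires_at"]):
            raise PermissionError(f"KEK v{version} is revoked or expired")
        return k["kek"]

    def wrap(self, dek, now=0):
        return self.current, _seal(self._usable_kek(self.current, now), dek)
    def unwrap(self, version, wrapped, now=0):
        return _open(self._usable_kek(version, now), wrapped)

def encrypt_record(kms, data, now=0):
    # Service side: only the wrapped DEK and its KEK version are stored.
    dek = os.urandom(32)
    version, wrapped = kms.wrap(dek, now)
    return {"kek_version": version, "wrapped_dek": wrapped, "ct": _seal(dek, data)}

def decrypt_record(kms, rec, now=0):
    return _open(kms.unwrap(rec["kek_version"], rec["wrapped_dek"], now), rec["ct"])
```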
Canonical: https://blancasbuilder.com/knowledge/ai-usage-and-billing/managing-byok-keys · Blanca's Builder