Encryption Key Management
Host Your Own Keys and Keep Control of Your Data
Virtru’s approach to key management ensures control, privacy, and compliance wherever your data goes.
You shouldn’t have to trust third party vendors to protect and control the keys guarding your critical data, yet that’s what cloud-managed, bring your own key (BYOK) approaches force you to do. But you don’t trust the bank with the key to your safety deposit box, so why let security vendors host and manage the encryption keys securing your data?
Virtru’s approach to key management removes third party trust concerns while fulfilling data residency and data sovereignty requirements. We use a distributed architecture and unique symmetric keys for every email and file, offering heightened security at scale. Virtru Customer Key Server (CKS) adds a layer of protection that lets you directly host encryption keys and integrate with hardware security modules (HSMs) for the highest levels of confidentiality and control. The CKS positions your organization to meet or exceed the most stringent compliance requirements, including CJIS, ITAR, and EAR.
Virtru doesn’t require trusting third parties with access to the keys securing your data. By hosting the keys yourself, you can protect data across cloud environments without added risk and uncertainty, while fulfilling data residency requirements.
Other BYOK solutions force you to trust the vendor with your keys, but Virtru never requires third party trust and prevents blind government subpoenas.
Distributed architecture with dual layers of protection ensures total control over who can access the keys securing your most sensitive data.
We leverage Docker containers and your existing key management infrastructure to support enterprise scale deployments with low maintenance.
Encryption key management options, based on your enterprise requirements and aligned with your existing key management processes.
Your enterprise can be up and running in minutes with our fully-hosted key management option. Virtru Access Control Manager (ACM) provides a front-end layer that authenticates requests for keys and ensures sensitive content is only accessed by authorized parties. Virtru ACM is hosted in AWS to ensure maximum performance and availability.
A unique AES 256-bit symmetric data key is created on the client to protect each email and file, then delivered via a secure TLS-protected channel to Virtru ACM. The Amazon Key Management Service (KMS) protects the symmetric data keys with an additional layer of symmetric encryption that is protected by a set of AWS managed HSMs.
Choose this option to have ultimate control over who can access your data to meet or exceed compliance requirements for CJIS, ITAR, EAR, and more. Prevent any 3rd parties from accessing your data keys, including security and cloud-hosting vendors, or governments who can blind subpoena your providers. Unlike cloud-managed Bring Your Own Key (BYOK) approaches that force you to trust the vendor, Virtru can never access your private keys.
This approach utilizes Virtru Customer Key Server (CKS) and RSA encryption keys hosted in your environment. Your RSA keys are used to encrypt every data key at the client such that it is never transmitted or stored in the clear. Virtru CKS is hosted on-premise or in your private cloud, and uses Docker containers for rapid deployments. Virtru CKS works with ACM to receive and fulfill key requests for authorized users.
Utilize your existing HSM infrastructure and existing key management processes. In this deployment option, your RSA encryption keys are stored in your HSM and Virtru Customer Key Server (CKS) is only used to facilitate communication between HSM and Virtru ACM.
Leveraging the PKCS #11 and KMIP protocols, CKS processes encryption and decryption requests on the Virtru platform by securely accessing HSM-managed private keys. Virtru ACM continues to support authorization workflows on the front-end.
Staying Secured in the Cloud is a Shared Responsibility. Steve Riley, April 2016