Bring your own encryption (BYOE), also known as bring your own key (BYOK), is a cloud computing security model that allows cloud service customers to use their own encryption software and manage their own encryption keys.[1] BYOE enables cloud service customers to utilize a virtual instance of their encryption software alongside their cloud-hosted business applications to encrypt their data.[2] In this model, hosted business applications are configured to process all data through the encryption software. This software then writes the ciphertext version of the data to the cloud service provider's physical data store and decrypts ciphertext data upon retrieval requests.[3] This approach provides enterprises with control over their keys and the ability to generate their own master key using internal hardware security modules (HSM), which are then transmitted to the cloud provider's HSM.[4] When the data is no longer needed, such as when users discontinue the cloud service, the keys can be deleted, rendering the encrypted data permanently inaccessible. This practice is known as crypto-shredding.
Organizations can store data with unique encryption that only they can access.[5] Multiple organizations can share the same hardware infrastructure via cloud services like Amazon Web Services (AWS) or Google Cloud while maintaining encryption to comply with regulations such as HIPAA.
Resource utilization may be higher compared to traditional encryption practices when multiple users share the same hardware and use their own encryption.Efforts to minimize resource utilization issues may potentially impact security benefits.[6]