Bring Your Own Key (BYOK) for Tokenization

ALTR offers the capability for you to control the encryption keys used for tokenization through the use of your own AWS Key Management Service (AWS KMS) encryption keys. This capability enables you to maintain control over your tokenized data, reserving the right to revoke ALTR’s access to your token vault.

How BYOK Works for Tokenization

ALTR uses encryption to protect your data in our SaaS token vault. A different unique key is used for each ALTR organization (tenant) protected by an ALTR-owned AWS KMS key. Organizations using BYOK elect to replace the ALTR-owned AWS KMS key with a client-owned AWS KMS key.

While ALTR has access to the key that you've supplied, it is able to provide tokenization operations. If you revoke access to your key, then ALTR will no longer be able to encrypt or decrypt your token vault. To maintain performance of tokenization operations, ALTR caches certain decrypts for up to 60 minutes.

Prepare Encryption Keys for BYOK

To use BYOK in tokenization, you must share AWS KMS keys with ALTR. To do this, you will need to follow the steps below.

  1. Generate a new AWS KMS Multi-Region Symmetric key in the US-East-1 region.
  2. Update the key policy to include access from ALTR’s AWS Account ARN and an IAM Policy with the proper permissions. Contact ALTR support for ALTR’s AWS Account ID.
  3. Add an IAM policy to the KMS key for ALTR’s external account specifying the permissions required by ALTR for tokenization (Decrypt, Encrypt, Re-encrypt, and Generate Data Key).
  4. Create replica keys in the US-East-2 and US-West-2 regions. The Key Policies for the replica keys must match the original key (they should match by default).
  5. Contact ALTR with your ALTR organization ID and AWS KMS keys ARN from US-East-1 .
    You can find your ALTR organization ID in the Organization Preferences page in ALTR - /settings/preferences/organization.

The screenshots below provide a visual explanation of how to prepare the encryption keys.

Figure 1. Screenshot that shows how to create an AWS KMS Key
Figure 2. Screenshot that shows how to update the AWS KMS key policy
Figure 3. Screenshot that shows where to find the AWS KMS Key ARN and create Replicate Keys (Regionality)
Figure 4. Screenshot that shows how to create new replica keys
Figure 5. Screenshot that shows where to look for the ALTR Organization ID
Figure 6. Sample AWS Key policies

For more information about configuring AWS KMS policies, refer to the AWS KMS documentation.

Frequently Asked Questions

Revoked Access

Question: What happens if an organization revokes ALTR’s access to the AWS KMS key?

Answer: ALTR will no longer be able to access the organization’s tokenized data. Any call to ALTR’s tokenization API for that organization will return an error.

Question: How long does it take for ALTR to lose access to an organization’s token vault once key access is revoked?

Answer: It can take up to 60 minutes for cached information to expire, at which point ALTR will lose access to decrypt an organization’s token vault. After a key is revoked, read and write behavior will fail intermittently until all caches expire.

Multiple AWS KMS Keys

Question: Can an organization use multiple AWS KMS keys?

Answer: ALTR only supports one AWS KMS key per ALTR organization.

Key Rotation

Question: Does ALTR support key rotation for client-supplied keys?

Answer: Yes. However, this requires additional action from ALTR at the time the key is rotated. For more information on client-supplied key rotation, please email

First section of content
Copy Code Snippet