
Vaulted Tokenization Bring Your Own Key (BYOK)

ALTR's bring your own key (BYOK) feature enables you to use your own encryption key to protect your token vault in ALTR. Using BYOK allows you to maintain full control over access to your data, including the option of revoking all access to your token vault at any time.

ALTR offers the capability for you to control the encryption keys used for tokenization through the use of your own AWS Key Management Service (AWS KMS) encryption keys. This capability enables you to maintain control over your tokenized data, reserving the right to revoke ALTR’s access to your token vault.

How BYOK Works for Tokenization

ALTR uses encryption to protect your data in our SaaS token vault. A different, unique key is used for each ALTR organization and is protected by an ALTR-owned AWS KMS key. Organizations using BYOK elect to replace the ALTR-owned AWS KMS key with a client-owned AWS KMS key.

As long as ALTR has access to the key that you've supplied, it is able to provide tokenization operations. If you revoke access to your key, ALTR is no longer able to encrypt or decrypt your token vault. To maintain performance of tokenization operations, ALTR caches certain decrypts for up to 60 minutes.

Prepare Encryption Keys for BYOK

To use BYOK in tokenization, you must share AWS KMS keys with ALTR.

To share your AWS KMS keys with ALTR to prepare encryption keys for BYOK:

  1. Generate a new AWS KMS Multi-Region Symmetric key in the US-East-1 region.

  2. Update the key policy to include access from ALTR’s AWS Account ARN and an IAM Policy with the proper privileges. Contact ALTR Support for ALTR’s AWS Account ID.

  3. Add an IAM policy to the KMS key for ALTR’s external account specifying the privileges required by ALTR for tokenization (Decrypt, Encrypt, Re-encrypt, and Generate Data Key).

  4. Create replica keys in the US-East-2 and US-West-2 regions. The Key Policies for the replica keys must match the original key (they should match by default).

  5. Contact ALTR Support with your ALTR organization ID and the ARN of your AWS KMS key in US-East-1.

    Note

    Find your ALTR organization ID in ALTR's UI under Settings > Preferences > Organization.

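The steps above, scripted with boto3 as an added example (not ALTR's or AWS's own code): it builds a key policy that keeps your account as key administrator (so revocation stays in your hands) and grants ALTR's account only the four actions listed in step 3, creates the multi-Region primary in us-east-1, and replicates it to us-east-2 and us-west-2. Assumptions: `kms` is a boto3 KMS client for us-east-1, `own_account_id` is your AWS account ID, and `altr_account_id` is the ID obtained from ALTR Support in step 2.

```python
"""Prepare an AWS KMS BYOK key for ALTR tokenization (added example).
Primary multi-Region key in us-east-1, replicas in us-east-2 and us-west-2,
all with the same key policy."""
import json

# Actions the page lists for ALTR: Decrypt, Encrypt, Re-encrypt, Generate Data Key.
ALTR_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]
PRIMARY_REGION = "us-east-1"
REPLICA_REGIONS = ["us-east-2", "us-west-2"]


def build_key_policy(own_account_id: str, altr_account_id: str) -> dict:
    """Key policy document: your account keeps full administration of the key
    (needed later to revoke ALTR's access); ALTR's account gets use-only rights."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyOwnerAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{own_account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "ALTRTokenizationUse",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{altr_account_id}:root"},
                "Action": ALTR_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def create_byok_key(kms, own_account_id: str, altr_account_id: str) -> dict:
    """kms: boto3 KMS client for us-east-1 (assumed). Returns {region: key ARN}.
    The policy is passed explicitly to replicate_key so every replica matches
    the primary's policy instead of relying on a default policy."""
    policy = json.dumps(build_key_policy(own_account_id, altr_account_id))
    primary = kms.create_key(
        Description="ALTR BYOK token vault key",
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
        MultiRegion=True,
        Policy=policy,
    )["KeyMetadata"]
    arns = {PRIMARY_REGION: primary["Arn"]}
    for region in REPLICA_REGIONS:
        replica = kms.replicate_key(KeyId=primary["KeyId"], ReplicaRegion=region, Policy=policy)
        arns[region] = replica["ReplicaKeyMetadata"]["Arn"]
    return arns  # hand the us-east-1 ARN to ALTR Support (step 5)
```

Revoking ALTR's access later is a key-policy edit that removes the `ALTRTokenizationUse` statement from the primary and each replica; the `KeyOwnerAdministration` statement is what lets you make that edit.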