Kiteworks | Your Private Data Network

Enabling Zero Trust Data Exchange in One Platform

Free Trial EXPLORE KITEWORKS
Home > Security and Compliance Blog > GDPR Compliance > Customer-Owned vs. Customer-Managed Encryption Keys: What’s the Difference and Why It Matters
Customer-Owned vs. Customer-Managed Encryption Keys: What's the Difference and Why It Matters

Customer-Owned vs. Customer-Managed Encryption Keys: What’s the Difference and Why It Matters

by Danielle Barbour updated November 21, 2025 GDPR Compliance
Reading Time: 14 minutes

Who controls the keys that decrypt your sensitive data? This question determines whether your organization achieves genuine data privacy or simply creates an illusion of security. Cloud providers offer encryption by default, and many organizations assume their data remains protected as long as files are encrypted. However, encryption strength matters far less than key control when cloud providers retain the technical ability to access your encryption keys and decrypt your data without your knowledge or consent.

Three distinct encryption key management models exist: provider-managed keys, customer-managed keys (BYOK), and customer-owned keys (HYOK). Each model offers different levels of control over who can access your encrypted data. The distinction between managing keys and owning them becomes critical when government agencies issue subpoenas, when compliance frameworks require demonstrable data sovereignty, or when organizations need to prove that even their cloud provider cannot access sensitive information.

Executive Summary

Main Idea: Customer-managed encryption keys (BYOK) remain in the cloud provider’s environment where providers can access them in response to legal requests, while customer-owned keys (HYOK) stay under exclusive customer control and prevent provider access entirely.

Why You Should Care: Organizations using provider-managed or BYOK encryption face data privacy risks from government access requests under the CLOUD Act, provider insider threats, and compliance failures under frameworks requiring true data sovereignty like GDPR post-Schrems II and CMMC Level 3.

5 Key Takeaways

1. Customer-managed keys (BYOK) and customer-owned keys (HYOK) represent fundamentally different security models despite similar names. BYOK stores customer-generated keys in the provider’s key management service where providers retain technical access, while HYOK keeps keys exclusively under customer control in on-premises HSMs or private infrastructure.

2. The CLOUD Act enables US law enforcement to compel cloud providers to decrypt customer data stored anywhere in the world, often without notifying the customer. This legal framework means BYOK encryption provides no protection against lawful government access through your cloud provider, regardless of where data physically resides.

3. Data sovereignty and data privacy are distinct concepts that require different technical controls. Storing data in a specific geographic region (sovereignty) does not prevent your cloud provider from accessing it when they control encryption keys, making key ownership essential for genuine privacy protection.

4. Compliance frameworks increasingly require customer-owned encryption keys after the Schrems II ruling invalidated US-EU data transfers. GDPR, NIS2, CMMC Level 3, and FedRAMP High now effectively mandate encryption models where providers cannot access customer data.

5. The operational trade-offs of customer-owned keys involve complexity and cost, not security or functionality. Organizations can maintain the same encryption strength and application performance with HYOK while gaining genuine privacy protection, though key management requires additional infrastructure and expertise.

A Complete Checklist of GDPR Compliance

Read Now

The Three Encryption Key Management Models

What Are Provider-Managed Encryption Keys?

Provider-managed encryption represents the default model where cloud providers generate, store, and manage all encryption keys within their infrastructure.

When organizations upload data to cloud storage, the provider automatically encrypts it using keys the provider controls. This approach requires no customer configuration and operates transparently. The provider handles key rotation, backup, and all lifecycle management activities. Customers receive encrypted storage without needing encryption expertise or key management infrastructure.

However, this model creates fundamental privacy vulnerabilities. The provider possesses both encrypted data and the keys to decrypt it, meaning they can access customer data whenever they choose or are legally compelled to do so. Law enforcement agencies can subpoena the provider to decrypt and hand over customer data. Provider employees with appropriate access can view encrypted information. Security breaches that compromise provider systems expose both data and keys simultaneously.

When provider-managed keys are acceptable:

  • Non-sensitive data with no regulatory requirements
  • Internal development and testing environments
  • Public information that requires only integrity protection
  • Organizations that fully trust their cloud provider’s security and legal compliance

What Is Bring Your Own Key (BYOK)?

BYOK encryption allows customers to generate encryption keys in their own environment and upload them to the cloud provider’s key management service.

Customers create keys using their own cryptographic tools, then transfer those keys to the provider’s KMS infrastructure such as AWS KMS, Azure Key Vault, or Google Cloud KMS. The provider stores customer keys separately from provider-generated keys and applies additional access controls. Customers can revoke keys or delete them from the provider’s KMS, rendering their data unreadable. This model gives customers more control over key lifecycle while the provider handles the operational complexity of key storage and cryptographic operations.

The critical limitation is that BYOK keys reside in the provider’s environment. The provider’s systems perform all encryption and decryption operations, meaning provider infrastructure must have access to key material. While providers implement strict access controls and audit logging, they retain the technical capability to use customer keys. Law enforcement can compel providers to use BYOK keys to decrypt customer data. Provider administrators with sufficient privileges can access key material. Security breaches affecting the provider’s KMS infrastructure could expose customer keys.

BYOK implementation process:

  1. Customer generates encryption keys using local cryptographic tools or HSMs
  2. Customer securely transfers keys to provider’s KMS via encrypted channels
  3. Provider stores keys in their KMS infrastructure with customer-specific access policies
  4. All encryption/decryption operations occur within provider environment using customer keys
  5. Customer can rotate, revoke, or delete keys through provider’s management interface

BYOK limitations for privacy protection:

  • Keys stored in provider’s KMS infrastructure
  • Provider can access keys for legal compliance, administrative purposes, or if compromised
  • CLOUD Act enables government access through provider without customer notification
  • Provider employees with appropriate access can use keys to decrypt data

What Is Hold Your Own Key (HYOK)?

HYOK keeps encryption keys exclusively under customer control in on-premises hardware security modules or private cloud infrastructure that the provider never accesses.

Customers generate and store keys in their own HSMs or key management systems. When cloud applications need to encrypt or decrypt data, they send requests to the customer’s key management infrastructure rather than using provider-managed keys. The encryption keys never enter the provider’s environment, and the provider has no technical ability to access them. This architecture enables zero-knowledge systems where the provider cannot decrypt customer data even if legally compelled to do so.

HYOK provides genuine privacy protection because providers lack access to decrypt customer information. Law enforcement subpoenas directed at the provider cannot yield decrypted data since the provider does not possess encryption keys. Provider security breaches do not expose key material. Provider administrators cannot access encrypted content regardless of their privilege level. Only the customer organization controls when and how encryption keys are used.

HYOK implementation approaches:

  • On-premises HSMs integrated with cloud workloads
  • Private cloud deployment where customer controls entire infrastructure
  • Hybrid architectures with customer key servers and provider compute resources
  • Air-gapped systems for maximum security requirements

HYOK benefits for privacy:

  • Keys never leave customer control
  • Provider has no technical ability to decrypt data
  • Protection against lawful government access through provider
  • Customer controls all key lifecycle operations without provider involvement

Why Provider Key Access Destroys Data Privacy

How Does the CLOUD Act Enable Government Access Without Customer Knowledge?

The Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US law enforcement to compel American technology companies to provide data stored anywhere in the world, regardless of where that data physically resides.

Passed in 2018, the CLOUD Act resolved a legal dispute about whether US warrants could compel companies to produce data stored on foreign servers. The law established that US-based cloud providers must comply with valid US legal process for any data they control, making geographic data location irrelevant when providers hold encryption keys. Law enforcement can obtain a warrant or subpoena requiring the provider to decrypt and hand over customer data. The provider must comply regardless of whether data resides on servers in Europe, Asia, or anywhere else.

National security letters often include gag orders preventing providers from notifying customers that their data has been accessed. Customers using provider-managed or BYOK encryption may never learn that law enforcement decrypted and reviewed their sensitive information. The provider possesses the technical capability to use encryption keys, law enforcement possesses the legal authority to compel that use, and customers possess no technical control to prevent access.

This framework means that data sovereignty measures like storing data in specific geographic regions provide no privacy protection when providers control encryption keys. European data stored on European servers remains accessible to US law enforcement if an American cloud provider holds the encryption keys.

CLOUD Act implications for encryption models:

  • Provider-managed keys: Provider can decrypt data upon receiving valid legal process
  • BYOK keys in provider KMS: Provider can use customer keys to decrypt data when legally compelled
  • HYOK keys in customer control: Provider cannot decrypt data because they lack access to keys

What Is the SHIELD Act and Why Isn’t It Sufficient?

The Securing and Handling of Internet and Electronic Data (SHIELD) Act, proposed but not yet enacted, attempts to prevent foreign governments from accessing US data through cloud providers.

The legislation would prohibit cloud providers from complying with foreign government requests for US person data without US court approval. It aims to create reciprocal protections similar to what the CLOUD Act provides for US law enforcement accessing foreign-stored data. However, even if passed, the SHIELD Act would not address US government access to customer data, would not eliminate provider technical ability to decrypt customer information, and would not change the fundamental privacy vulnerability of provider-controlled encryption keys.

Organizations concerned about data privacy cannot rely on proposed legislation that may never pass and would not address the core issue of provider key access. Technical controls through customer-owned encryption keys provide reliable privacy protection regardless of legislative changes.

Why proposed legislation cannot replace technical controls:

  • Laws can change or be repealed
  • Enforcement varies by jurisdiction and political climate
  • Gag orders prevent customers from knowing when access occurs
  • Technical controls like HYOK eliminate provider capability to access data regardless of legal framework

How Did Schrems II Change Data Sovereignty Requirements?

The 2020 Schrems II ruling by the European Court of Justice invalidated the Privacy Shield framework that allowed US companies to transfer EU personal data to the United States.

The court found that US surveillance laws, particularly FISA Section 702 and Executive Order 12333, do not provide adequate protections for EU citizens’ data. American cloud providers subject to US law cannot guarantee that EU data remains private from US government access. The ruling specifically noted that US law allows intelligence agencies to access data held by US companies without adequate judicial oversight or remedies for EU citizens.

This decision fundamentally changed how European organizations must approach cloud encryption. Simply storing data in EU regions does not satisfy GDPR requirements if American providers control encryption keys and can be compelled to decrypt that data under US law. The ruling effectively requires technical measures that prevent provider access, pushing organizations toward customer-owned encryption keys or private deployment models.

Schrems II implications for key management:

  • EU organizations cannot rely on contractual data protection agreements alone
  • Technical controls preventing provider access now required for US-EU data transfers
  • Customer-owned encryption keys enable GDPR compliance by eliminating provider ability to access data
  • NIS2 Directive reinforces requirements for entities in critical sectors

What Compliance Frameworks Require Customer Key Ownership?

Regulatory requirements increasingly mandate encryption models where providers cannot access customer data, particularly for government contractors, critical infrastructure, and entities handling EU personal information.

CMMC Level 3 for defense contractors handling Covered Defense Information requires that cryptographic mechanisms be used to prevent unauthorized disclosure during transmission and while at rest. The framework’s emphasis on CUI protection and its alignment with NIST 800-172 enhanced security requirements effectively mandate customer-controlled keys that prevent provider access to classified or sensitive defense information.

FedRAMP High authorization and DoD Impact Level 5 workloads require cryptographic protections that prevent cloud providers from accessing customer data. These frameworks assume that data handled by federal agencies or defense systems requires protection from all parties outside the customer organization, including the hosting provider.

GDPR Article 32 requires appropriate technical measures to ensure data security, and post-Schrems II guidance indicates that encryption alone is insufficient when providers control keys and can be compelled to decrypt data under foreign law. Organizations transferring EU personal data to countries without adequate data protection laws must implement supplementary measures, with customer-owned encryption keys representing one of the few technical controls that satisfies this requirement.

Compliance frameworks favoring customer key ownership:

  • CMMC Level 3 for CUI protection in defense supply chain
  • FedRAMP High and DoD IL5 for federal agency data
  • GDPR for EU personal data transferred to third countries post-Schrems II
  • NIS2 for essential and important entities in critical sectors
  • German BDSG and French data sovereignty requirements

Technical Implementation: How Each Model Works

How Do Cloud Providers Implement BYOK?

Cloud providers implement BYOK through key management services that accept customer-generated keys while maintaining operational control over the encryption infrastructure.

Customers generate encryption keys using local tools such as OpenSSL, cloud provider CLIs, or hardware security modules. The customer then uploads the key material to the provider’s KMS through secure API calls that use TLS encryption to protect keys during transit. The provider stores customer keys in their KMS infrastructure, often in FIPS 140-2 validated HSMs, with access controls that limit which customer accounts and services can use each key.

When applications need to encrypt data, they call the provider’s KMS API to perform the operation. The KMS uses the customer’s key to encrypt the data and returns the ciphertext. Decryption works similarly, with the application sending ciphertext to the KMS, which uses the customer key to decrypt it and returns plaintext. All cryptographic operations occur within the provider’s infrastructure using customer keys that reside in the provider’s systems.

BYOK workflow:

  1. Customer generates key using local cryptographic tools
  2. Customer uploads key to provider KMS via encrypted API call
  3. Provider stores key in their KMS with customer-specific access policies
  4. Applications request encryption/decryption operations from provider KMS
  5. Provider KMS performs cryptographic operations using customer key
  6. Provider returns results to application

How Does HYOK Maintain Customer Control?

HYOK implementations keep encryption keys in customer-controlled infrastructure and perform cryptographic operations outside the provider’s environment.

Customers deploy on-premises HSMs or key management systems that never synchronize keys to provider infrastructure. When cloud applications need to encrypt or decrypt data, they connect to the customer’s key management system over secure network connections. The customer’s infrastructure performs the cryptographic operation and returns results, ensuring keys never leave customer control. Some implementations use private cloud deployment where the customer controls the entire infrastructure stack, making provider access technically impossible.

Advanced HYOK architectures implement application-layer encryption where data is encrypted on client devices before transmission to cloud storage. The cloud provider receives only ciphertext and has no mechanism to decrypt it. This approach enables zero-knowledge systems where the provider literally cannot access customer data regardless of legal compulsion.

HYOK workflow:

  1. Customer deploys HSM or key management system in their infrastructure
  2. Customer generates and stores all encryption keys locally
  3. Cloud applications connect to customer key management system
  4. Customer system performs encryption/decryption operations
  5. Keys never leave customer control or enter provider environment
  6. Provider receives only encrypted data and cannot decrypt it

Security and Compliance Implications

What Threats Does Customer Key Ownership Prevent?

Customer-owned encryption keys eliminate entire categories of threats that remain unaddressed by provider-managed or BYOK models.

Law enforcement access through provider compliance disappears when providers lack decryption capability. Subpoenas and warrants directed at the provider cannot yield decrypted data because the provider does not possess encryption keys. Intelligence agencies cannot compel providers to enable surveillance when providers have no technical access to decrypt customer information. This protection applies regardless of which government makes the request and regardless of the legal framework compelling disclosure.

Malicious cloud provider insiders cannot access customer data when keys remain outside provider infrastructure. Provider security breaches that compromise administrative systems, KMS infrastructure, or backup systems do not expose encryption keys or enable data decryption. Third-party auditors, managed service providers, and other parties with provider system access cannot decrypt customer data.

Threats mitigated by customer key ownership:

  • Government access through lawful provider compliance (CLOUD Act scenarios)
  • Provider insider access to encrypted data
  • Provider security breaches exposing both data and keys
  • Cross-border data access bypassing data sovereignty protections
  • Third-party access through provider systems or partnerships

What Are the Operational Trade-offs?

Customer-owned encryption keys introduce operational complexity and cost that organizations must weigh against privacy and compliance benefits.

Performance impacts vary by implementation approach. HYOK solutions that require network calls to customer key management systems add latency to encryption operations compared to provider-native KMS. Organizations must ensure reliable network connectivity between cloud workloads and on-premises key management infrastructure. However, private deployment models where customers control the entire infrastructure eliminate cross-network latency while maintaining key ownership.

Availability and disaster recovery become more complex when customers manage encryption keys. Organizations must implement HSM redundancy, key backup procedures, and recovery mechanisms without relying on provider-managed solutions. Key management requires specialized expertise that many organizations lack in-house. The cost of HSM hardware, secure facilities, and skilled personnel exceeds the zero additional cost of provider-managed encryption.

Operational considerations:

  • Performance: Potential latency for cross-network key operations vs. provider-native KMS
  • Availability: Customer responsibility for key infrastructure redundancy and disaster recovery
  • Complexity: Requires encryption expertise and key lifecycle management procedures
  • Cost: HSM hardware, facilities, personnel vs. free provider-managed encryption

When Is HYOK or Private Deployment Required?

Certain compliance requirements, threat models, and data sensitivity levels make customer-owned encryption keys mandatory rather than optional.

Organizations handling CUI for defense contracts at CMMC Level 3 must prevent provider access to satisfy enhanced security requirements. Federal agencies processing Impact Level 5 data or seeking FedRAMP High authorization need cryptographic protections where providers cannot decrypt information. European organizations transferring personal data to US-based providers after Schrems II must implement technical measures that prevent US government access through provider compliance.

Zero-trust architecture implementations that assume all network segments and service providers are potentially compromised require customer-owned keys. Organizations in adversarial threat environments where nation-state actors may attempt to compel provider cooperation need encryption models where providers lack technical capability to assist. Critical infrastructure entities under NIS2 requirements must demonstrate that essential services remain protected even if cloud providers face security incidents or legal compulsion.

Scenarios requiring customer key ownership:

  • CMMC Level 3 CUI protection for defense contractors
  • FedRAMP High and DoD IL5 federal agency workloads
  • GDPR-compliant EU-US data transfers post-Schrems II
  • Government and defense classified information systems
  • Financial services intellectual property and trading algorithms
  • Healthcare systems protecting patient privacy from all external parties

Your Data Privacy Needs Trump All Other Encryption Key Variables and Decisions

The distinction between customer-managed and customer-owned encryption keys determines whether organizations achieve genuine data privacy or merely create an illusion of security. BYOK models that store customer-generated keys in provider infrastructure still enable provider access when legal processes compel cooperation or when security breaches compromise provider systems. The CLOUD Act and similar legal frameworks make geographic data location irrelevant when providers control encryption keys and can be compelled to decrypt customer information without notification.

Customer-owned encryption keys through HYOK implementation or private deployment represent the only model that protects against lawful government access through providers, provider insider threats, and the compliance failures that result when providers can access encrypted data. Organizations subject to CMMC Level 3, FedRAMP High, or post-Schrems II GDPR requirements increasingly find that customer key ownership has shifted from optional security enhancement to mandatory compliance requirement.

The operational trade-offs involve complexity and cost rather than security or functionality. Organizations can maintain the same encryption strength and application capabilities with customer-owned keys while gaining the privacy protection that compliance frameworks now demand. Kiteworks delivers this capability through private deployment options that give customers complete control over encryption keys, eliminate provider access to sensitive data, and enable genuine data sovereignty that satisfies the most stringent regulatory requirements.

How Kiteworks Delivers Customer-Controlled Encryption

Kiteworks implements customer-owned encryption through private deployment options that give organizations complete control over encryption keys and data access.

The Private Content Network architecture deploys on-premises, in private cloud environments, or in air-gapped networks where customers control the entire infrastructure stack. AES-256 encryption protects all data at rest using keys that never leave customer infrastructure. Kiteworks employees and support personnel cannot access customer encryption keys or decrypt customer data, enabling true zero-knowledge architecture.

Hardware Security Module integration provides FIPS 140-2 Level 3 protection for encryption keys with tamper-resistant hardware under exclusive customer control. Organizations can implement their own key management procedures, rotation schedules, and access controls without Kiteworks involvement. The platform supports both on-premises HSM appliances and customer-managed cloud HSM services.

Private deployment eliminates the data privacy vulnerabilities inherent in multi-tenant cloud architectures. Law enforcement subpoenas cannot compel Kiteworks to decrypt customer data because Kiteworks lacks the technical ability to do so. The CLOUD Act becomes irrelevant when the service provider never possesses customer encryption keys. Organizations achieve genuine data sovereignty that satisfies post-Schrems II requirements for GDPR compliance.

The platform consolidates secure email, file sharing, managed file transfer, and web forms into a unified environment with consistent encryption and access controls. This approach eliminates the security gaps created when organizations use separate point solutions with different key management models for different communication channels.

To learn more about maximizing data privacy with customer-owned encryption keys, schedule a custom demo.

Frequently Asked Questions

Yes, cloud providers can access BYOK-encrypted data because customer keys reside in the provider’s key management infrastructure. The CLOUD Act enables US law enforcement to compel providers to use customer keys to decrypt data, often with gag orders preventing customer notification. Providers can also access keys for administrative purposes, during security incidents, or if insider threats compromise their systems. Only customer-owned keys in HYOK models prevent provider access.

CMMC Level 3 requires enhanced security controls for CUI protection that effectively mandate HYOK implementation. BYOK stores keys in the provider’s environment where providers retain technical access, failing to satisfy requirements that providers cannot access defense contractor data. HYOK keeps keys exclusively under contractor control in on-premises HSMs or private infrastructure, preventing provider access and enabling compliance with NIST 800-172 enhanced security requirements.

The CLOUD Act allows US law enforcement to compel American cloud providers to decrypt data regardless of storage location. Even if your data resides on European servers with BYOK keys generated in Europe, US-based providers can be legally required to use those keys to decrypt your information because the keys reside in their KMS infrastructure. Geographic data location provides no privacy protection when providers control encryption keys and face legal compulsion under US law.

HYOK implementations that require network calls to customer-hosted key management systems add latency compared to provider-native KMS, typically 10-50 milliseconds per cryptographic operation depending on network topology. However, private deployment models where customers control the entire infrastructure eliminate cross-network latency while maintaining key ownership. Organizations can implement caching, session key strategies, and application-layer encryption to minimize performance impact while preserving privacy benefits.

European data protection authorities increasingly indicate that GDPR Article 32 technical measures must prevent US provider access to satisfy post-Schrems II requirements. Standard contractual clauses alone are insufficient when US providers can be compelled under the CLOUD Act to decrypt data. Customer-owned encryption keys through HYOK implementation or private deployment represent one of the few technical controls that eliminate provider capability to access EU personal data, making them effectively mandatory for EU-US transfers involving US cloud providers.

Additional Resources

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.

Schedule a Demo

Table of Contents

Table of Content
Share
Tweet
Share
Explore Kiteworks