Bring Your Own Key (BYOK)
Early access only. Contact your Zep account team to enable BYOK for your workspace.
Available to Enterprise Plan customers only.
Overview
Bring Your Own Key (BYOK) gives you full control over the encryption keys that protect your data at rest in Zep Cloud. Instead of relying on provider-managed keys, you generate and manage a Customer Managed Key (CMK) in AWS KMS, in an AWS account you control. Zep uses that key, under a narrowly scoped key-policy grant that you can audit and revoke, to wrap and unwrap the data keys that encrypt your organization's data.
Key highlights:
- Customer-controlled encryption: You can rotate, disable, or revoke access to your CMK at any time. Because Zep's only path to plaintext runs through unwrapping data keys with your CMK, disabling it stops any further KMS decrypt operations on your data.
- Envelope encryption model: Zep calls your CMK to generate and wrap short-lived data encryption keys (DEKs) for each tenant and storage layer. The CMK itself never leaves KMS and only wrapped DEKs are stored alongside the data, which isolates tenants without putting a KMS round trip on every live request.
- Comprehensive auditability: All KMS usage is logged in your AWS CloudTrail. Zep maintains matching provider-side audit logs for shared visibility and compliance reporting.
- Separation of duties: Operational staff cannot access both encrypted data and the keys required to decrypt it. Access requires multi-party approvals and is fully logged.
Getting started
- Provision a CMK in AWS KMS. Use an AWS account you control and enable automatic rotation if required by your policies.
- Configure a minimal KMS key policy. Grant Zep's BYOK service principal only the permissions it needs to generate and decrypt data keys (kms:GenerateDataKey and kms:Decrypt). The grant is scoped to your tenant and can be revoked at any time by editing the key policy or disabling the key.
- Share the CMK ARN with Zep. Your account team will coordinate a secure exchange and validate connectivity in a non-production environment before rollout.
- Monitor key usage. Enable CloudTrail logging for your CMK. Zep recommends creating alerts for unusual patterns, such as unexpected decrypt attempts or access from unfamiliar regions.
- Roll out to production. Zep will migrate your tenant to BYOK-backed encryption with no downtime. You retain ongoing control through KMS aliases and policy changes.
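The following key policy is an added example of the minimal grant described in the steps above; it is not a policy published by Zep. The account IDs, the role name ZepBYOKRole, and the encryption-context key "tenant" with the value "tenant-a" are placeholders: substitute the principal ARN and context values your account team gives you. The first statement keeps full administration with your own account (KMS requires some principal to be able to administer the key); the second lets Zep do nothing but generate and unwrap data keys, and only with an encryption context naming your tenant.

```json
{
  "Version": "2012-10-17",
  "Id": "zep-byok-key-policy",
  "Statement": [
    {
      "Sid": "CustomerRetainsFullAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "ZepDataKeyOperationsOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:role/ZepBYOKRole" },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:tenant": "tenant-a" }
      }
    }
  ]
}
```

In a KMS key policy, "Resource": "*" means this key only, not every key in the account. Revoking Zep's access is a matter of removing the second statement or disabling the key; neither requires Zep's cooperation. If your account team validates connectivity with a DescribeKey call before rollout, add "kms:DescribeKey" to the action list, which grants metadata access only. Automatic rotation is enabled separately with `aws kms enable-key-rotation --key-id <key ARN>` and does not change the ARN you share with Zep.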
FAQ
Can Zep access my data in plaintext?
Routine operations do not require human access to plaintext data. Automated services decrypt data within isolated, audited environments. In exceptional cases, such as a customer-approved incident investigation, access is governed by strict separation of duties, multi-party approvals, and comprehensive logging. You retain the ability to disable your CMK, which immediately blocks any further unwrapping of data keys at KMS; data keys already cached in memory remain usable only until their short lifetime expires.
What happens if I disable or delete my CMK?
All data encrypted under that key becomes unreadable, because every data key protecting it was wrapped by the CMK. This is by design: the key is the final arbiter of access. The two actions differ in reversibility: a disabled key can be re-enabled, whereas KMS deletes a key only after a mandatory waiting period of 7 to 30 days (during which the deletion can be cancelled), after which the key material and everything wrapped by it are gone permanently. Ensure you have internal procedures for emergency restores before disabling a key or scheduling its deletion.
Does BYOK introduce latency?
Not on the live request path. Zep caches plaintext data encryption keys securely in memory for a short time, so encrypting and decrypting a request involves no round trip to AWS KMS. KMS is called only when a data key is first needed or when a cached key has expired, which is also the point at which a disabled key or a revoked policy takes effect.
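The envelope model from the overview and the cache behaviour described in this answer, as an added example that is not Zep's service code. FakeKms stands in for AWS KMS (only GenerateDataKey and Decrypt are modelled, and an HMAC-based stream cipher replaces AES-GCM so it runs offline); the encryption-context key "tenant", the tenant names and the sample record are constructed. The walk-through shows a read served from the DEK cache with no KMS call, a wrapped DEK refusing to unwrap under another tenant's context, and what disabling the CMK does: reads keep working until the cached DEK expires, then fail at KMS.

```python
"""Envelope encryption under a customer-managed key: the CMK never leaves KMS,
per-tenant data keys (DEKs) are generated and wrapped by the CMK under an
encryption context, and a short-lived in-memory DEK cache keeps live reads off
the KMS hot path. FakeKms and the HMAC stream cipher are constructed stand-ins."""
import hashlib
import hmac
import os

class KeyDisabledError(Exception):
    pass  # stand-in for KMS DisabledException (key disabled or pending deletion)

def _xor_stream(key, nonce, data):
    # Toy stream cipher: keystream block j = HMAC-SHA256(key, nonce || j).
    out = bytearray()
    for j, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + j.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _seal(key, aad, plaintext):
    # Encrypt-then-MAC; the tag binds the ciphertext to aad (the encryption context).
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()

def _open(key, aad, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or encryption context")
    return _xor_stream(key, nonce, ct)

def _aad(context):  # canonical encoding of the encryption context, as KMS binds it
    return "&".join(f"{k}={context[k]}" for k in sorted(context)).encode()

class FakeKms:
    # Stand-in for AWS KMS holding one CMK; only GenerateDataKey and Decrypt are modelled.
    def __init__(self):
        self._cmk = os.urandom(32)  # never leaves this object, as a CMK never leaves KMS
        self.enabled = True
        self.calls = []             # stands in for the CloudTrail record

    def _require_enabled(self):
        if not self.enabled:
            raise KeyDisabledError("CMK is disabled")

    def generate_data_key(self, context):
        self._require_enabled()
        self.calls.append(("GenerateDataKey", dict(context)))
        dek = os.urandom(32)
        return dek, _seal(self._cmk, _aad(context), dek)

    def decrypt(self, wrapped, context):
        self._require_enabled()
        self.calls.append(("Decrypt", dict(context)))
        return _open(self._cmk, _aad(context), wrapped)

class EnvelopeStore:
    # One DEK per tenant, wrapped by the CMK; plaintext DEKs cached for dek_ttl seconds.
    def __init__(self, kms, clock, dek_ttl=300.0):
        self.kms, self.clock, self.dek_ttl = kms, clock, dek_ttl
        self.wrapped_deks = {}  # tenant -> wrapped DEK, persisted next to the data
        self._cache = {}        # tenant -> (plaintext DEK, expiry), memory only
        self._records = {}      # (tenant, name) -> sealed record

    def _dek(self, tenant):
        ctx = {"tenant": tenant}  # hypothetical context key, not Zep's actual one
        hit = self._cache.get(tenant)
        if hit and hit[1] > self.clock():
            return hit[0]  # cache hit: no KMS round trip on the live request
        if tenant in self.wrapped_deks:
            dek = self.kms.decrypt(self.wrapped_deks[tenant], ctx)
        else:
            dek, self.wrapped_deks[tenant] = self.kms.generate_data_key(ctx)
        self._cache[tenant] = (dek, self.clock() + self.dek_ttl)
        return dek

    def put(self, tenant, name, plaintext):
        self._records[(tenant, name)] = _seal(self._dek(tenant), name.encode(), plaintext)

    def get(self, tenant, name):
        return _open(self._dek(tenant), name.encode(), self._records[(tenant, name)])

def demo():
    # Write, cached read, cross-tenant unwrap attempt, then disable the CMK.
    now, kms = [0.0], FakeKms()
    store = EnvelopeStore(kms, clock=lambda: now[0], dek_ttl=60.0)
    secret = b"user prefers concise answers"  # constructed sample record
    store.put("tenant-a", "fact-1", secret)
    r = {"roundtrip": store.get("tenant-a", "fact-1") == secret,
         "kms_calls_after_read": len(kms.calls),  # 1: the read hit the DEK cache
         "cross_tenant_rejected": False, "blocked_after_cache_expiry": False}
    try:
        kms.decrypt(store.wrapped_deks["tenant-a"], {"tenant": "tenant-b"})
    except ValueError:  # the wrapped DEK is bound to tenant-a's encryption context
        r["cross_tenant_rejected"] = True
    kms.enabled = False  # the customer disables the CMK
    r["readable_from_cache_after_disable"] = store.get("tenant-a", "fact-1") == secret
    now[0] += 61.0       # the cached DEK expires; the next read must go back to KMS
    try:
        store.get("tenant-a", "fact-1")
    except KeyDisabledError:
        r["blocked_after_cache_expiry"] = True
    return r
```

The design point is the cache window: a disabled key is enforced at KMS, so the time between disabling the CMK and the last cached DEK expiring is the interval in which reads can still succeed. Keep the DEK lifetime short, and treat the cache as the figure to ask about when sizing your revocation expectations.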
Can I rotate keys without downtime?
Yes. You can enable automatic rotation in AWS KMS. Rotation adds new key material behind the same key ID and ARN while KMS keeps the previous material for decrypting ciphertext it produced, so existing wrapped data keys stay readable; Zep picks up the new material automatically and re-wraps data encryption keys in the background. No change to the key ARN or policy you shared with Zep is needed. Disabling the key disables all of its material at once and stops any further unwrap operations.
Is BYOK applied to every data store?
Yes. All persistent storage and backups for your tenant use envelope encryption derived from your CMK. Stateless services process data in memory and never persist plaintext content.
Where is my data stored?
Customer data remains within the AWS regions operated by Zep. Data in motion is encrypted with TLS 1.3, and data at rest is encrypted with data keys wrapped by your CMK.
How do I audit KMS activity?
Review the AWS CloudTrail logs generated in your account. Every GenerateDataKey, Decrypt, and key management action involving your CMK is recorded, including the calling principal, region, encryption context, and whether the call was denied. Zep maintains corresponding provider-side logs that can be shared under NDA for compliance reviews.
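The alerting suggested under "Monitor key usage" and this answer, as an added example of detection logic run over CloudTrail KMS events; it is not Zep's tooling or a Zep-provided rule set. The CMK ARN, the Zep role ARN, the allowed region, the tenant names and the encryption-context key "tenant" are assumptions, and the events are constructed with the fields a real CloudTrail KMS record carries (eventSource, eventName, awsRegion, userIdentity.arn, requestParameters.encryptionContext, resources[].ARN, errorCode).

```python
"""Alert on CloudTrail events touching a BYOK CMK: data-key operations by an
unexpected principal, from an unexpected region, with an unexpected encryption
context, or that were denied, plus any key-state change. Example code; the ARNs,
region, tenants and events below are constructed."""

# Assumptions for the example: which key, which Zep principal, which tenants.
CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"
ZEP_ROLE = "arn:aws:sts::444455556666:assumed-role/ZepBYOKRole/zep-byok"
ALLOWED_REGIONS = {"us-west-2"}
KNOWN_TENANTS = {"tenant-a", "tenant-b"}
DATA_KEY_OPS = {"GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "Decrypt"}
KEY_STATE_OPS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}


def findings(event):
    """Return alert tags for one CloudTrail event against the BYOK CMK (empty if none)."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return []
    if CMK_ARN not in {r.get("ARN") for r in event.get("resources", [])}:
        return []  # some other key in the account; not in scope here
    name, tags = event.get("eventName"), []
    if name in KEY_STATE_OPS:
        tags.append(f"key-state-change:{name}")
    if name in DATA_KEY_OPS:
        if event.get("userIdentity", {}).get("arn") != ZEP_ROLE:
            tags.append("unexpected-principal")
        if event.get("awsRegion") not in ALLOWED_REGIONS:
            tags.append("unexpected-region")
        context = event.get("requestParameters", {}).get("encryptionContext", {})
        if context.get("tenant") not in KNOWN_TENANTS:
            tags.append("unexpected-encryption-context")
        if event.get("errorCode"):
            tags.append("denied:" + event["errorCode"])
    return tags


def scan(events):
    """Map eventID -> findings for every event that produced at least one."""
    out = {}
    for ev in events:
        tags = findings(ev)
        if tags:
            out[ev["eventID"]] = tags
    return out


def _event(event_id, name, actor, region, context=None, error=None, key=CMK_ARN):
    # Constructed CloudTrail record carrying the fields a KMS event has.
    ev = {"eventVersion": "1.08", "eventSource": "kms.amazonaws.com", "eventName": name,
          "eventID": event_id, "awsRegion": region, "userIdentity": {"arn": actor},
          "requestParameters": {"encryptionContext": context or {}},
          "resources": [{"ARN": key, "type": "AWS::KMS::Key"}]}
    if error:
        ev["errorCode"] = error
    return ev


ADMIN = "arn:aws:iam::111122223333:user/kms-admin"  # constructed customer principal
OTHER_KEY = "arn:aws:kms:us-west-2:111122223333:key/11111111-1111-1111-1111-111111111111"
SAMPLE_EVENTS = [
    _event("e1", "Decrypt", ZEP_ROLE, "us-west-2", {"tenant": "tenant-a"}),       # normal
    _event("e2", "Decrypt", ZEP_ROLE, "eu-central-1", {"tenant": "tenant-a"}),    # region
    _event("e3", "GenerateDataKey", ADMIN, "us-west-2", {"tenant": "tenant-a"}),  # principal
    _event("e4", "Decrypt", ZEP_ROLE, "us-west-2", {"tenant": "tenant-b"}, "AccessDenied"),
    _event("e5", "DisableKey", ADMIN, "us-west-2"),                               # key state
    _event("e6", "Decrypt", ZEP_ROLE, "us-west-2", {}),                           # no context
    _event("e7", "Decrypt", ZEP_ROLE, "us-west-2", {"tenant": "tenant-a"}, key=OTHER_KEY),
]

if __name__ == "__main__":
    for event_id, tags in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(tags))
```

Denied calls are worth a finding of their own: a burst of AccessDenied on Decrypt after you change the key policy confirms the revocation is biting, while denied calls you did not expect point at a principal probing your key. Key-state changes (DisableKey, ScheduleKeyDeletion, PutKeyPolicy) should page someone even when the actor is your own administrator, since each of them changes what Zep can do with your data.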
Who is responsible for key lifecycle management?
You own the CMK, including rotation, disabling or deletion, and the key policy that grants Zep access. Zep monitors for key state changes and will notify your administrators if a key action affects service availability.