Bring Your Own Key (BYOK)
Availability: Enterprise plan add-on — this feature is not included by default with the Enterprise plan. Contact your account team to discuss pricing and enablement.
Overview
By default, Akuity Platform encrypts all sensitive data (cluster credentials, API secrets, notification configurations, and more) at rest using Akuity-managed encryption keys.
With Bring Your Own Key (BYOK), you can supply your own encryption key material. Your organization's data will be encrypted exclusively with your key, giving you:
- Key material ownership — you generate the cryptographic key material used to protect your data
- Org-scoped isolation — your data is encrypted with a key distinct from other customers
- Key rotation control — if you ever need to rotate your key, the platform handles re-encryption automatically
This is designed for organizations with strict data governance requirements, compliance mandates (SOC 2 Type II, FedRAMP, HIPAA, etc.), or internal policies requiring customer-supplied key material.
How it works
- You generate a key — a 32-byte cryptographically random value, base64-encoded (see below).
- You share it with Akuity securely — send the key to your account team via an approved secure channel (e.g., 1Password share link, encrypted email). Do not send it in plain text over Slack or email.
- Akuity provisions the key — your account team registers it with the platform, scoped to your organization.
- All new writes use your key — from that point forward, any sensitive field written for your organization is encrypted with your key material.
- Existing data is migrated — a background re-encryption job re-encrypts any data previously written with the platform-managed key.
Generating a key
Your key must be a 32-byte cryptographically random value, base64-encoded. Use one of the following methods:
Linux / macOS (openssl):
openssl rand -base64 32
Linux / macOS (dd + /dev/urandom):
dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64
The output will be a 44-character base64 string. The value below only illustrates the format; generate your own rather than reusing it:
4K1tGHHqhJPYSbMgTnfnUsCaZb9P1w7Fl3Xu8Ae1RJA=
Requirements:
- Exactly 32 bytes of random data (256-bit key)
- Base64-encoded
- Generated using a cryptographically secure random source — do not use general-purpose random number generators
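A pre-flight check for the requirements above, as an added example that is not Akuity's own tooling: it confirms a candidate key is standard padded base64 that decodes to exactly 32 bytes, and flags values that decode to printable text (a passphrase or hex string encoded by mistake). The helper name `validate_byok_key`, its return codes, and the printable-ASCII heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: check BYOK key material locally before sharing it.
# validate_byok_key is a hypothetical helper, not an Akuity tool.
# Return codes: 0 ok, 1 wrong length, 2 not standard padded base64,
#               3 does not decode to 32 bytes, 4 looks like encoded text.
validate_byok_key() {
    key=$1

    # 32 bytes always encode to 44 base64 characters (43 data + one '=').
    [ "${#key}" -eq 44 ] || return 1

    # Must end in exactly one '=' and use only the standard alphabet.
    # URL-safe '-' and '_' or stray whitespace are rejected here.
    case $key in *=) ;; *) return 2 ;; esac
    body=${key%=}
    [ -z "$(printf '%s' "$body" | LC_ALL=C tr -d 'A-Za-z0-9+/')" ] || return 2

    # Decode and count the raw bytes (assumes a base64 that accepts -d).
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ] || return 3

    # Heuristic: 32 random bytes are almost never all printable ASCII.
    # If they are, text was probably encoded instead of random data.
    odd=$(printf '%s' "$key" | base64 -d | LC_ALL=C tr -d '\040-\176' \
          | wc -c | tr -d ' ')
    [ "$odd" -gt 0 ] || return 4
    return 0
}

# Usage, with the generation command from this page:
#   key=$(openssl rand -base64 32) && validate_byok_key "$key" && echo "key format ok"
```

A return code of 0 only confirms the format; it cannot prove the key came from a cryptographically secure source.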
Key rotation
If you need to rotate your encryption key (for example, due to a security incident or internal compliance policy), contact your Akuity account team. Here is how the process works:
- Generate new key material using the method above.
- Share it with your Akuity account team via a secure channel.
- The platform provisions the new key as the active key for your organization.
- A background re-encryption job migrates existing data to the new key.
- The old key remains available for decryption until migration completes, then is retired.
No downtime is required during rotation.
Requirements and limitations
- Available as a paid add-on for Enterprise plans only — not included by default. Contact your account team.
- Key provisioning is handled by Akuity — you supply the key material, and your account team registers it on your behalf.
- Key material must be a 32-byte cryptographically random value, base64-encoded.