← All updates

Bring your own key, encrypt a vault with a key you control

Encrypt a vault with an encryption key you hold in your own cloud KMS. You grant SikkerKey access to your key, and every project key in the vault is re-encrypted under it. From then on the key stays under your control: access runs through your own cloud console, and you can revoke it whenever you want.

Setting one up

Open your vault's Settings and find Bring your own key.

1. Grant access. SikkerKey provisions a dedicated service account for your vault and shows its email address. Grant that service account the Encrypt/Decrypt role on your key in your cloud console. The service account's only permission is to wrap and unwrap your vault's key.

2. Connect the key. Paste your key's resource name. SikkerKey verifies it can encrypt and decrypt with the key, then re-encrypts the vault under it in the background.

The card keeps showing the connected key, its location, and the service account address, so you always have what you need to review or re-grant access later. Connecting and disconnecting a key are recorded in the audit log as critical events.

How reads work

Once a vault is on your key, reading any secret takes a live call to your key on every request. That is what puts you in control: while your key is available, reads work normally; revoke SikkerKey's access from your cloud console and reads stop immediately; restore it and they resume. Nothing in the vault can be decrypted while your key is out of reach.

Disconnecting

Disconnecting re-encrypts the vault back under SikkerKey-managed keys. That final step reads through your key once more, so it needs your key to be reachable. If access is unavailable, the vault stays on your key and you can retry the disconnect once access is restored.

Availability

Bring your own key is available on the Enterprise plan. Google Cloud KMS is supported today, with OVH, Scaleway, and AWS planned.

Docs