Box Enterprise Key Management – Powered by AWS CloudHSM
In a post on the Box Blog, co-founder Aaron Levie rolled out the new Box Enterprise Key Management (EKM) offering. This product was designed to allow companies to use Box’s content management and collaboration tools while retaining control over their own encryption keys. As he notes in the post, Enterprise Key Management is powered by AWS CloudHSM (read my post, AWS CloudHSM – Secure Key Storage and Cryptographic Operations, to learn more).
Aaron’s post recounts the multi-year journey that they took to get to this point. After exploring and ultimately discarding hybrid systems and client-side encryption, they decided to work with AWS and SafeNet to build a no-compromise (his words) system that balanced ease of use and customer control.
When a customer decides to use EKM, they work with Box to provision a CloudHSM in AWS and an on-premises backup in the customer’s own data center, all connected by secure, dedicated connections.
This model gives each Box customer exclusive control over the keys that are used to encrypt their files (according to the post, a unique key is used for each version of every file stored in Box). The system also maintains a complete set of immutable access logs.
To learn more, read Aaron’s post!