<img alt="" src="https://secure.weed6tape.com/193471.png" style="display:none;">

External Key Store (XKS) Proxy for Amazon Web Services​

Take control over the cryptographic keys used to protect your data in AWS Key Management Service (KMS)

Download Application Note


Maintain your data sovereignty with Securosys XKS Proxy for AWS External Key Store (XKS)

Fortify your data protection in AWS using encryption keys securely stored inside Securosys on-premises Primus HSMs or their managed HSM service (CloudsHSM) external to AWS.

When you choose AWS KMS External Key Store (XKS), you replace the KMS key hierarchy with a new external root of trust. All root keys are generated and safeguarded within the HSM you provide and operate. When AWS KMS performs encryption or decryption, it communicates with the Securosys HSMs via the Securosys XKS proxy, ensuring robust security throughout the process.

Take charge of your AWS KMS keys confidently, knowing that your cryptographic objects remain protected within the tamper-proof Securosys CloudsHSM or Primus HSM, away from the AWS cloud.

How Securosys XKS Proxy Works

The Securosys XKS Proxy acts as the secure intermediary between AWS KMS and your Securosys Primus HSM or CloudsHSM. It never directly interacts with your HSM and cannot access, manage, or manipulate your keys. All communication between AWS KMS and your cryptographic objects is channeled through the Securosys XKS Proxy.

Deploying the XKS proxy is simple and seamless, facilitated by the user-friendly Securosys XKS Proxy docker image. It can be downloaded from our Securosys Knowledge Base. Deploy the XKS proxy within an AWS EC2 instance or directly within your own environment, giving you complete control over your encryption workloads.



By integrating the Securosys XKS Proxy with your AWS KMS, you gain a multitude of benefits.

Enhanced Data Security
Your cryptographic keys reside outside of the AWS KMS cloud, ensuring that only you can decrypt protected content, guaranteeing AWS does not have access to your private keys.
Highest compliance requirements
Securosys CloudsHSMs and the FIPS140-2 Level 3 and CC EAL 4+ certified Primus HSM empower you to meet stringent compliance requirements. Our transparent approach allows you to review all software code and blueprints, providing peace of mind that neither AWS nor Securosys can access the plain view of your customer data.
Quick and Easy deployment
Swiftly deploy the Securosys XKS proxy, allowing you to focus on safeguarding your sensitive data rather than navigating through intricate setup processes.
Take control over your data in the cloud now

The Securosys XKS Proxy is the best solution if you seek complete control over your sensitive data, need to maintain keys within geographical boundaries, or desire to move critical encryption workloads away from AWS and into the cloud. Download the application note now to learn more.

Choose Securosys XKS Proxy today and take charge of your AWS KMS keys with utmost confidence and security!

Alternatively, if you wish to enhance your AWS Key store by importing the master key generated inside one of your Securosys CloudsHSM or on-premises Primus HSMs, please visit Securosys AWS Bring Your Own Key.