Securosys External Key Management
Proxies for AWS, Azure and Salesforce
Challenge
Organizations increasingly rely on cloud services to store and process sensitive data, but many face strict regulatory, compliance, and sovereignty requirements that demand greater control over encryption keys. While cloud providers offer native key management services, some organizations require cryptographic keys to remain under their own governance and outside the cloud provider's direct control.
Solution
Securosys enables organizations to use AWS, Azure and Salesforce cloud services while keeping cryptographic keys securely stored in Securosys Primus HSM or CloudHSM.
At the core of this architecture is the Securosys Proxy, a secure bridge between the cloud provider's key management services and your dedicated HSM environment. The proxy allows AWS, Azure or Salesforce to request cryptographic operations without ever having access to the underlying key material.
Unlike Bring Your Own Key (BYOK), where keys are imported into a cloud-managed key service, external key management keeps key material under customer control at all times. Cryptographic objects are generated, stored, and governed within your Securosys HSM environment, while cloud services securely communicate with the HSM through the Securosys Proxy.
Organizations retain the ability to revoke the cloud provider's access to their encryption keys at any time by disconnecting the Securosys Proxy or the connection to the HSM environment, ensuring continued control over key access and governance.
This approach helps organizations meet regulatory, compliance, and data sovereignty requirements while continuing to benefit from cloud-native services. Whether deployed on-premises or in the cloud, Securosys HSMs remain the sole location where cryptographic keys are stored and used.
Supported Cloud Platforms
AWS External Key Store (XKS)
AWS External Key Store (XKS) enables AWS Key Management Service (KMS) to use cryptographic keys stored outside AWS. The Securosys XKS Proxy acts as the communication layer between AWS KMS and your Securosys Primus HSM or CloudHSM, enabling AWS services to perform cryptographic operations while key material remains under your control.
Organizations can revoke AWS's ability to perform new cryptographic operations at any time by disconnecting the Securosys XKS Proxy or the connection to the HSM, ensuring continued control over key access and governance.
Deployed as a Docker container within your AWS cloud or on-premises environment, the Securosys XKS Proxy securely forwards requests between AWS KMS and your HSM without accessing cryptographic data. This enables organizations to use AWS services while maintaining key sovereignty and supporting stringent compliance requirements.
Azure external key management in Managed HSM
Azure external key management enables organizations to use customer-controlled cryptographic keys outside the Azure environment while integrating with Azure Key Vault Managed HSM.
When an external key operation is required, Azure Managed HSM communicates with the Securosys External Key Management (EKM) Proxy. The proxy securely forwards the request to a Securosys CloudHSM partition or an on-premises Securosys Primus HSM, where the cryptographic operation is performed. Azure workloads continue to use customer-managed keys through Azure Key Vault Managed HSM, while key material and governance remain under your control.
Delivered as an easy-to-deploy Docker container, the Securosys EKM Proxy can be deployed within Azure or in a customer-controlled environment, either on-premises or in the cloud. It securely connects Azure Managed HSM to your Securosys Primus HSM or CloudHSM using mutual TLS (mTLS), without exposing cryptographic key material.
This model strengthens data sovereignty by separating encrypted Azure workloads from the external cryptographic authority required to access them.
Organizations can also revoke Azure's ability to perform new cryptographic operations at any time by disconnecting the Securosys EKM Proxy or the connection to the HSM, ensuring continued control over key access and governance.
Salesforce Cache-Only Key Service
Salesforce Cache-Only Key Service extends Salesforce Shield Platform Encryption by allowing organizations to use encryption keys managed in Securosys Primus HSM or CloudHSM while benefiting from high performance and reliable cloud operations.
The Securosys Cache-Only Key Proxy securely connects Salesforce to your Securosys HSM environment, where Data Encryption Keys (DEKs) are generated and managed. Retrieved keys are temporarily cached within Salesforce, providing fast encryption and decryption operations while keeping control of the key lifecycle in your dedicated HSM environment.
Delivered as an easy-to-deploy Docker container, the Securosys Cache-Only Key Proxy communicates securely with both Salesforce and your Securosys Primus HSM or CloudHSM. Organizations can revoke Salesforce's ability to retrieve new encryption keys at any time by disconnecting the proxy or HSM connection, ensuring continued control over data access and key governance.
Key Benefits
FAQ
What is external key management?
What is the difference between external key management and BYOK?
Why use external key management?
How does the Securosys Proxy work?
Does the Securosys Proxy have access to my keys?
Can I keep my encryption keys outside my cloud provider?
Yes. Securosys enables AWS, Azure, and Salesforce to use cryptographic keys managed in Securosys Primus HSM or CloudHSM while keeping key material under your control.
For AWS, the Securosys XKS Proxy enables AWS Key Management Service (KMS) to perform cryptographic operations using keys stored outside AWS.
For Azure, the Securosys External Key Management (EKM) Proxy enables Azure Key Vault Managed HSM to securely interact with externally managed keys stored in Securosys HSMs.
For Salesforce, the Securosys Cache-Only Key Proxy enables Salesforce Cache-Only Key Service to retrieve Data Encryption Keys (DEKs) from Securosys HSMs while maintaining customer control over the key lifecycle.
Which cloud platforms are supported?
Where can the Securosys Proxy be deployed?
Is there a free trial?
How much does it cost?
Is the Securosys Proxy available as a managed service?
Who is responsible for managing the Securosys Proxy?
Related Products
Bring Your Own Keys (BYOK)
Enhancing cloud security and compliance with Securosys HSM and BYOK integration
