Inferensys

Glossary

Customer-Managed Key (CMK)

An encryption key whose lifecycle, access policy, and storage are fully controlled by the data owner within their own sovereign boundary, preventing the cloud provider from accessing the plaintext data.
Modern secure data center corridor with blue accent lighting, no people, architectural tech aesthetic, natural iPhone-style.
ENCRYPTION KEY MANAGEMENT

What is Customer-Managed Key (CMK)?

A Customer-Managed Key (CMK) is a cryptographic key whose lifecycle, access policy, and storage are fully controlled by the data owner within their own sovereign boundary, preventing the cloud provider from accessing the plaintext data.

A Customer-Managed Key (CMK) is a cryptographic key generated, stored, and governed entirely within the customer's exclusive control plane, typically inside a dedicated Hardware Security Module (HSM) or sovereign key management service. Unlike provider-managed keys, the cloud operator has no technical ability to access the plaintext key material or the data it protects, enforcing a strict separation of duties.

This model implements a Hold Your Own Key (HYOK) architecture, where key operations like rotation, revocation, and auditing are executed against the customer's own infrastructure. By integrating CMKs with envelope encryption, the data encryption key (DEK) is wrapped by the CMK, ensuring that disabling the CMK at the customer's layer renders all dependent ciphertext immediately and cryptographically inaccessible to any external actor.

SOVEREIGN KEY MANAGEMENT

Core Characteristics of a CMK

A Customer-Managed Key (CMK) is the cryptographic anchor of a sovereign data strategy. It transfers ultimate control over data access from the infrastructure provider to the data owner by ensuring the plaintext encryption key exists exclusively within the customer's logical and physical security boundary.

01

Full Lifecycle Control

The defining characteristic of a CMK is that the customer, not the cloud provider, governs the entire cryptographic lifecycle. This includes:

  • Key Generation: Created inside a customer-controlled Hardware Security Module (HSM) or key management server.
  • Rotation: Automated periodic replacement of cryptographic material without provider intervention.
  • Revocation: The ability to instantly destroy the key, rendering all dependent data cryptographically inaccessible (crypto-shredding).
  • Disablement: Temporarily suspending key access to pause all encryption/decryption operations immediately.
02

Strict Access Policy Enforcement

A CMK is governed by a resource-based policy document defined and managed exclusively by the customer. This policy enforces the principle of least privilege by:

  • Defining which principals (users, roles, services) can administer the key versus use the key.
  • Enforcing separation of duties: a user with 'usage' permissions cannot delete or modify the key's schedule.
  • Requiring explicit authorization for cross-account access, preventing the cloud provider's administrative root accounts from decrypting data.
  • Integrating with external authorization systems to mandate just-in-time approval workflows before key usage.
03

External Key Store Origin

For true sovereignty, the CMK's authoritative copy must reside outside the cloud provider's default infrastructure. This is achieved by:

  • External Key Store (XKS): The key material is generated and stored in an on-premises HSM or a sovereign cloud HSM.
  • Proxy Architecture: The cloud service communicates with the external HSM via a secure, authenticated API to request cryptographic operations.
  • No Key Export: The private key material never leaves the customer's HSM boundary; only the results of cryptographic operations are returned.
  • This architecture ensures that even if the cloud's control plane is compromised, the key material remains physically isolated.
04

Envelope Encryption Integration

CMKs rarely encrypt bulk data directly due to performance constraints. Instead, they operate within an envelope encryption hierarchy:

  • Data Encryption Keys (DEKs) are generated locally to encrypt the actual data at high speed.
  • The CMK acts as a Key Encryption Key (KEK) that wraps (encrypts) the DEK.
  • This creates a secure, efficient system where the CMK protects a hierarchy of thousands of data keys.
  • Rotating the CMK only requires re-wrapping the DEKs, not re-encrypting petabytes of stored data, enabling seamless cryptographic agility without massive data processing jobs.
05

Auditability and Tamper-Proof Logging

Every operation involving a CMK generates an immutable audit record, providing the forensic trail required for regulatory compliance. Key logging characteristics include:

  • Write-Once-Read-Many (WORM) storage for all key access logs to prevent tampering.
  • Recording of every Encrypt, Decrypt, ReEncrypt, and Rotate API call, including the requesting principal and source IP.
  • Integration with Security Information and Event Management (SIEM) systems to trigger real-time alerts on anomalous key usage patterns.
  • This log provides non-repudiation, proving definitively who accessed the key and when, which is critical for data lineage and provenance metadata verification.
06

Crypto-Shredding for Instant Data Deletion

A CMK provides a unique security property known as crypto-shredding, which is a highly reliable method for secure data deletion in distributed systems. The process works as follows:

  • Instead of attempting to reliably overwrite every replica of a data object across a distributed storage cluster, the data owner simply revokes and deletes the CMK.
  • All data encrypted under that CMK, and its derived DEKs, instantly becomes indecipherable ciphertext.
  • This is functionally equivalent to deletion but is instantaneous and verifiable via the key management audit log.
  • This technique is particularly powerful for enforcing data residency requirements by ensuring that data which accidentally replicated to a non-compliant region is rendered permanently inaccessible.
ENCRYPTION KEY MANAGEMENT MODELS

CMK vs. Provider-Managed Keys vs. HYOK

Comparison of key ownership, control, and security boundaries across the three primary cloud encryption key management strategies.

FeatureProvider-Managed KeysCustomer-Managed Key (CMK)Hold Your Own Key (HYOK)

Key Generation Location

Cloud provider HSM

Cloud provider HSM (customer-initiated)

Customer on-premises HSM

Key Storage Location

Provider-managed key store

Provider HSM, isolated per customer

Customer-owned HSM only

Key Exportability

Provider Access to Plaintext Key

Customer Controls Key Lifecycle

Automatic Key Rotation

Revocation Latency

< 1 second

< 1 second

Depends on HSM availability

Typical Use Case

Default storage encryption

Regulated workloads requiring auditability

Sovereign data with zero provider trust

CMK DEEP DIVE

Frequently Asked Questions

Explore the critical technical and operational questions surrounding Customer-Managed Keys, the cornerstone of cryptographic sovereignty in sovereign AI infrastructure.

A Customer-Managed Key (CMK) is a cryptographic key whose entire lifecycle—including generation, rotation, access policy, and storage—is fully controlled by the data owner within their own sovereign boundary, not by the cloud provider. Unlike provider-managed keys, a CMK ensures the cloud provider has no technical ability to access the plaintext data. The mechanism relies on a strict separation of duties: the cloud service holds the encrypted data, but the customer holds the key in an external, customer-controlled Hardware Security Module (HSM) or Key Management Service (KMS). When a service needs to decrypt data, it must make an authorized request to the customer's KMS. The KMS validates the request against the customer's defined Identity and Access Management (IAM) policies before performing the cryptographic operation, logging every access attempt in an immutable audit log. This architecture is fundamental to Hold Your Own Key (HYOK) strategies, ensuring that even if a subpoena is served on the cloud provider, the data remains inaccessible without the customer's explicit cryptographic authorization.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.