Version: 1.0 | Last Updated: April 2026 | Status: Draft

BYOK/CMK Encryption

Setup Time: 30 minutes

Bring Your Own Key (BYOK) encryption gives enterprise customers complete control over their encryption keys. Your Customer Managed Key (CMK) lives in your AWS account, giving you full sovereignty over your data.

Why BYOK?

Requirement	Without BYOK	With BYOK
Data Sovereignty	ASCEND manages keys	You control keys in your AWS account
Revocation	Request ASCEND to delete	Revoke access instantly by disabling CMK
Audit Trail	ASCEND CloudTrail	Your CloudTrail with full key usage
Compliance	Standard encryption	FedRAMP, HIPAA, PCI-DSS Ready
Key Rotation	ASCEND managed	Your rotation schedule

How It Works

┌─────────────────────────────────────────────────────────────────────────┐
│                          YOUR AWS ACCOUNT                                │
│                                                                          │
│  ┌────────────────────┐                                                 │
│  │   AWS KMS          │                                                 │
│  │   ┌────────────┐   │                                                 │
│  │   │  Your CMK  │   │◀── You create and control this                 │
│  │   └─────┬──────┘   │                                                 │
│  └─────────┼──────────┘                                                 │
│            │                                                             │
│            │ kms:Encrypt / kms:Decrypt                                  │
│            │ (Cross-account access)                                      │
│            ▼                                                             │
└────────────┼─────────────────────────────────────────────────────────────┘
             │
┌────────────┼─────────────────────────────────────────────────────────────┐
│            │              ASCEND PLATFORM                                │
│            ▼                                                             │
│  ┌────────────────────┐      ┌────────────────────┐                     │
│  │   Envelope         │      │   Your Encrypted   │                     │
│  │   Encryption       │─────▶│   Data (DEK)       │                     │
│  │   (DEK wrapped     │      │                    │                     │
│  │    by your CMK)    │      │   Only decryptable │                     │
│  └────────────────────┘      │   with your CMK    │                     │
│                              └────────────────────┘                     │
└──────────────────────────────────────────────────────────────────────────┘

Envelope Encryption

Data Encryption Key (DEK) — Generated by ASCEND for each encryption operation
Your CMK wraps the DEK — DEK is encrypted with your key before storage
Decryption requires your CMK — Without your key, data is unreadable

FAIL SECURE Design

Critical Security Design

BYOK is designed to FAIL SECURE. This protects your data but means:

If your CMK becomes inaccessible → Data operations are blocked
If you revoke ASCEND's access → Data becomes unreadable
If you delete your CMK → Data is permanently lost

Scenario	Result	Recovery
CMK temporarily unavailable	Operations blocked	Restore CMK access
CMK access revoked	Data unreadable	Re-grant access
CMK deleted	Data permanently lost	No recovery possible
CMK key material deleted	Data permanently lost	No recovery possible

Prerequisites

Before enabling BYOK, ensure you have:

AWS Account with KMS permissions
IAM user/role that can create KMS keys
ASCEND Enterprise subscription
Admin access to your ASCEND organization

Quick Start

Step 1: Create Your CMK in AWS

aws kms create-key \
  --description "ASCEND BYOK encryption key" \
  --key-usage ENCRYPT_DECRYPT \
  --origin AWS_KMS

Step 2: Grant ASCEND Cross-Account Access

Add this key policy to allow ASCEND to use your key:

{
  "Sid": "Allow ASCEND to use key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<ASCEND_AWS_ACCOUNT_ID>:role/ascend-byok-service"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}

Step 3: Register Your Key with ASCEND

curl -X POST https://pilot.owkai.app/api/v1/byok/keys \
  -H "Authorization: Bearer $ASCEND_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "cmk_arn": "arn:aws:kms:us-east-2:<YOUR_AWS_ACCOUNT_ID>:key/YOUR_KEY_ID",
    "cmk_alias": "ascend-encryption-key"
  }'

Step 4: Acknowledge Legal Waiver

Before BYOK is activated, you must acknowledge the legal waiver:

curl -X POST https://pilot.owkai.app/api/v1/byok/legal-waiver/acknowledge \
  -H "Authorization: Bearer $ASCEND_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "acknowledge_data_loss_risk": true,
    "acknowledge_key_management_responsibility": true,
    "acknowledge_no_liability": true
  }'

API Endpoints

Endpoint	Method	Description
`/api/v1/byok/keys`	POST	Register your CMK
`/api/v1/byok/keys`	GET	Get current key status
`/api/v1/byok/keys`	DELETE	Revoke/remove registered key
`/api/v1/byok/keys/rotate`	POST	Trigger DEK rotation
`/api/v1/byok/health`	GET	Check key health status
`/api/v1/byok/audit`	GET	View BYOK audit log
`/api/v1/byok/legal-waiver`	GET	Get legal waiver text
`/api/v1/byok/legal-waiver/acknowledge`	POST	Acknowledge waiver
`/api/v1/byok/legal-waiver/status`	GET	Check waiver status

Compliance

ASCEND BYOK supports your compliance program for the following frameworks:

Standard	Relevant Requirement	How BYOK Helps
SOC 2	CC6.1 Encryption of sensitive data	Customer retains key ownership in their AWS account
PCI-DSS	3.5.1 Key management procedures	Customer manages KMS key lifecycle and access policy
HIPAA	164.312(a)(2)(iv) Encryption	AES-256 envelope encryption with customer-managed CMK
FedRAMP	AC-3 Access enforcement	Cross-account IAM restricts key usage to authorized roles
GDPR	Art. 32 Security of processing	Key residency in customer-selected AWS region

note

BYOK is one component of a comprehensive compliance program. Achieving certification under these frameworks requires additional organizational, procedural, and technical controls beyond key management.

Key Rotation

ASCEND supports both automatic and manual key rotation:

Automatic DEK Rotation

curl -X POST https://pilot.owkai.app/api/v1/byok/keys/rotate \
  -H "Authorization: Bearer $ASCEND_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "rotation_type": "dek",
    "reason": "Scheduled quarterly rotation"
  }'

CMK Rotation (Your Responsibility)

Enable automatic rotation in AWS KMS:

aws kms enable-key-rotation --key-id YOUR_KEY_ID

Monitoring

Health Check

curl https://pilot.owkai.app/api/v1/byok/health \
  -H "Authorization: Bearer $ASCEND_TOKEN"

Response:

{
  "status": "healthy",
  "key_status": "active",
  "last_encryption": "2026-04-02T10:30:00Z",
  "last_decryption": "2026-04-02T10:29:55Z",
  "cmk_accessible": true
}

Audit Log

curl "https://pilot.owkai.app/api/v1/byok/audit?limit=100" \
  -H "Authorization: Bearer $ASCEND_TOKEN"

Next Steps

Setup Guide — Detailed step-by-step instructions
API Reference — Complete API documentation
Troubleshooting — Common issues and solutions

Support

For BYOK-related issues:

Email: security@owkai.app
Enterprise Support: Contact your account representative
Emergency: Use your enterprise support hotline

Why BYOK?​

How It Works​

Envelope Encryption​

FAIL SECURE Design​

Prerequisites​

Quick Start​

Step 1: Create Your CMK in AWS​

Step 2: Grant ASCEND Cross-Account Access​

Step 3: Register Your Key with ASCEND​

Step 4: Acknowledge Legal Waiver​

API Endpoints​

Compliance​

Key Rotation​

Automatic DEK Rotation​

CMK Rotation (Your Responsibility)​

Monitoring​

Health Check​

Audit Log​

Next Steps​

Support​