
Key management modes

Mode                        Description                                       Best for
Quelden-managed             Quelden’s HSM infrastructure holds master keys    Getting started quickly
BYOK (Bring Your Own Key)   Your cloud KMS holds master keys                  AWS / Azure / GCP customers
HYOK (Hold Your Own Key)    Your on-premise HSM holds master keys             Air-gapped, regulated environments
In all three modes, Quelden cannot decrypt your files. The difference is who controls the master key and where it is stored. In BYOK and HYOK that control is enforceable from your side: revoking the IAM role, service principal or KMIP client certificate in your own KMS or HSM stops Enclave from performing any further unwrap operations.

AWS KMS (BYOK)

Prerequisites

  • An AWS account with KMS access
  • A symmetric CMK (Customer Managed Key) in your preferred region
  • An IAM role Enclave can assume via cross-account role assumption

Setup

  1. In AWS IAM, create a role enclave-kms-role with the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::QUELDEN_ACCOUNT_ID:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "YOUR_ORG_EXTERNAL_ID"
      }
    }
  }]
}
  2. Attach a policy to the role allowing kms:Encrypt, kms:Decrypt and kms:GenerateDataKey on your CMK, scoped to the key ARN rather than "*". Check the CMK's key policy as well: KMS evaluates the key policy in addition to IAM, so the role must also be permitted there (directly, or through the key policy's usual delegation to IAM in your account).
  3. In Enclave, navigate to Settings → Key Management → Add KMS and enter:
    • KMS type: AWS
    • Key ARN
    • Role ARN
    • External ID (shown in the Enclave UI; it must match the sts:ExternalId condition in the trust policy)
  4. Click Verify: Enclave will perform a test wrap/unwrap to confirm connectivity and permissions.
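To make the role setup checkable rather than copied by hand, here is an added example (not Enclave tooling, and not code from this page): it generates the trust policy and the key-permissions policy from the values above and lints a trust policy for the mistakes that defeat the cross-account design (a wildcard or wrong principal, a wildcard action, or a missing sts:ExternalId condition, which is the classic confused-deputy hole). The account ID, external ID and key ARN are placeholders.

```python
"""Added example (not part of the Enclave docs or product): generate the two
IAM documents for the BYOK role and lint a trust policy for the mistakes that
matter most. Account ID, external ID and key ARN below are placeholders."""
import json

QUELDEN_ACCOUNT_ID = "111111111111"        # placeholder for Quelden's AWS account
EXTERNAL_ID = "example-external-id-0001"   # placeholder; the real value is shown in the Enclave UI
KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/11111111-2222-3333-4444-555555555555"


def trust_policy(quelden_account_id, external_id):
    """Trust policy from the setup steps: only Quelden's account may assume the
    role, and only when it presents the per-org external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{quelden_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def key_permissions_policy(key_arn):
    """Identity policy for the role: the three KMS actions the docs list,
    scoped to the single CMK instead of '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": key_arn,
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy, expected_account):
    """Return findings for every Allow statement; an empty list means the trust
    policy grants exactly what the docs describe and nothing more."""
    findings = []
    expected = f"arn:aws:iam::{expected_account}:root"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a in ("*", "sts:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: wildcard Action")
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if not aws:
            findings.append(f"statement {i}: no AWS principal")
        for p in aws:
            if p != expected:  # "*" and any other account land here
                findings.append(f"statement {i}: unexpected principal {p!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = trust_policy(QUELDEN_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, QUELDEN_ACCOUNT_ID))
```

Run the linter against the trust policy you actually attached (for example the output of `aws iam get-role`) before clicking Verify; a successful wrap/unwrap proves connectivity, not that the role is locked down.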

Azure Key Vault (BYOK)

  1. Create a Key Vault in your Azure subscription (HSM-protected keys require the Premium tier, or Azure Managed HSM)
  2. Create an RSA-HSM key (4096-bit recommended)
  3. Register an Enclave service principal in your Azure AD tenant
  4. Grant the service principal Key Wrap and Key Unwrap permissions on the vault, and nothing more: it needs no get, list, backup or delete rights on keys
Enter the vault URI and key name in Settings → Key Management → Add KMS.

GCP Cloud KMS (BYOK)

  1. Create a KeyRing and CryptoKey in Cloud KMS
  2. Create a service account and grant it the cloudkms.cryptoKeyEncrypterDecrypter role on that CryptoKey only (bind the role at the key or key ring, not at project level)
  3. Download the service account JSON key
  4. Upload it in Settings → Key Management → Add KMS
The JSON key is a long-lived credential: keep no other copy, and rotate it by creating a new key for the service account and deleting the old one once Enclave has been updated.

On-premise HSM via KMIP (HYOK)

Enclave supports any KMIP 1.4+ compliant HSM:
  • Thales Luna Network HSM
  • Entrust nShield
  • Utimaco
  • AWS CloudHSM (KMIP mode)

Configuration

  1. Provision a KMIP client certificate for Enclave (from your HSM admin)
  2. In Enclave: Settings → Key Management → Add KMIP
  3. Enter:
    • KMIP endpoint (host:port)
    • Client certificate (PEM)
    • Client key (PEM)
    • CA certificate (PEM)
Connection is mutual TLS. Enclave never receives your HSM admin credentials.

Key rotation

Key rotation is managed in your KMS. After rotating the master key (that is, once the new master key or key version exists in your KMS):
  1. Trigger a re-wrap in Enclave via Settings → Key Management → Rotate
  2. Enclave unwraps each existing KEK with the old master key and re-wraps it with the new one
  3. The rotation event is recorded in the audit log with the old and new key IDs
File ciphertext is not re-encrypted; only the key wrapping layer changes, so rotation time scales with the number of KEKs rather than the volume of stored data. Keep the old master key enabled until the re-wrap has completed for every KEK; only then is it safe to disable it or schedule its deletion.
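The following is an added example, not Enclave's code, that models the re-wrap step described above. StubKms stands in for the customer's KMS (keys are addressed by ID and never leave it); seal/unseal, an HMAC-SHA256 keystream XOR with an HMAC tag, stand in for the real wrap primitive and are for illustration only. The per-file DEK layer under each KEK is an assumption about the layout, not something the page states. The demo rotates from master-v1 to master-v2, disables v1, and checks that the file still opens, that its ciphertext is byte-for-byte unchanged, and that the audit entry carries both key IDs.

```python
"""Added example, not Enclave code: master key -> KEK -> DEK hierarchy and the
re-wrap step. StubKms stands in for the customer's KMS; seal/unseal
(HMAC-SHA256 keystream XOR plus an HMAC tag) stand in for the real wrap
primitive and are for illustration only."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class StubKms:
    """Holds master keys by ID and exposes Encrypt/Decrypt; never hands key material out."""
    def __init__(self):
        self._keys = {}
    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
    def disable_key(self, key_id):
        del self._keys[key_id]
    def encrypt(self, key_id, plaintext):
        return seal(self._keys[key_id], plaintext)
    def decrypt(self, key_id, blob):
        return unseal(self._keys[key_id], blob)

class Enclave:
    """Master key (in the KMS) wraps KEKs; each KEK wraps per-file DEKs (assumed layout)."""
    def __init__(self, kms, master_key_id):
        self.kms, self.master_key_id = kms, master_key_id
        self.wrapped_keks = {}   # kek_id -> KEK sealed under the master key
        self.files = {}          # name -> (kek_id, wrapped DEK, file ciphertext)
        self.audit_log = []
    def _kek(self, kek_id):
        return self.kms.decrypt(self.master_key_id, self.wrapped_keks[kek_id])
    def create_kek(self, kek_id):
        self.wrapped_keks[kek_id] = self.kms.encrypt(self.master_key_id, os.urandom(32))
    def put_file(self, name, kek_id, data):
        dek = os.urandom(32)
        self.files[name] = (kek_id, seal(self._kek(kek_id), dek), seal(dek, data))
    def get_file(self, name):
        kek_id, wrapped_dek, ciphertext = self.files[name]
        return unseal(unseal(self._kek(kek_id), wrapped_dek), ciphertext)
    def rotate(self, new_master_key_id):
        """Rotation step 2: unwrap every KEK with the old master, re-wrap with the new.
        File ciphertext and wrapped DEKs are not touched."""
        old = self.master_key_id
        for kek_id, blob in list(self.wrapped_keks.items()):
            self.wrapped_keks[kek_id] = self.kms.encrypt(new_master_key_id, self.kms.decrypt(old, blob))
        self.master_key_id = new_master_key_id
        self.audit_log.append({"event": "master_key_rotated", "old_key_id": old,
                               "new_key_id": new_master_key_id,
                               "keks_rewrapped": len(self.wrapped_keks)})

def demo():
    """Rotate master-v1 -> master-v2, disable v1, and check the stored file still opens."""
    data = b"constructed sample file contents"
    kms = StubKms()
    kms.create_key("master-v1")
    enclave = Enclave(kms, "master-v1")
    enclave.create_kek("kek-tenant-a")
    enclave.put_file("report.pdf", "kek-tenant-a", data)
    kek_blob_before = enclave.wrapped_keks["kek-tenant-a"]
    file_ct_before = enclave.files["report.pdf"][2]
    kms.create_key("master-v2")
    enclave.rotate("master-v2")
    kms.disable_key("master-v1")   # old master gone; re-wrapped KEKs no longer depend on it
    return {
        "plaintext_roundtrip": enclave.get_file("report.pdf") == data,
        "file_ciphertext_unchanged": enclave.files["report.pdf"][2] == file_ct_before,
        "kek_wrapping_changed": enclave.wrapped_keks["kek-tenant-a"] != kek_blob_before,
        "audit": enclave.audit_log,
    }

if __name__ == "__main__":
    print(demo())
```

Note the order in demo(): the old master is disabled only after rotate() has returned. Disabling it first would leave every KEK unwrappable, which is exactly the failure the "keep the old key enabled until the re-wrap completes" rule guards against.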