Bring Your Own Key (BYOK)
Bring Your Own Key (BYOK) is an additional security functionality that allows customers to retain full control over their stored data by managing their own encryption keys via an external Azure Key Vault. This functionality offers a higher level of control and can be seamlessly integrated into existing security structures. Organizations can thus ensure that their sensitive data remains secure and under their control while Jedox encrypts the data at rest using these keys.
Benefits
- Customers control their own encryption keys and store them in their self-hosted Azure Key Vault.
- Jedox uses these encryption keys to encrypt data stored on the disk (data at rest).
- Customers can revoke Jedox’s access to their data at any time by revoking access to their encryption keys.
Use cases
Customers can revoke Jedox’s permission to the encryption keys and thus effectively block access to their stored data. This ensures data protection, especially when the contract with Jedox ends. As soon as access is restored, the Jedox instance can resume operations without any data loss.
Customers can generate encryption keys using their preferred methods, such as:
- Any method of key generation that meets the company's requirements and legal regulations.
- The option to use a Hardware Security Module (HSM) for locally generated encryption keys.
Technical requirements
To use BYOK, customers must provide their own Azure Key Vault. This approach ensures additional flexibility for key management.
- The Key Vault must be hosted on the customer’s own Azure tenant.
- Customers are responsible for maintaining and securing their Azure Key Vault.
- Customers set up their Azure Key Vault.
- Customers share the Key Vault URL and credentials with Jedox.
- Customers store encryption keys in the Key Vault.
- Jedox accesses these keys to encrypt the data at rest.
Security considerations
Customers maintain full authority over their encryption keys, ensuring that only authorized users can manage them.
Jedox applies security patches continuously to ensure data protection, while customers remain responsible for securing their Key Vault.
Frequently Asked Questions
Does BYOK need to be purchased for each Jedox Cloud instance?
BYOK applies to all cloud instances on the customer's account.
What happens if the encryption key is lost?
If the encryption key is lost, the encrypted data cannot be recovered. It is the customer's responsibility to store and manage their encryption keys securely.
Does BYOK encrypt data in transit?
No, BYOK encrypts only data at rest. Data in transit (loaded into the Kubernetes cluster) is not covered by BYOK.
What happens when a customer revokes access to their encryption keys?
If the customer revokes access, Jedox will no longer be able to decrypt data at rest. Once access is restored, the instance will function as before without data loss.
Can BYOK be used with an HSM?
Yes, the customer can generate encryption keys using an HSM before storing them in the Azure Key Vault.
Can other Key Vaults be used besides Azure?
No, BYOK requires the use of an Azure Key Vault. Other Key Vault solutions are not supported.
How does BYOK impact compliance?
BYOK helps organizations meet strict compliance requirements by allowing full control over encryption mechanisms and ensuring that data remains encrypted according to regulatory standards.
Updated April 7, 2026