DuoKey for AWS XKS
The DuoKey for AWS XKS module is now available for customers who have a regulatory need to store and use their encryption keys outside of the AWS Cloud or on premises.
Our products are designed to take cloud security beyond industry standards, guaranteeing no one can access your critical data without authorization.
Protect your Data at Rest stored in AWS Cloud using our innovative MPC Key Management
AWS KMS forwards API calls to securely communicate with DuoKey for AWS XKS, ensuring that key material never leaves the XKS. This solution enables the encryption of data with external keys for most AWS services that support AWS KMS customer-managed keys, such as Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. There is no need to change existing configuration parameters or code for these services.
Built with Security and Privacy in mind
This new capability, which uses secure multiparty computation (MPC) rather than traditional hardware security modules (HSMs), offers several significant advantages for customers moving data to AWS. AWS has no access to any encryption keys.
Protect your keys
AWS KMS uses DuoKey XKS to unwrap Data Encryption Keys (DEKs) for use by supported services. DEKs protected by our MPC KMS are encrypted by DuoKey XKS. This ensures that DuoKey XKS never sees the customer's keys.
Prevent data-leakage
Organizations can control their risk by using an MPC Key Management System (KMS) solution which is called by the AWS XKS Proxy. This allows them to have exclusive control over their keys and data.
Always encrypted
This solution enables the encryption of data with external keys for most AWS services that support AWS KMS customer-managed keys, such as Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services.
MPC at scale to externalize your key management
When an AWS service is configured to encrypt data at rest, it requests a unique encryption key, known as the data encryption key, from AWS KMS. To protect these keys, AWS KMS encrypts them with a customer-managed key, also known as a root key. This is called envelope encryption, as the encrypted data and the encrypted key are stored together.
The root key material is now generated using a secure multi-party computation (MPC) process. This ensures that the key material is never revealed in plain text to any single party, including AWS KMS.
Root keys can be tied to data classification, different AWS services, or project tags, and can be unique to each AWS Region. When you create and manage root keys yourself, they are called customer-managed keys. When they are created on behalf of an AWS service, they are called AWS-managed keys. All KMS encryption and decryption operations happen within the secure environment of the MPC.
- Decryption is always performed by MPC
- No third-party can ever access your data
- Monitor who uses your keys
- Dedicated tenant and MPC nodes for storing your keys
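The envelope flow described above (a per-object data encryption key sealed under a root key, with the external key store doing only the wrap and unwrap of that DEK so the root key never leaves it, which is also the boundary the XKS proxy call from AWS KMS crosses) as an added Go example. This is not DuoKey's or AWS's code: `RootKeyHolder`, `Envelope`, `Encrypt`, `Decrypt` and the key IDs are hypothetical stand-ins, AES-256-GCM is assumed for both layers, and nothing here uses MPC; the root key lives in one process purely to show which operations cross the wrap/unwrap boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what a service persists beside its data; it never carries root key bytes.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(rootKey, DEK), AAD = root key ID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// RootKeyHolder is a hypothetical stand-in for the external key store behind an
// XKS proxy: callers get Wrap and Unwrap, never the root key itself.
type RootKeyHolder struct {
	rootKey []byte
	keyID   string
}

// NewRootKeyHolder generates a fresh 256-bit root key under the given (constructed) ID.
func NewRootKeyHolder(keyID string) (*RootKeyHolder, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &RootKeyHolder{rootKey: k, keyID: keyID}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext+tag using a random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong AAD or any tampering fails the GCM tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

// Wrap binds the root key ID as AAD, so a wrapped DEK only opens under that root key.
func (h *RootKeyHolder) Wrap(dek []byte) ([]byte, error) {
	return seal(h.rootKey, dek, []byte(h.keyID))
}
// Unwrap releases the plaintext DEK, which is all a caller ever receives.
func (h *RootKeyHolder) Unwrap(wrapped []byte) ([]byte, error) {
	return open(h.rootKey, wrapped, []byte(h.keyID))
}

// Encrypt is the envelope step: fresh DEK per object, data sealed under the DEK,
// DEK handed to the holder for wrapping, ciphertext and wrapped DEK stored together.
func Encrypt(h *RootKeyHolder, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := h.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the holder to unwrap the DEK, then opens the data locally.
func Decrypt(h *RootKeyHolder, env *Envelope) ([]byte, error) {
	dek, err := h.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap refused: %w", err)
	}
	return open(dek, env.Ciphertext, nil)
}
```

The point to check is what crosses the boundary: `Encrypt` and `Decrypt` only ever send a DEK in and get a DEK out, and an envelope produced under one `RootKeyHolder` fails authentication under another, so losing the stored envelope alone yields nothing without a call to the holder. In the real deployment the holder's role is played by the external key store behind the XKS proxy, and the page's claim is that the root key material there is additionally split across MPC nodes rather than held in one process as here.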
Granular Access Control Equals Robust Security
Granular access control provides strong authentication and authorizes individuals to access only the information they are allowed to use and see.
DuoKey has resolved an operational headache for us by letting us manage all keys in one place
Senior Information Security Architect
See our supported Key Vault for storing your encryption keys with AWS XKS
DuoKey AWS XKS can also leverage HSMs from industry vendors such as ATOS, Thales, Securosys and Entrust, and can also integrate our innovative MPC KmaaS powered by SEPIOR MPC.