Bring-your-own-key (BYOK) for encryption-at-rest
As an operator I can provide my own encryption key that will be the root of trust protecting data at rest. If I remove my key from the OSDU environment, then my data is rendered inert and cannot be decrypted. If I restore my key to the OSDU environment, then my data returns to being usable.
Operator Inputs
- This is a requirement for ExxonMobil.
- Chevron requires the use of Chevron's HSM or Azure Key Vault (but does not require BYOK if Azure Key Vault is used).
- Petronas has indicated that they want to look at BYOK. They also prohibit storing secret data in any cloud, regardless of key management.
- Repsol: Not required.
- BP: Cloud provider key management is sufficient at the current time.
Definition of Done
- An OSDU operator can BYOK for data storage.
- An OSDU operator can remove their key. The data remains in place, but cannot be created, updated, or read.
- An OSDU operator can restore their key. The data returns to normal usability.
- These three requirements are implemented for all cloud providers (or gaps are documented).
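
One way to model the three Definition of Done behaviours, as an added example that is not OSDU or cloud-provider code. It assumes envelope encryption with AES-256-GCM, where the operator's key wraps a data key; `Vault`, `Apply`, `crypt` and `ErrKeyRemoved` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyRemoved = errors.New("operator key not present")

// Vault is hypothetical: KEK is the operator-supplied key (nil once removed);
// the data key (DEK) is persisted only in wrapped form under that KEK.
type Vault struct{ KEK, WrappedDEK []byte }

// crypt seals in under key (random nonce prepended) or, if decrypt, opens it.
func crypt(key, in []byte, decrypt bool) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(b)
	if err != nil || (decrypt && len(in) < g.NonceSize()) {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	if decrypt {
		return g.Open(nil, in[:g.NonceSize()], in[g.NonceSize():], nil)
	}
	n := make([]byte, g.NonceSize())
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return g.Seal(n, n, in, nil), nil
}

// Apply unwraps the data key with the KEK, then encrypts or decrypts in.
func (v *Vault) Apply(in []byte, decrypt bool) ([]byte, error) {
	if v.KEK == nil {
		return nil, ErrKeyRemoved
	}
	dek, err := crypt(v.KEK, v.WrappedDEK, true)
	if err != nil {
		return nil, err
	}
	return crypt(dek, in, decrypt)
}

func main() { fmt.Println((&Vault{}).Apply([]byte("well log"), false)) }
```

Setting `KEK` to nil models key removal: the ciphertext and the wrapped data key stay in place, and assigning the same key back makes them readable again, while a different key fails to unwrap.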