Bring-your-own-key (BYOK) for encryption-at-rest

As an operator I can provide my own encryption key that will be the root of trust protecting data at rest. If I remove my key from the OSDU environment, then my data is rendered inert and cannot be decrypted. If I restore my key to the OSDU environment, then my data returns to being usable.

Operator Inputs

  • This is a requirement for ExxonMobil.
  • Chevron requires the use of Chevron's HSM or Azure Key Vault (but does not require BYOK if Azure Key Vault is used).
  • Petronas has indicated that they want to look at BYOK. They also prohibit storing secret data in any cloud, regardless of key management.
  • Repsol: Not required.
  • BP: Cloud provider key management is sufficient at the current time.

Definition of Done

  1. An OSDU operator can BYOK for data storage.
  2. An OSDU operator can remove their key. The data remains in place, but cannot be created, updated, or read.
  3. An OSDU operator can restore their key. The data returns to normal usability.
  4. These three requirements are implemented for all cloud providers (or gaps are documented).
Edited by Paco Hope (AWS)