Bring your own key
Hold the key that unlocks everything.
On Enterprise, every brokered secret is wrapped under a KMS key in your own cloud account. We store only ciphertext and ask your KMS to unwrap on each use. Take away the grant and we can no longer decrypt anything, even though the data never moves.
your KMS · envelope encryption · revoke to cut access
{
  "ciphertext": "AQID…",
  "wrappedBy": "arn:aws:kms:…:key/acme",
  "axiorankCanDecrypt": false
}
How it works
We never hold a key we could not lose.
A data key encrypts each secret, then your KMS key wraps that data key. We keep the wrapped blob. To use a secret, we call your KMS to unwrap, an action your KMS logs and you can revoke.
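The envelope flow described above, as an added example that is not AxioRank's code: a stand-in CustomerKMS class (an assumption, not a real KMS client) holds the key-encryption key and logs every call, an HMAC-based encrypt-then-MAC helper stands in for AES-GCM so the example runs on the Python standard library alone, and clearing granted models revoking the grant. The record the broker keeps holds only ciphertext and the wrapped data key, so unwrapping fails the moment the grant is gone.

```python
import hashlib
import hmac
import os

class AccessDenied(Exception):
    """Raised when the customer has revoked the broker's grant."""

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM so the example runs offline.
    blocks = (hmac.new(key, b"\x01" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"\x02" + nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"\x02" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CustomerKMS:
    """Stand-in for the customer's KMS (constructed for this example): it alone holds
    the key-encryption key, every call is logged, and clearing granted revokes the grant."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)
        self.granted = True
        self.log: list[str] = []

    def call(self, op: str, data: bytes) -> bytes:  # models kms:Encrypt / kms:Decrypt
        self.log.append(op)
        if not self.granted:
            raise AccessDenied(f"kms:{op} denied: grant revoked")
        return seal(self._kek, data) if op == "Encrypt" else open_(self._kek, data)

def wrap_secret(kms: CustomerKMS, secret: bytes) -> dict:
    """Envelope a secret: a fresh data key seals it, then the KMS wraps the data key."""
    data_key = os.urandom(32)  # discarded with this frame; only the wrapped form is kept
    return {"ciphertext": seal(data_key, secret), "wrapped_key": kms.call("Encrypt", data_key)}

def unwrap_secret(kms: CustomerKMS, record: dict) -> bytes:
    """Ask the KMS to unwrap the data key, then open the secret; fails once revoked."""
    return open_(kms.call("Decrypt", record["wrapped_key"]), record["ciphertext"])
```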
What you get
Control that does not depend on our promises.
BYOK turns a trust relationship into a cryptographic one. The guarantee is enforced by your key, not by our policy.
Plaintext never rests with us
We store the wrapped blob and nothing else. The usable form of a secret only exists in memory, briefly, during a call.
Every unwrap is your audit trail
Each decrypt is a KMS call in your account, so your own logs show exactly when a secret was used.
Wire it up
Grant the role, point the workspace at your key.
Allow our role to call your key, then set the key ARN on the workspace. From then on, the broker wraps with your key.
{
  "Sid": "AllowAxioRankEnvelope",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::AXIORANK:role/broker" },
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": "*"
}
Pairs with the secrets broker
Keep the keys to your own kingdom.
Wrap every brokered secret under a key only your team controls, and make access something you can revoke in one place.