At legal-i, we use AWS Key Management Service (KMS) for key management. To further ensure the confidentiality of your data, KMS is the origin and secret storage for these keys. The encryption, decryption, and key management processes are regularly audited and reviewed by AWS as part of their existing internal validation processes. Each key is assigned an owner responsible for enforcing an appropriate level of security controls.
We also employ envelope encryption. AWS holds the master key, which we never see, and every request to encrypt or decrypt a key requires the correct AWS roles and permissions. When using envelope encryption to create or generate keys for individual customers, we have various data keys for different data types in our data stores.
Additionally, we have an encryption approach for the internal application layer, which provides backup data keys in other AWS regions. The keys are automatically rotated annually. If desired, we also offer BYOK (Bring Your Own Key) encryption, allowing you to encrypt your cloud product data with self-managed keys in AWS KMS. With BYOK, you have full control over the management of your keys and can grant or revoke access to your data at any time.
AWS KMS can be integrated with AWS CloudTrail in your AWS account to provide logs of all key usages. This solution enables the encryption of your data at various levels within the applications, such as databases, file storage, as well as our internal caches and event queues. Throughout the entire process, there is no impact on product usability.