Enabling KeySafe with Amazon Web Services

KeySafe must be configured initially by Box Support and the Amazon Web Services (AWS) requirements for KeySafe must be met before you can enable KeySafe with Amazon Web Services.

1. Go to Admin Console > Enterprise Settings.
2. Select the Security tab.
3. In the KeySafe section, click Enable.
4. Enter your AWS Account ID and Key ID.
5. Select Enable.
6. Select Save.

Multi-region AWS KMS 

To enable multi-region AWS KMS: 

1. Provide your multi-region AWS KMS to Box. 
2. Give permission in AWS for Box to use your backup and primary keys. 

With multi-region AWS KMS: 

• Box automatically detects the primary and backup keys. 
• If there is a temporary outage in one of the KMS locations, Box KeySafe automatically switches to using one of the other locations to ensure seamless Box use.
• If your primary AWS KMS location is inoperable, Box continues to operate using your backup locations, so data remains accessible. 
• Box automatically uses the nearest KMS location to ensure the lowest possible latency to decrypt content.

Optimize zone based on location

Provision your primary key in the AWS region that is closest to your default Box Zone. You can create replica keys in the AWS regions nearest to the Box Zones where your users are located, so they are ready when Box support for multi-region KeySafe is available. 

Our recommendation for the AWS KMS region is based on minimizing latency between Box’s infrastructure and the KMS location, as lower latency directly contributes to a better experience:

We recommend the us-west2 region in the U.S. as it offers lower latency and significantly higher default request quotas compared to other regions. 

If you provision KMS in regions with lower request quotas, you should work with AWS to match your quota to that of us-west2. Otherwise you may encounter issues during traffic surges.