KeySafe is Box's key management service (KMS) that enables you to use your encryption keys to secure your content stored in Box. By leveraging customer-managed encryption keys, KeySafe provides:
- Independent key control
- Unchangeable audit log
- Content kill switch
KeySafe supports Amazon Web Services (AWS) KMS, Google Cloud Platform (GCP) KMS as well as both platforms' Hardware Security Modules (HSM), integrating seamlessly with existing workflows.
KeySafe and Box Functionality
Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS. This section codifies specific limitations and supported scenarios when using KeySafe with Box.
KeySafe File Encryption
Customer understands and acknowledges that KeySafe KMS encrypts file content uploaded to the Box Service, excluding Box Notes.
Known Limitations
This section describes Box functionality limitations when using KeySafe:
- Full-text search: Full-text search indexes are encrypted with Box-managed keys. Customers have the ability to disable full-text search, if desired.
- Metadata: Comments, descriptions, and Metadata are encrypted with Box-managed keys.
- Box AI for Hubs: Box AI is supported in scenarios such as single-document and multi-document queries, where:
  - Content is decrypted securely at the time of the AI query using customer-managed keys.
  - Vector embeddings required for Box AI for Hubs are encrypted with Box-managed keys.

  Customers have the ability to disable Box AI for Hubs, if desired.
Migration Off Of Box
If a customer decides to disable KeySafe, their files will be re-encrypted using Box's standard encryption keys. This process replaces the customer-managed encryption keys with Box-managed encryption keys at a rate of approximately 100 files per second.