KeySafe is Box's key management service (KMS) that enables you to use your encryption keys to secure your content stored in Box. By leveraging customer-managed encryption keys, KeySafe provides:
- Independent key control
- Immutable audit log
- Content kill switch
KeySafe supports Amazon Web Services (AWS) KMS and Google Cloud Platform (GCP) KMS, as well as both platforms' Hardware Security Modules (HSMs), and integrates with existing workflows.
KeySafe and Box functionality
Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS. This section codifies specific limitations and supported scenarios when using KeySafe with Box.
KeySafe file encryption
Customer understands and acknowledges that KeySafe KMS encrypts file content uploaded to the Box Service, excluding Box Notes.
Known limitations
This section describes Box functionality limitations when using KeySafe:
- Box AI and file content: File content processed by Box AI is decrypted securely at query time using customer-managed keys, so individual file content remains under KeySafe protection.
- AI session data: AI session data and related metadata are not currently KeySafe-compatible.
- Vector store and search capability: The vector store and search capability that power Box AI are not currently KeySafe-compliant.
- Box AI for Hubs embeddings: Vector embeddings for Box AI for Hubs are encrypted with Box-managed keys, not customer-managed keys. Customers can disable Box AI for Hubs if desired.
- Full-text search: Full-text search indexes are encrypted with Box-managed keys. Customers can disable full-text search if desired.
- Metadata: Comments, descriptions, and metadata are encrypted with Box-managed keys.
Migration from Box
If a customer decides to disable KeySafe, their files will be re-encrypted using Box's standard encryption keys. This process replaces the customer-managed encryption keys with Box-managed encryption keys at a rate of approximately 100 files per second.