These KeySafe KMS Technical Requirements (“KMS Technical Requirements”) apply to Customer’s purchase and use of KeySafe KMS, and Customer understands and acknowledges that in order to achieve a successful and trusted enterprise key management deployment and maintenance, there are on-going requirements that it needs to meet. Failure to undertake these requirements may result in failure of Customer’s KeySafe KMS and Box assumes no liability for any such failure by Customer.
Box may change these KMS Technical Requirements at any time by posting an updated version here, and such updates will be effective upon posting.
Customer must take reasonable steps to ensure that the Customer-owned key encryption keys (“C-KEKs”) are properly protected.
Third Party Providers
- In consultation with the Box consulting team (“Box Consulting”), Customer must contract with a Box KeySafe-approved Hosting Partner to achieve high availability and durability of the C-KEKs. For the avoidance of doubt, KeySafe KMS can only be hosted with a Box KeySafe KMS-approved Hosting Partner.
- Customer is required to maintain a separate and unique Box-approved KeySafe KMS-Hosting Partner account specifically dedicated to KeySafe KMS. For clarity, such account may not be utilized for any purpose other than KeySafe KMS.
- Customer is required to purchase and maintain support from the Box-approved Hosting Partner for KeySafe KMS.
- Customer is required to maintain dedicated encryption key(s) in KeySafe KMS solely for the purpose of encryption and decryption operations performed by Box. For clarity, KeySafe KMS encryption key(s) must not be shared with other applications or services for encryption and decryption operations.
- If Customer uses AWS CloudHSM for storing C-KEKs as part of the AWS KMS Custom Key Store offering, Customer is required to purchase a minimum of three (3) instances of AWS CloudHSM and place them in different availability zones. Box recommends that Customer work closely with Box to monitor usage during onboarding of additional User Accounts to determine whether additional AWS CloudHSM instances are needed to achieve high availability and durability of the C-KEKs. In any event, if Customer anticipates (a) more than 100,000 User Accounts; (b) material data migration; or (c) material changes in its use of KeySafe, then Customer will engage with Box Consulting to determine the minimum number of AWS CloudHSM instances.
Enabling KeySafe KMS on a Customer's instance of the Box Service requires Customer to provide certain information to Box to enable setup and support for KeySafe KMS, including but not limited to:
- Encryption KeyID
- Access Key
- Secret Access Key
Data Center Requirements
- As of the current version of these KMS Technical Requirements, Customer is required to provision KeySafe KMS in either: (i) AWS us-west-1 region; or (ii) AWS us-west-GovCloud (collectively, “KeySafe Service Provider Hosting Locations”).
- In the event Box relocates the Box data centers within the United States, and in order to maintain KeySafe KMS functionality and performance, Customer may be required to transition KeySafe KMS to a hosting location in close proximity to the relocated Box data centers within sixty (60) days of written notice from Box.
- Customer shall engage with Box Consulting prior to migration between any KeySafe Service Provider Hosting Locations. All such migrations require the assistance of Box Consulting and the separate purchase of professional and training services from Box.
Log Aggregation Tool
In order to purchase and use KeySafe KMS, it is recommended that Customer own and maintain a log aggregation tool (“Aggregation Tool”), and consume the KeySafe KMS logs through that Aggregation Tool.
Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS.
- As of the current version of these KMS Technical Requirements, Box Service functionality limitations include:
  - Full text search of the files needs to be disabled
  - Any 3rd party eDiscovery integration that relies solely on Box Search APIs
  - KeySafe KMS is not encrypting comments, descriptions and metadata with C-KEKs
- Migration off of the Box Service:
  - Customers using KeySafe KMS will have their files re-keyed to the non-KeySafe version at a rate of approximately 100 files per second. Box will make reasonable efforts to re-key files as quickly as possible given this limit.
- Customer understands and acknowledges that KeySafe KMS encrypts file content uploaded to the Box Service, excluding Box Notes.