Quick Answer: What Is CMEK
Customer-managed encryption keys (CMEK) are encryption keys that you create, control, and rotate yourself, instead of letting your cloud or SaaS vendor manage them for you. CMEK gives you the ability to revoke access to your encrypted data at any time, even from the vendor that stores it. Regulated industries handling healthcare, financial, or government data often require CMEK.
What is CMEK?
Customer-managed encryption keys (CMEK) are encryption keys that the customer owns and controls. The vendor stores and processes your data. The customer holds the master key that protects it.
Most SaaS and cloud platforms encrypt customer data by default. Those default keys are created, stored, and rotated by the vendor. That works for most use cases. CMEK works differently. You generate the key in your own key management service (KMS) and grant the vendor permission to use it. If you revoke that permission, the vendor can no longer decrypt your data.
CMEK shifts some operational responsibility back to you. You become accountable for key creation, key rotation, and key destruction.
How does CMEK work?
The mechanics are simple at a high level.
- The customer generates a master key inside their own KMS. Common platforms include AWS KMS, Azure Key Vault, and Google Cloud KMS.
- The customer grants the vendor permission to use that key.
- When the vendor stores customer data, it encrypts the data with a data encryption key (DEK). The DEK is then wrapped using the customer’s master key.
- To read the data, the vendor must ask the customer’s KMS to unwrap the DEK. The customer can audit, deny, or revoke that request at any time.
This pattern is called envelope encryption. It is the standard for cloud-grade CMEK.
What is the difference between CMEK, BYOK, HYOK, and CSEK?
These terms get used interchangeably, but they mean different things.
| Model | Who owns the key | Where the key lives | Typical use case |
| --- | --- | --- | --- |
| Default (vendor-managed) | Vendor | Vendor’s KMS | Most SaaS, low regulatory burden |
| BYOK (Bring Your Own Key) | Customer | Vendor’s KMS after import | Customer wants to import a known key |
| CMEK (Customer-Managed Encryption Keys) | Customer | Customer’s KMS, used by vendor | Regulated workloads with revocation control |
| HYOK (Hold Your Own Key) | Customer | Customer’s premises only | Highest control, classified or sealed data |
| CSEK (Customer-Supplied Encryption Keys) | Customer | Customer supplies key per request | Narrow use cases, high operational burden |
For most regulated organizations, CMEK is the sweet spot. It gives strong control without the operational headache of HYOK or CSEK.
When do you need CMEK?
Most organizations do not need CMEK. Default vendor-managed encryption is fine for general SaaS workloads. You need CMEK when one or more of the following applies.
Healthcare – The proposed HIPAA Security Rule update would require encryption of ePHI at rest and in transit. CMEK makes that encryption verifiable to auditors and keeps revocation in the covered entity’s hands.
Financial services – PCI DSS, SOX, and several state banking regulations expect strong key management practices. CMEK is often the cleanest way to demonstrate them.
Government and defense – FedRAMP High, CJIS, and NIST SP 800-171 each push organizations toward customer-controlled keys for sensitive systems.
Legal – Law firms handling privileged client data or sealed records benefit from CMEK’s revocation control. So do firms holding healthcare or financial records under retainer.
Cross-border data sovereignty – If your data must stay inside a particular jurisdiction, CMEK can prove that the vendor cannot decrypt it outside that boundary.
High-stakes matters – Major M&A diligence, government investigations, and IP litigation often involve data that the parties want completely segregated from vendor staff.
When is CMEK overkill?
CMEK has real overhead. It is not the right tool when:
- Your team has no dedicated security or compliance staff
- Your workflow does not touch regulated or highly sensitive data
- The vendor’s default encryption already meets your compliance needs
- The work is internal only with no third-party data involved
The cost is operational. You manage the key lifecycle. A lost key can lock out your own data permanently. If your threat model does not require that control, CMEK is not the right answer.
How CMEK works at TitanFile
TitanFile offers CMEK as part of its enterprise security stack. Customers in healthcare, legal, financial services, and government use it when their compliance or risk teams require it.
Files are protected by AES-256 encryption in transit and at rest. The customer’s master key, held in the customer’s own KMS, wraps the data encryption keys. The customer can audit every key access request and revoke vendor access at any time.
CMEK sits on top of TitanFile’s standard controls. Those include SOC 2 Type II and ISO 27001 certifications, MFA, granular access, audit logs, geographic data residency options, and a Business Associate Agreement for healthcare customers.
If your compliance team has asked about CMEK, book a demo to walk through deployment. You can also start a 15-day free trial to see the platform first.
FAQs about CMEK (Customer-Managed Encryption Keys)
What does CMEK stand for?
CMEK stands for Customer-Managed Encryption Keys. The customer owns and controls the encryption key. The vendor stores the encrypted data.
What is the difference between CMEK and BYOK?
BYOK (Bring Your Own Key) lets the customer import a key into the vendor’s KMS. The vendor still holds and uses it. CMEK keeps the key in the customer’s own KMS at all times, so the customer can revoke access without coordinating with the vendor.
Does HIPAA require CMEK?
The current HIPAA Security Rule does not name CMEK. It requires that ePHI be protected, and encryption is the most reliable way to meet that. Many covered entities choose CMEK to make compliance auditable and to keep revocation control in their own hands.
How often should CMEK keys be rotated?
Most regulated organizations rotate keys at least once every 12 months. Some industries require shorter periods. Automated rotation in your KMS makes this easier to manage.
Bottom Line
Customer-managed encryption keys let you keep control of your data even when a vendor stores it. CMEK is not the right answer for every workflow. For regulated industries handling healthcare, financial, government, or sensitive legal data, it has become a near-standard requirement. Decide which of your data sets really need that level of control. Then choose vendors that support CMEK on the platforms that matter.