
Bring Your Own Key (BYOK)

FORG Enterprise BYOK encrypts all stored telemetry and session data for your org under a key that lives in your own KMS. FORG never holds the KMS key material: it stores only a data encryption key wrapped by your KMS key, so your data can be decrypted only while the KMS key is enabled and your IAM policy or grant allows FORG's service identity to use it.

Supported KMS providers

  • AWS KMS (symmetric KMS key, formerly called a CMK)
  • Azure Key Vault (RSA or AES key)
  • Google Cloud KMS (symmetric key)
  • HashiCorp Vault (Transit secrets engine)

How BYOK works

  1. You create a KMS key and grant FORG's service identity encrypt/decrypt permissions on it
  2. FORG generates a data encryption key (DEK) per org, wraps it with your KMS key, and stores only the wrapped DEK; the plaintext DEK is never persisted
  3. On each read or write, FORG calls your KMS to unwrap the DEK, uses it in memory for that operation, and discards it
  4. If you revoke FORG's grant or disable the key, no DEK can be unwrapped and your data is unreadable until access is restored; if you delete the key, the wrapped DEKs become permanently unreadable once deletion completes

Setup — AWS KMS

Step 1 — Create a KMS key

# Create a symmetric encryption key in the region you will enter in the FORG dashboard.
aws kms create-key \
  --region us-east-1 \
  --description "FORG BYOK - your-org-name" \
  --key-usage ENCRYPT_DECRYPT \
  --key-spec SYMMETRIC_DEFAULT \
  --query KeyMetadata.Arn --output text

# The command prints the key ARN, which you need for the grant and the dashboard, e.g.:
# arn:aws:kms:us-east-1:123456789012:key/abc12345-...

Step 2 — Grant FORG access

# FORG's AWS service principal (provided during onboarding):
# arn:aws:iam::FORG_ACCOUNT_ID:role/forg-byok-role

# Grant only the operations FORG needs. The grant itself authorizes the cross-account
# principal; your key policy does not have to mention FORG's account. --name makes the
# call idempotent if you re-run it.
aws kms create-grant \
  --key-id <your-key-arn> \
  --name forg-byok \
  --grantee-principal arn:aws:iam::FORG_ACCOUNT_ID:role/forg-byok-role \
  --operations Encrypt Decrypt GenerateDataKey DescribeKey \
  --query GrantId --output text

# Record the GrantId: it is what you pass to "aws kms retire-grant" or "aws kms revoke-grant"
# if you later need to cut FORG's access. Audit with: aws kms list-grants --key-id <your-key-arn>

Step 3 — Configure BYOK in FORG

Go to Dashboard → Settings → Encryption → Enable BYOK:

KMS provider:  AWS KMS
Key ARN:       arn:aws:kms:us-east-1:123456789012:key/abc12345-...
Region:        us-east-1

The Region field must match the region in the key ARN. FORG performs a test Encrypt/Decrypt call through the grant to verify access before activating BYOK; a freshly created grant can take a few minutes to propagate, so if the check fails right after Step 2, wait and retry. Existing data is re-encrypted under the new key during a background migration job (typically completes within 1 hour for Enterprise orgs) and stays readable throughout.

Key rotation

You can rotate your KMS key at any time. With AWS KMS automatic rotation, new key material is generated under the same key ARN and the previous material is retained for decryption, so existing wrapped DEKs remain readable throughout and nothing needs to change in the dashboard. FORG detects the new key version via KMS key version tracking and re-wraps all DEKs under it in a background job; only the wrapped DEKs change, the stored telemetry is not re-encrypted. No downtime or data access interruption occurs during rotation.

# Enable automatic rotation on your KMS key (the AWS default period is one year):
aws kms enable-key-rotation --key-id <your-key-arn>

# Confirm it is on:
aws kms get-key-rotation-status --key-id <your-key-arn>

Key revocation

Revoking FORG's access to your KMS key makes every wrapped DEK for your org unusable, and with it all stored telemetry and session data: dashboard access shows an error and signal processing halts until access is restored. Whether the revocation is reversible depends on how you do it:

  • Retiring or revoking the grant, or disabling the key (aws kms disable-key), is reversible: recreate the grant or re-enable the key and FORG can unwrap the DEKs again.
  • Scheduling key deletion (aws kms schedule-key-deletion) can still be cancelled during the mandatory waiting period of 7 to 30 days, but once the key is deleted the wrapped DEKs, and all data encrypted under them, are permanently unreadable.

Warning: Deleting the key is the one irreversible action. If you intend to migrate to a different key, keep the existing key enabled, with its grant in place, until the dashboard confirms your data is accessible under the new key; disable the old key only then, and schedule deletion last.
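The wrap/unwrap lifecycle from "How BYOK works", together with the rotation and revocation behaviour described above, as an added, runnable illustration. This is not FORG's code: CustomerKms is a stand-in for your KMS that keeps key versions, an enabled flag and a grant list, and the HMAC-based seal/unseal pair is a standard-library stand-in for AES-GCM so the file runs without third-party packages. The principal name, the encryption context format and the sample telemetry record are all assumed.

```python
"""Envelope encryption as used by BYOK: a per-org DEK wrapped by a customer-held
KMS key, unwrapped on every access, re-wrapped after rotation, and unusable once
the grant is revoked or the key material is deleted. Added example, not FORG code."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-CTR).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    # Encrypt-then-MAC with a random nonce; aad is bound into the tag like an AEAD.
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    mac_input = len(aad).to_bytes(4, "big") + aad + nonce + ct
    return nonce + ct + hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_input = len(aad).to_bytes(4, "big") + aad + nonce + ct
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or AAD tampered")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class CustomerKms:
    """Customer-side KMS stand-in. Key material never leaves this class; callers only
    receive wrapped blobs. Rotation adds a version and keeps old ones for decryption;
    grant revocation and disabling are reversible; deleting material is not."""

    def __init__(self) -> None:
        self.versions = {1: secrets.token_bytes(32)}
        self.current = 1
        self.enabled = True
        self.grants: set[str] = set()

    def create_grant(self, principal: str) -> None:
        self.grants.add(principal)

    def revoke_grant(self, principal: str) -> None:
        self.grants.discard(principal)

    def rotate(self) -> None:
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)

    def delete_key(self) -> None:
        # Models completed scheduled deletion: the material is gone for good.
        self.versions.clear()
        self.enabled = False

    def _authorize(self, principal: str) -> None:
        if not self.enabled:
            raise PermissionError("key is disabled or deleted")
        if principal not in self.grants:
            raise PermissionError(f"no grant for {principal}")

    def encrypt(self, principal: str, plaintext: bytes, context: bytes) -> tuple[int, bytes]:
        self._authorize(principal)
        return self.current, seal(self.versions[self.current], plaintext, context)

    def decrypt(self, principal: str, version: int, blob: bytes, context: bytes) -> bytes:
        self._authorize(principal)
        return unseal(self.versions[version], blob, context)


FORG_PRINCIPAL = "forg-byok-role"  # assumed name for FORG's service identity


class ForgOrgStore:
    """Service-side view of one org: persists only the wrapped DEK and ciphertexts."""

    def __init__(self, kms: CustomerKms, org_id: str) -> None:
        self.kms = kms
        self.context = f"org={org_id}".encode()  # assumed encryption context tying the DEK to the org
        dek = secrets.token_bytes(32)  # plaintext DEK exists only transiently
        self.wrapped_dek = kms.encrypt(FORG_PRINCIPAL, dek, self.context)
        self.records: dict[str, bytes] = {}

    def _unwrap_dek(self) -> bytes:
        version, blob = self.wrapped_dek
        return self.kms.decrypt(FORG_PRINCIPAL, version, blob, self.context)

    def put(self, name: str, data: bytes) -> None:
        self.records[name] = seal(self._unwrap_dek(), data, name.encode())

    def get(self, name: str) -> bytes:
        return unseal(self._unwrap_dek(), self.records[name], name.encode())

    def rewrap(self) -> int:
        # After rotation: unwrap under the old version, wrap under the current one.
        # Stored ciphertexts are untouched; only the wrapped DEK changes.
        self.wrapped_dek = self.kms.encrypt(FORG_PRINCIPAL, self._unwrap_dek(), self.context)
        return self.wrapped_dek[0]


def _readable(store: ForgOrgStore, name: str) -> bool:
    try:
        store.get(name)
        return True
    except (PermissionError, KeyError):
        return False


def lifecycle_demo() -> dict:
    # Walks through grant, write/read, rotation + re-wrap, revoke, restore, delete.
    kms = CustomerKms()
    kms.create_grant(FORG_PRINCIPAL)
    store = ForgOrgStore(kms, "acme")
    sample = b"session=7b1 latency_ms=42 (constructed telemetry record)"
    store.put("session/7b1", sample)
    result = {"roundtrip": store.get("session/7b1") == sample}
    kms.rotate()
    result["version_after_rewrap"] = store.rewrap()
    result["readable_after_rotation"] = _readable(store, "session/7b1")
    kms.revoke_grant(FORG_PRINCIPAL)
    result["readable_after_revoke"] = _readable(store, "session/7b1")
    kms.create_grant(FORG_PRINCIPAL)
    result["readable_after_restore"] = _readable(store, "session/7b1")
    kms.delete_key()
    result["readable_after_delete"] = _readable(store, "session/7b1")
    return result
```

Running lifecycle_demo() shows the three outcomes the sections above describe: rotation plus re-wrap leaves data readable and moves the wrapped DEK to version 2 without touching any stored record, revoking the grant blocks reads only until the grant is recreated, and deleting the key material leaves nothing that can ever unwrap the DEK.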

Compliance note

BYOK satisfies key custody requirements for ISO/IEC 27001 Annex A.10.1 (2013 numbering; A.8.24 in the 2022 revision) and supports the encryption safeguards of the HIPAA Security Rule. The FORG SOC 2 Type II report documents the BYOK control implementation.

© 2026 UpgradIQ, Inc.