Encryption Key Management (BYOK)
Manage encryption keys for sensitive data at rest. Community and organization-level BYOK allow you to bring your own encryption keys and control key rotation policies.
Note: Encryption key management (BYOK for data encryption) is available on Organization Community, Org Dedicated, and On-Premise deployments. Community (personal) accounts do not support key management.
Understand the three tiers of encryption key management
Community Site (Shared Multi-Tenant)
Data encryption at rest uses Elis-managed keys. End-to-end encryption in transit (TLS) is always on. No BYOK configuration is available. This tier is suitable for general use and non-sensitive workloads.
Organization Community (Org-Scoped Shared)
Your organization's data is isolated at the row level within a shared database using company_id boundaries. You can enable BYOK for conversation data — providing your own AES-256 encryption key for all messages, attachments, and conversation metadata stored in the database. Elis stores only the encrypted ciphertext; your key is used only for encryption/decryption on your servers.
Dedicated Cluster (Single-Org Isolated)
Your organization runs in an isolated container stack with a dedicated PostgreSQL database. BYOK is required — you manage the encryption key for all data at rest. You control key rotation, backup, and recovery. If you lose your key, Elis cannot recover your data.
Check if your organization is eligible for BYOK
Only organizations on an Org Community or higher deployment tier can enable BYOK encryption.
To check your deployment tier:
- Navigate to Organization Settings → Compliance Policies.
- Look for Deployment tier, which should show "Community" (shared) or "Dedicated" (isolated).
- If you see a BYOK Configuration section, your org is ready.
If you don't see a BYOK section and want to enable encryption key management, contact sales to upgrade to Org Dedicated.
Generate or import your encryption key
BYOK requires a 256-bit AES key (32 bytes) in base64 format. You have two options:
Option A: Generate a new key (recommended for most users)
We provide a secure key generation tool. In Organization Settings → Compliance Policies → BYOK Configuration, click Generate New Key. The tool creates a cryptographically secure 256-bit key and displays it once. Save it immediately to a secure location — we do not retain copies.
Option B: Import your own key
If you manage keys in an external HSM, Key Vault, or Vault, you can provide a base64-encoded 256-bit AES key.
Format: a 32-byte key encoded as base64. Example (do not use in production):
Enable BYOK and test the key
Once you have a key, enable BYOK in your organization:
- Go to Organization Settings → Compliance Policies.
- Find BYOK Configuration and click Enable BYOK.
- Paste your base64-encoded key into the input field.
- Click Test Key — the system encrypts and decrypts a test message to verify the key works.
- If the test passes, click Save & Enable.
Important: Once BYOK is enabled, all new data will be encrypted with your key. Existing unencrypted data is not retroactively encrypted — only new conversations, messages, and attachments use the key.
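A local pre-check for an imported key, run before pasting it into the BYOK form: it confirms the value is standard base64 that decodes to exactly 32 bytes. This is an added example, not Elis tooling; the function names, the near-constant-bytes heuristic and the fingerprint helper are assumptions of the example.

```python
import base64
import binascii
import hashlib
import secrets

KEY_BYTES = 32  # 256-bit AES key, the size the BYOK form requires


def generate_key_b64() -> str:
    """Return a fresh 256-bit key from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def check_key_b64(key_b64: str) -> bytes:
    """Decode a candidate key; raise ValueError if it would not be a valid BYOK key."""
    text = key_b64.strip()  # tolerate the trailing newline left by files and copy/paste
    try:
        # validate=True rejects URL-safe '-'/'_' and stray characters instead of skipping them
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not standard base64") from exc
    if len(raw) != KEY_BYTES:
        # e.g. a 64-character hex string is valid base64 but decodes to 48 bytes
        raise ValueError(f"decoded to {len(raw)} bytes, need {KEY_BYTES}")
    if len(set(raw)) < 8:
        # heuristic (assumption of this example): catches all-zero or placeholder keys
        raise ValueError("key bytes are nearly constant, not random output")
    return raw


def fingerprint(key_b64: str) -> str:
    """Truncated SHA-256 of the key bytes, for naming a key in records without exposing it."""
    return hashlib.sha256(check_key_b64(key_b64)).hexdigest()[:16]


if __name__ == "__main__":
    key = generate_key_b64()
    print("fingerprint:", fingerprint(key))  # log this, never the key itself
```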
Store your key securely
Once BYOK is enabled, your key is the only way to decrypt your data. Store it securely:
- Option A (Recommended): Store in a managed key vault (Azure Key Vault, AWS KMS, Google Cloud KMS, HashiCorp Vault).
- Option B: Store in your organization's password manager with restricted access (e.g., 1Password, LastPass with team sharing).
- Option C: Hardware security module (HSM) for highly regulated environments (HIPAA, PCI-DSS, ITAR).
Document who has access to the key and establish a key rotation schedule (every 90 days is a common cadence).
Rotate your encryption key
Key rotation is important for security. Elis AI supports key rotation for BYOK-enabled organizations:
- Generate or prepare a new 256-bit AES key.
- In Organization Settings → Compliance Policies → BYOK Configuration, click Rotate Key.
- Provide your current key (for decryption) and the new key (for future encryption).
- Click Test Keys to verify both work.
- Click Perform Rotation. The system:
  - Reads all encrypted data using the old key.
  - Re-encrypts it with the new key.
  - Updates the organization config to use the new key for future operations.
- Securely archive the old key and update your key management system with the new key.
Timeline: Key rotation typically takes 5–30 minutes depending on data volume. During rotation, conversations and searches may be slower.
What happens if you lose your key
If you lose your encryption key, Elis cannot recover your encrypted data. This is by design — Elis staff do not have access to your key or your encrypted data.
Recovery options:
- If you have a backup: Retrieve the key from your key vault or backup system and re-enable BYOK with the correct key.
- If you have no backup: You can disable BYOK and start fresh with Elis-managed encryption. This does not recover lost data — it only allows future data to be encrypted with Elis keys. Consult with your compliance and legal teams before taking this action.
Monitor and audit key usage
BYOK operations are logged in your organization's audit trail. To review:
- Go to Company Settings → Audit Log.
- Filter by action type "BYOK" or "encryption_key".
- Review events for:
  - Key enable / disable
  - Key rotation
  - Failed decryption attempts (may indicate a wrong key)