Box KeySafe

Manage your own encryption keys


Complete control of your data privacy in the cloud

With Box KeySafe, you have complete, independent control over your encryption keys — with no impact to the user experience.  All key usage is unchangeable and includes a detailed record of key usage, so you can track exactly why your organization’s keys are being accessed.  And if you ever experience suspicious activity, your security team can cut off access to the content at any time. 

met police
upload file

Upload file

Easily upload your files to Box

encrypt with box key

Encrypt with Box key

There's no impact on the usability, mobility, security or governance provided by Box


Encrypt with your key

Box can never see or access your encryption keys, so you're always in control of your content


Update Audit log

You are the legal custodian of the keys that encrypt your content

Box KeySafe with AWS

Box KeySafe with AWS Key Management Service

This is the simplest, most cost-effective solution for customer-managed encryption for Box. KeySafe with AWS Key Management Service enables you to control your encryption keys by leveraging a software service — Key Management Service (KMS) from Amazon Web Services (AWS).

Box KeySafe with AWS KMS Custom Key Store

With this option, Box customers can manage their own encryption keys using a simple-to-use AWS KMS interface - while storing encryption keys in AWS CloudHSM.  KeySafe with AWS KMS Custom Key Store can be used to meet any security and compliance requirements for private key storage, without the operational overhead of managing on-premise hardware. 


Box KeySafe with AWS GovCloud

Box KeySafe with AWS GovCloud lets agencies ensure compliance with ITAR/EAR, CJIS or IRS-1075 requirements as they move highly-sensitive workloads into the cloud. This offering leverages Amazon Web Services (AWS) Key Management Service (KMS) in the AWS GovCloud region, and enables government agencies and organizations that work with the U.S. government to gain independent control over their content encryption keys. 

Government and contractors

KeySafe with AWS GovCloud enables government agencies and government contractors to gain independent control over their content encryption keys for content that has citizen-only and ITAR requirements.

Media, tech and life sciences

Unreleased screenplays, top-secret designs, and patents to a new drug are among the most valuable assets you have. At the same time, to bring your ideas to market, these assets need to be shared with your contractors, partners, and vendors. Use KeySafe to stay in stay in control of sensitive IP that is shared widely throughout your ecosystem of partners and contractors.

Law, financial and professional services

Clients of your firm entrust you with their most sensitive content and bank on their data being safeguarded from unauthorized third party access.  Use KeySafe to meet your ethical and legal obligations for protection of client data by putting appropriate controls in place to prevent and turn off access to documents, and minimize the reputation risk associated with someone else looking at your clients' data. 

Key Features

IT teams, regardless of size, can deploy KeySafe within a few days


Affordable for customers all sizes, unlike other encryption services for cloud content

Log correlations

Reason codes that identify why keys are being used and correlate to Box events allow complete visibility

Availability and durability

Customer keys are housed by our partner, AWS, in systems that are designed with 99.99999999% durability and deployed in multiple availability zones within a region

Key rotation support

Premier Services will work with the customer to rotate their KeySafe keys, if they choose to rotate their keys with AWS. Premier services will also work with the customer to trigger backfill processes to ensure that all Box content is re-encrypted against the new key

Key Security

Customer keys are never stored in plaintext on disk with no keys held in memory

Forrester: Regain control with Box KeySafe

This Forrester report evaluates customer-managed keys in the cloud, and how Box KeySafe is shaking up multiple enterprise software markets. 

On-Demand webinar: Own Your Keys to the Cloud

With recently announced Box KeySafe, you can now take advantage of content collaboration in the cloud while maintaining independent control over the encryption keys that protect their content.

Manage your own encryption keys with Box KeySafe