Box offers customers better data protection with Enterprise Key Management

Feb 13, 2015

One of the most effective ways to protect data is to encrypt it so that only those with the proper keys can decrypt or access it. It’s also important to control who has access to those keys. Box Enterprise Key Management is a new offering from Box that enables customers to manage and control their own encryption keys.

Box has encrypted customer data all along: in transit, so it cannot be intercepted on the wire, and at rest on Box's servers, to block unauthorized access. Box itself, however, has held the encryption keys, and because whoever holds the key can decrypt the data, that custody is a problem for some companies.

Some industries have strict regulations in place and compliance requirements that prevent companies from moving to a cloud storage solution like Box. Aaron Levie, co-founder and CEO of Box, explained in a blog post why this is an issue. “This has unfortunately led many large businesses to stay with on-premises systems to manage their critical content and information, reducing mobility and easy collaboration, and keeping enterprise IT architectures stuck in the past.”

Box EKM is meant to remove that barrier. Each Box EKM customer gets a dedicated hardware security module (HSM) from SafeNet, an appliance built to protect encryption keys. The primary HSM is hosted in Amazon Web Services, with a second HSM in the customer's own datacenter as a backup, and the customer administers both. Box can decrypt files only for requests the customer has approved, and every key transaction is recorded in a secure log that serves as the audit record.

Levie lists six benefits of Box EKM:

  1. Exclusive key control – Box can't see, read or copy the customer's key.
  2. Unchangeable audit logs – Customers maintain exclusive control over the logs of key usage.
  3. Preserves cloud benefits – Simple access across devices, frictionless sharing, file preview, AV scanning, and much more.
  4. No decrypted files or keys on disk – All encryption and decryption happens in memory only.
  5. Reliable and protected key infrastructure – Protected by SafeNet hardware security modules.
  6. Data access transparency – For customers seeking greater control over their data and increased transparency into how the keys protecting their data are used.
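The architecture described above and items 1, 2 and 4 of the list amount to a key split: the provider stores ciphertext plus wrapped per-file keys, while the key that unwraps them stays in an HSM the customer controls, which approves or denies each request and logs it. The following is an added example, written for this page and not Box's or SafeNet's code, that models that split in plain Python. The `CustomerHSM` and `CloudStorage` classes, the approval policy, the file id `doc-1` and the sample text are all constructed for the illustration, and the stdlib HMAC-based `seal`/`unseal` pair stands in for a real AEAD such as AES-GCM so the script runs with no dependencies.

```python
"""Customer-controlled key management, in miniature (illustration, not Box's code).

Each file gets its own data-encryption key (DEK). The DEK is wrapped by a
key-encryption key (KEK) that never leaves CustomerHSM, which enforces the
customer's approval policy and keeps its own append-only log of every key
operation. seal/unseal are an HMAC-SHA256 keystream plus HMAC tag, a stdlib
stand-in for AES-GCM; do not deploy this cipher.
"""
import hashlib
import hmac
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _mac_input(nonce, aad, ct):
    return nonce + len(aad).to_bytes(4, "big") + aad + ct   # length-prefixed AAD


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, _mac_input(nonce, aad, ct), hashlib.sha256).digest()


def unseal(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, _mac_input(nonce, aad, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerHSM:
    """Stand-in for the customer's HSM: the KEK is generated here and never exported."""

    def __init__(self, approve):
        self._kek = os.urandom(32)   # lives only inside this object
        self._approve = approve      # customer policy: (context, requester) -> bool
        self._log = []               # append-only record owned by the customer

    def wrap(self, dek, context):
        self._log.append({"op": "wrap", "context": context, "requester": None,
                          "approved": True, "ts": time.time()})
        return seal(self._kek, dek, aad=context)   # context binds the DEK to its file

    def unwrap(self, wrapped, context, requester):
        ok = bool(self._approve(context, requester))
        self._log.append({"op": "unwrap", "context": context, "requester": requester,
                          "approved": ok, "ts": time.time()})
        if not ok:
            raise PermissionError("unwrap denied for %r" % requester)
        return unseal(self._kek, wrapped, aad=context)

    def audit_log(self):
        return tuple(dict(e) for e in self._log)   # copies, so history cannot be edited


class CloudStorage:
    """The provider: holds ciphertext and wrapped DEKs, nothing decryptable on its own."""

    def __init__(self, hsm):
        self._hsm, self._blobs = hsm, {}

    def put(self, file_id, data):
        dek, ctx = os.urandom(32), file_id.encode()   # per-file key, exists only in memory
        self._blobs[file_id] = {"wrapped_dek": self._hsm.wrap(dek, ctx),
                                "ciphertext": seal(dek, data, aad=ctx)}
        # dek goes out of scope here; only its wrapped form is persisted

    def get(self, file_id, requester):
        rec, ctx = self._blobs[file_id], file_id.encode()
        dek = self._hsm.unwrap(rec["wrapped_dek"], ctx, requester)   # may raise PermissionError
        return unseal(dek, rec["ciphertext"], aad=ctx)

    def stored_record(self, file_id):
        return dict(self._blobs[file_id])


def demo():
    """Approved read, denied read, then a tampered blob; returns the observations."""
    allowed = {"alice@example.com"}                          # constructed sample policy
    hsm = CustomerHSM(approve=lambda ctx, who: who in allowed)
    store = CloudStorage(hsm)
    store.put("doc-1", b"quarterly numbers")                 # constructed sample file
    roundtrip = store.get("doc-1", "alice@example.com")
    try:
        store.get("doc-1", "mallory@example.com")
        denied = False
    except PermissionError:
        denied = True
    rec = store.stored_record("doc-1")
    bad = bytearray(rec["ciphertext"])
    bad[NONCE_LEN] ^= 0x01                                   # flip one ciphertext bit
    try:
        unseal(hsm.unwrap(rec["wrapped_dek"], b"doc-1", "alice@example.com"), bytes(bad), aad=b"doc-1")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": roundtrip, "denied": denied, "tamper_detected": tamper_detected,
            "ciphertext": rec["ciphertext"], "log": hsm.audit_log()}


if __name__ == "__main__":
    print(demo())
```

Run it and inspect what the provider actually keeps: the stored record contains only ciphertext and a wrapped key, so a dump of the provider's disk yields nothing readable without a round trip to the customer's HSM. The denied request for `mallory@example.com` still leaves an entry in the customer-held log, which is what the "unchangeable audit logs" point buys you, and the flipped bit is rejected by the tag check before any plaintext is produced. A real deployment differs in that the KEK sits in hardware and the approval policy is whatever the customer configures on the appliance; the shape of the exchange is the same.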

I spoke with Rand Wacker, VP of enterprise products for Box. He explained to me that this is not simply a feature Box tacked on top of its existing service. Box has been developing Box EKM for a few years now. It was an arduous undertaking that involved rebuilding significant portions of Box code so the encryption is elegantly integrated end-to-end.

Box EKM is available in Beta right now. You can send an email to for more details.


Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.