Cloud-Managed Secret Encryption and BYOK

Available starting in release 26.1

This page describes the new cloud-managed encryption architecture used to protect customer secrets within the Forward SaaS platform.
The update enhances data security, simplifies management, and allows enterprise customers to optionally control their own encryption keys.

Overview

Forward uses a centralized, cloud-managed encryption system to securely store all customer secrets, such as device credentials used during data collection.
This new approach replaces the older, collector-specific encryption model, improving both security and flexibility.

Under the new design, collectors are stateless — any collector within an organization can securely access the credentials it needs, without being tied to a specific encryption key.
This simplifies device reassignment, improves operational resilience, and ensures credentials remain protected even if a collector is replaced or redeployed.
Forward-Managed Encryption Model

All secrets are encrypted using a centralized key management service powered by AWS Key Management Service (KMS).
AWS KMS provides strong, audited cryptographic protection and ensures that no encryption keys are ever stored in plaintext by Forward services.

Forward uses a standard cloud security technique called envelope encryption — a widely adopted best practice in SaaS and cloud environments (see the AWS KMS documentation).

Note

In the Forward-Managed Encryption Model, the master key is issued and managed by Forward within AWS KMS.

How It Works

  • Each customer organization is assigned a unique Data Encryption Key (DEK) that is used to encrypt their secrets.
  • The DEK is not stored in plaintext; it is itself encrypted (or “enveloped”) using a master key managed by AWS KMS.
  • When customer secrets need to be decrypted, Forward first requests AWS KMS to decrypt the DEK using the master key. Only after obtaining the plaintext DEK can the secrets be decrypted.
  • At no point are customer master keys stored, cached, or handled directly by Forward.

This layered approach isolates customer data cryptographically while centralizing key management for improved durability and security.

Key Benefits

  • Improved Security – Encryption keys are centrally managed and protected by AWS KMS, reducing risk of local key loss or compromise.
  • Operational Flexibility – Stateless collectors can serve any device within an organization, simplifying scaling and maintenance.
  • Cryptographic Isolation – Each customer’s data is protected by a unique key, ensuring strong tenant separation.
  • Auditability – All key operations are tracked within AWS KMS and visible through AWS CloudTrail.

Enterprise Option: Bring Your Own Key (BYOK)

For customers with advanced security or compliance requirements, Forward offers an optional Bring Your Own Key (BYOK) capability.

Important

To enable the BYOK encryption model, customers should contact Forward Support for assistance with setup and configuration.

How It Works

With BYOK, a customer creates and manages their own encryption master key in their own AWS account.
Forward is granted limited permission to use this key for cryptographic operations.

  • When secrets are encrypted, Forward requests AWS KMS to generate a DEK using the customer's master key, which is then used to encrypt the actual secrets.
  • The DEK is stored in encrypted form, protected by the customer’s master key.
  • When decryption is required, Forward must call AWS KMS to decrypt the DEK — requiring active permission from the customer’s AWS account.

This ensures that the customer’s master key always remains under their control and never leaves their AWS environment.

Customer Control

  • Customers retain full control of their master key — it never leaves their AWS environment.
  • All key usage by Forward can be audited through AWS CloudTrail.
  • Customers can revoke access at any time to immediately disable decryption of customer secrets within Forward.
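The envelope-encryption flow from the Forward-managed "How It Works" list and the BYOK store, unwrap and revoke sequence described above, as an added worked example in Go. This is illustrative code written for this page, not Forward's implementation and not the AWS SDK. It assumes an in-process simulated KMS (SimKMS) standing in for AWS KMS, with a per-key allow-list playing the role of the key policy; AES-256-GCM as both the key-wrapping and the data cipher (the page does not say which algorithms Forward uses); and placeholder principal ARNs and key IDs (FORWARD_ACCOUNT_ID, byok-key) that are not real values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Placeholder for Forward's service principal; not a real account ID.
const forwardPrincipal = "arn:aws:iam::FORWARD_ACCOUNT_ID:role/forward-service"
// ErrAccessDenied stands in for the AccessDeniedException KMS returns when the key policy denies the caller.
var ErrAccessDenied = errors.New("kms: access denied by key policy")

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this program is 32 bytes, so an error is a bug
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

func sealGCM(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func openGCM(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// SimKMS stands in for AWS KMS: master keys never leave it, and a per-key allow-list models the key policy.
type SimKMS struct {
	masterKeys map[string][]byte
	allowed    map[string]map[string]bool
}
func NewSimKMS() *SimKMS { return &SimKMS{masterKeys: map[string][]byte{}, allowed: map[string]map[string]bool{}} }

// CreateKey generates a 256-bit master key whose policy allows the given principals.
func (k *SimKMS) CreateKey(keyID string, allowed map[string]bool) {
	k.masterKeys[keyID], k.allowed[keyID] = randBytes(32), allowed
}

// Revoke removes a principal from the key policy: the BYOK customer's kill switch.
func (k *SimKMS) Revoke(keyID, principal string) { delete(k.allowed[keyID], principal) }

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh plaintext DEK plus the same DEK wrapped under the master key.
func (k *SimKMS) GenerateDataKey(principal, keyID string) (plain, wrapped []byte, err error) {
	if !k.allowed[keyID][principal] {
		return nil, nil, ErrAccessDenied
	}
	plain = randBytes(32)
	return plain, sealGCM(k.masterKeys[keyID], plain), nil
}

// Decrypt mirrors kms:Decrypt applied to a wrapped DEK; the master key itself is never returned.
func (k *SimKMS) Decrypt(principal, keyID string, wrapped []byte) ([]byte, error) {
	if !k.allowed[keyID][principal] {
		return nil, ErrAccessDenied
	}
	return openGCM(k.masterKeys[keyID], wrapped)
}

// StoreSecret is the service write path: the plaintext DEK is used once and dropped; only the wrapped DEK and ciphertext persist.
func StoreSecret(kms *SimKMS, keyID string, secret []byte) ([]byte, []byte, error) {
	dek, wrapped, err := kms.GenerateDataKey(forwardPrincipal, keyID)
	if err != nil {
		return nil, nil, err
	}
	return wrapped, sealGCM(dek, secret), nil
}

// LoadSecret is the read path: KMS must unwrap the DEK first, so a revoked key policy blocks decryption of held ciphertext.
func LoadSecret(kms *SimKMS, keyID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := kms.Decrypt(forwardPrincipal, keyID, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, ciphertext)
}

func main() {
	kms := NewSimKMS()
	kms.CreateKey("byok-key", map[string]bool{forwardPrincipal: true}) // customer-side: key policy admits Forward
	wrapped, ct, _ := StoreSecret(kms, "byok-key", []byte("sample-device-password")) // constructed value
	kms.Revoke("byok-key", forwardPrincipal)
	_, err := LoadSecret(kms, "byok-key", wrapped, ct)
	fmt.Println("decrypt after the customer revokes access:", err)
}
```

Running it stores a constructed sample credential, removes Forward's principal from the key policy, and then shows LoadSecret failing with ErrAccessDenied even though the service still holds both the wrapped DEK and the ciphertext. The same SimKMS covers the Forward-managed model: there the key is created in Forward's own account rather than the customer's, and the only difference in the flow is who holds the Revoke lever.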

Benefits of BYOK

  • Full Ownership of Encryption Keys – Ideal for organizations with strict compliance policies or internal security mandates.
  • Transparency and Auditability – Monitor and verify every key access via AWS audit logs.
  • Easy Integration – Uses standard AWS KMS permissions and APIs without custom software or hardware.
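To make the "audit every key access via CloudTrail" point above concrete, here is an added Go example, written for this page rather than taken from Forward's tooling, that reads a constructed CloudTrail export of KMS events and reports the two things a BYOK customer most wants to see: data-key operations on their key by any principal outside the set they expect (Forward's role), and denied calls, which is how a revoked key policy shows up in the log. The account IDs, key ID and role names in sampleTrail are placeholders. The record shape follows CloudTrail's KMS events (eventSource, eventName, eventTime, errorCode, userIdentity.arn, resources[].ARN, requestParameters.keyId); the one simplifying assumption is that the key is always referenced by its full ARN.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ctRecord is the subset of a CloudTrail record this audit reads.
type ctRecord struct {
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	EventTime    string `json:"eventTime"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		KeyID string `json:"keyId"`
	} `json:"requestParameters"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

// Finding is one audit observation about a data-key operation on the BYOK key.
type Finding struct{ Time, Principal, Event, Reason string }

// Calls a SaaS provider needs on a BYOK key; read-only calls such as DescribeKey are not counted as usage.
var dataKeyOps = map[string]bool{
	"Encrypt": true, "Decrypt": true, "ReEncrypt": true,
	"GenerateDataKey": true, "GenerateDataKeyWithoutPlaintext": true,
}

// refersTo matches by full key ARN only; requestParameters.keyId may carry an alias or bare ID, which this does not resolve.
func refersTo(r ctRecord, keyARN string) bool {
	if r.RequestParameters.KeyID == keyARN {
		return true
	}
	for _, res := range r.Resources {
		if res.ARN == keyARN {
			return true
		}
	}
	return false
}

// AuditKMSUsage scans a CloudTrail export for data-key operations on keyARN and returns every call by a
// principal outside allowed, every denied call (what a revoked key policy looks like), and per-principal counts.
func AuditKMSUsage(export []byte, keyARN string, allowed map[string]bool) ([]Finding, map[string]int, error) {
	var trail struct {
		Records []ctRecord `json:"Records"`
	}
	if err := json.Unmarshal(export, &trail); err != nil {
		return nil, nil, err
	}
	usage := map[string]int{}
	var findings []Finding
	for _, r := range trail.Records {
		if r.EventSource != "kms.amazonaws.com" || !dataKeyOps[r.EventName] || !refersTo(r, keyARN) {
			continue
		}
		p := r.UserIdentity.ARN
		if r.ErrorCode != "" {
			findings = append(findings, Finding{r.EventTime, p, r.EventName, "denied: " + r.ErrorCode})
			continue
		}
		usage[p]++
		if !allowed[p] {
			findings = append(findings, Finding{r.EventTime, p, r.EventName, "principal not in expected set"})
		}
	}
	return findings, usage, nil
}

// Constructed sample export: placeholder account IDs, key ID and role names shaped like CloudTrail KMS events.
const (
	sampleKeyARN = "arn:aws:kms:us-east-1:CUSTOMER_ACCOUNT_ID:key/KEY_ID_PLACEHOLDER"
	forwardRole  = "arn:aws:sts::FORWARD_ACCOUNT_ID:assumed-role/forward-service/collector"
	otherAdmin   = "arn:aws:iam::CUSTOMER_ACCOUNT_ID:user/unexpected-admin"
	sampleTrail  = `{"Records":[
{"eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","eventTime":"2025-01-10T09:00:01Z",
 "userIdentity":{"arn":"` + forwardRole + `"},"resources":[{"ARN":"` + sampleKeyARN + `"}]},
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","eventTime":"2025-01-10T09:05:12Z",
 "userIdentity":{"arn":"` + forwardRole + `"},"resources":[{"ARN":"` + sampleKeyARN + `"}]},
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","eventTime":"2025-01-10T11:42:30Z",
 "userIdentity":{"arn":"` + otherAdmin + `"},"resources":[{"ARN":"` + sampleKeyARN + `"}]},
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","eventTime":"2025-01-11T08:00:00Z","errorCode":"AccessDenied",
 "userIdentity":{"arn":"` + forwardRole + `"},"requestParameters":{"keyId":"` + sampleKeyARN + `"}}
]}`
)

func main() {
	findings, usage, err := AuditKMSUsage([]byte(sampleTrail), sampleKeyARN, map[string]bool{forwardRole: true})
	if err != nil {
		panic(err)
	}
	fmt.Println("successful data-key operations per principal:", usage)
	for _, f := range findings {
		fmt.Printf("%s %-16s %s (%s)\n", f.Time, f.Event, f.Principal, f.Reason)
	}
}
```

On the sample, the two calls by Forward's role count as expected usage, the Decrypt by a principal outside the expected set is flagged, and the AccessDenied record after revocation appears as a denied call; in a real export the same logic runs over the CloudTrail JSON for the key's region, and a denied call from Forward's role right after a policy change is exactly the evidence that revocation took effect.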