Enterprise Security

Bring Your Own Key

Take complete control of your data encryption. Use your own KMS key to encrypt sensitive data, with the kill switch staying in your hands.

Why BYOK?

BYOK lets enterprise customers provide their own encryption key through their cloud KMS (Key Management System). Your data is encrypted using your key, while you maintain complete control through your KMS infrastructure.

Complete Control

Retain full ownership of your encryption keys with instant revocation capability

Compliance Ready

Meet regulatory requirements for data sovereignty and key management

How It Works

1You create a key in your cloud KMS and grant Shortcut secure access
2Shortcut uses envelope encryption to protect your data with your KMS key
3All encryption keys are protected by your KMS—we never store plaintext keys
4Your data is encrypted and decrypted using industry-standard AES-256-GCM
5You retain full control—revoking KMS access instantly makes your data inaccessible

Architecture: We use envelope encryption with your KMS key as the master key. Without access to your KMS, encrypted data cannot be decrypted by anyone—including Shortcut.

Supported Providers

AWS

AWS KMS

Integrate with AWS Key Management Service for symmetric encryption.

  • Symmetric keys (AES-256-GCM)
  • Cross-account IAM role access
  • Automatic key rotation support
Azure

Azure Key Vault

Use Azure Key Vault with RSA keys for enterprise encryption.

  • RSA 2048/3072-bit keys
  • Service principal RBAC access
  • Key versioning support

Encryption & Performance

Industry-Standard Encryption

  • AES-256-GCM encryption algorithm
  • Client-side encryption for maximum security
  • Web Crypto API Browser-based

Fast & Efficient

  • Minimal performance impact (~20ms for 5MB files)
  • Works seamlessly with your existing workflow
  • No additional setup for end users

Setup Overview

After purchasing an enterprise plan, team admins can configure BYOK from the Security settings:

1Create a KMS key in your cloud provider
2Grant our service principal access (IAM role or RBAC)
3Enter your key details in Shortcut's admin panel
4We validate the setup and generate a test DEK
5All new files are automatically encrypted with your key

Ready to get started?

Contact our enterprise sales team to learn more about BYOK and how it can secure your organization's data.

Contact Enterprise SalesLearn about SSO