DeepL's Bring Your Own Key (BYOK) solution allows you to use your Amazon Web Services (AWS) Customer Managed Key (CMK) for encryption operations within DeepL's internal network. This feature provides you with enhanced security and control over your data stored at rest within DeepL's services.
As a DeepL customer, you can configure a CMK in your AWS KMS (Key Management System). You will then write and attach a policy that grants DeepL's AWS account permission to use your key for encryption and decryption operations. Once these resources are set up, you can enter the Amazon Resource Names (ARNs) in the Settings tab of your DeepL admin account profile. This will enable DeepL's services to derive encryption keys from your CMK that will then be used for encryption of the following features:
- Saved translations
- Glossaries
Set up BYOK
- Create a CMK in AWS KMS
- Contact DeepL Support for DeepL's AWS Account ID
- Attach a policy to the key to grant DeepL access (replace <DeepL_Account_Id> with the actual account ID):
  {
    "Sid": "Allow the DeepL AWS Account to use this KMS key",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::<DeepL_Account_Id>:root"
      ]
    },
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }
- Go to the BYOK sections in the Settings tab of your DeepL account
- Enter your Key ARN and Key Region
Deactivate BYOK and revert to DeepL's managed keys
- Contact DeepL Support and ask for your key to be removed
- After DeepL Support confirms that the key has been successfully removed, remove the policy in AWS
Leave DeepL and prohibit access to my data
Remove the policy in AWS. Shortly after removing the policy, our caches will be invalidated and we will no longer be able to decrypt your data.
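
The setup and removal steps above both edit the key policy, and AWS KMS replaces a key policy as a whole on update, so the DeepL statement has to be merged into (or filtered out of) the existing document rather than submitted alone. The following Python sketch is an added example, not DeepL's or AWS's code: the function names are hypothetical, the sample policy is constructed, and 111122223333 and 444455556666 are placeholder account IDs.

```python
import copy
import re

SID = "Allow the DeepL AWS Account to use this KMS key"  # Sid used on this page
ALLOWED = {"kms:Encrypt", "kms:Decrypt"}

def _as_list(value):
    # IAM policy fields may hold either a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def deepl_statement(account_id):
    """Build the page's statement for a 12-digit AWS account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {"Sid": SID, "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root"]},
            "Action": sorted(ALLOWED), "Resource": "*"}

def revoke(policy):
    """Copy of the key policy without the DeepL statement."""
    updated = copy.deepcopy(policy)
    updated["Statement"] = [s for s in updated["Statement"] if s.get("Sid") != SID]
    return updated

def grant(policy, account_id):
    """Copy of the key policy with the DeepL statement present exactly once."""
    updated = revoke(policy)  # drop a stale copy, keep every other statement
    updated["Statement"].append(deepl_statement(account_id))
    return updated

def excess_actions(policy, account_id):
    """Actions allowed to the account's root principal beyond Encrypt/Decrypt."""
    root = f"arn:aws:iam::{account_id}:root"
    found = set()
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow" and root in aws:
            found |= set(_as_list(s.get("Action", [])))
    return found - ALLOWED

# Constructed sample: a key policy holding only the key owner's admin statement.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}
```

Running `excess_actions` against the merged policy before applying it confirms the external account receives nothing beyond `kms:Encrypt` and `kms:Decrypt`.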