- Set up BYOK
- Deactivate BYOK and go back to using DeepL's managed keys again
- Leave DeepL and prohibit access to my data
DeepL's Bring Your Own Key (BYOK) solution allows you to use your Amazon Web Services (AWS) Customer Managed Key (CMK) for encryption operations within DeepL's internal network. This feature provides you with enhanced security and control over your data stored at rest within DeepL's services.
As a DeepL customer, you can configure a CMK in your AWS KMS (Key Management Service). You then write and attach a policy that grants DeepL's AWS account permission to use your key for encryption and decryption operations. Once these resources are set up, you can enter the Amazon Resource Names (ARNs) in the Settings tab of your DeepL admin account profile. This enables DeepL's services to derive encryption keys from your CMK, which are then used to encrypt the data of the following features:
- Saved translations
- Glossaries
Set up BYOK
- Create a CMK in AWS KMS
- Contact DeepL Support for DeepL's AWS Account ID
- Attach a policy to the key to grant DeepL access (replace <DeepL_Account_Id> with the actual account id):
  {
    "Sid": "Allow the DeepL AWS Account to use this KMS key",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::<DeepL_Account_Id>:root"
      ]
    },
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }
- Go to the BYOK section in the Settings tab of your DeepL account
- Enter your Key ARN and Key Region
Deactivate BYOK and use DeepL's managed keys again
- Go to the Encrypted data at rest-Bring your own key (BYOK) section in the Settings tab of your DeepL account
- Remove the key ARN
- Remove the policy in AWS
Make sure you remove the key ARN in DeepL before deleting the policy! Otherwise we will not be able to decrypt your data.
Leave DeepL and prohibit access to my data
Remove the policy in AWS. Shortly after removing the policy, our caches will be invalidated and we will no longer be able to decrypt your data.
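The statement shown in the set-up steps is one entry in the key policy's Statement array, and "removing the policy" in the deactivation and leave steps means taking that entry out again. The following added example (not DeepL's code) performs both edits on a policy document and checks that an account is allowed nothing beyond kms:Encrypt and kms:Decrypt; the function names, account IDs and sample policy are constructed placeholders, and writing the result back to the key is left to your own AWS tooling.

```python
import copy

DEEPL_SID = "Allow the DeepL AWS Account to use this KMS key"
ALLOWED_ACTIONS = {"kms:Encrypt", "kms:Decrypt"}

def deepl_statement(account_id):
    """The statement from this page with the account ID filled in."""
    return {
        "Sid": DEEPL_SID,
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root"]},
        "Action": sorted(ALLOWED_ACTIONS),
        "Resource": "*",
    }

def revoke(policy):
    """Return a copy of the key policy without the DeepL statement."""
    out = copy.deepcopy(policy)
    out["Statement"] = [s for s in out["Statement"] if s.get("Sid") != DEEPL_SID]
    return out

def grant(policy, account_id):
    """Return a copy of the key policy holding the DeepL statement exactly once."""
    out = revoke(policy)
    out["Statement"].append(deepl_statement(account_id))
    return out

def _as_list(value):
    return value if isinstance(value, list) else [value]

def excess_actions(policy, account_id):
    """Actions allowed to the account root beyond kms:Encrypt and kms:Decrypt."""
    arn = f"arn:aws:iam::{account_id}:root"
    found = set()
    for s in policy["Statement"]:
        principal = s.get("Principal")  # may be the string "*" instead of a dict
        names = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow" and arn in names:
            found.update(_as_list(s.get("Action", [])))
    return sorted(found - ALLOWED_ACTIONS)

# Constructed sample: a key policy that so far holds only the owner's statement.
OWNER_ID, VENDOR_ID = "111122223333", "444455556666"  # placeholder account IDs
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OWNER_ID}:root"},
        "Action": "kms:*", "Resource": "*",
    }],
}
```

The check matches action strings literally, so a wildcard such as kms:* is reported as an excess action rather than expanded.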