KeySafe KMS Technical Requirements

These KeySafe KMS Technical Requirements (“KMS Technical Requirements”) apply to Customer’s purchase and use of KeySafe KMS, and Customer understands and acknowledges that in order to achieve a successful and trusted enterprise key management deployment and maintenance, there are on-going requirements that it needs to meet. Failure to undertake these requirements may result in failure of Customer’s KeySafe KMS and Box assumes no liability for any such failure by Customer.


Box may change these KMS Technical Requirements at any time by posting an updated version here, and such updates will be effective upon posting.


General Requirements

Customer must take reasonable steps to ensure that the Customer-owned key encryption keys (“C-KEKs”) are properly protected.



Third-Party Providers

  1. In consultation with the Box consulting team (“Box Consulting”), Customer must contract with a Box KeySafe-approved Hosting Partner to achieve high availability and durability of the C-KEKs.  For the avoidance of doubt, KeySafe KMS can only be hosted with a Box KeySafe KMS-approved Hosting Partner. 
  2. Customer is required to maintain a separate and unique Box-approved KeySafe KMS- Hosting Partner account specifically dedicated to KeySafe KMS. For clarity, such account may not be utilized for any purpose other than KeySafe KMS.
  3.  Customer is required to purchase and maintain support from the Box-approved Hosting Partner for KeySafe KMS. 
    • For AWS as the Hosting Partner, Customer may choose to purchase from AWS either Enterprise or Business Support as described here ( at all times while using KeySafe KMS with AWS as a Hosting Partner.
  4. Customer is required to maintain dedicated encryption key(s) in KeySafe KMS solely for the purpose of encryption and decryption operations performed by Box. For clarity, KeySafe KMS encryption key(s) must not be shared with other applications or services for encryption and decryption


Customer Information

Enabling KeySafe KMS on a Customer's instance of the Box Service requires Customer to provide certain information to Box to enable setup and support for KeySafe KMS, including but not limited to: 

  • Encryption KeyID
  • Access Key
  • Secret Access Key


Data Center Requirements

  1. As of the current version of these KMS Technical Requirements, Customer is required to provision KeySafe KMS in either: (i) AWS us-west-1 region; or (ii) AWS us-west-GovCloud (collectively, “KeySafe Service Provider Hosting Locations”).
  2. In the event Box relocates the Box data centers within the United States, and in order to maintain KeySafe KMS functionality and performance, Customer may be required to transition KeySafe KMS to a hosting location in close proximity to the relocated Box data centers within sixty (60) days of written notice from Box.
  3. Customer shall engage with Box Consulting prior to migration between any KeySafe Service Provider Hosting Locations.  All such migrations require the assistance of Box Consulting and the separate purchase of professional and training services from Box.

Log Aggregation Tool

In order to purchase and use KeySafe KMS, it is recommended that Customer own and maintain a log aggregation tool (“Aggregation Tool”), and consume the KeySafe KMS logs through that Aggregation Tool.



Box Functionality

Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS.


  1. As of the current version of these KMS Technical Requirements, Box Service functionality limitations include:
    • Full text search of the files needs to be disabled
    • Any 3rd party eDiscovery integration that relies solely on Box Search APIs
    • KeySafe KMS is not encrypting comments, descriptions and metadata with C-KEKs
    • Migration off of the Box Service:
      • Customers using KeySafe KMS will have their files rekeyed to the non-KeySafe version at a rate of approximately 100 files per second. Box will make reasonable efforts to rekey files as quickly as possible given this limit.
  2. Customer understands and acknowledges that KeySafe KMS encrypts file content uploaded to the Box Service, excluding Box Notes.
Version history
Revision #:
1 of 3
Last update:
‎05-21-2018 04:55 PM
Updated by:

More in this guide:

Go to Guide