Everyone's fine with "secure" in a feature list. Nobody thinks about what that actually means until the day their stuff gets breached. Then they become very, very interested in the specifics.
This article is about what's underneath the word "secure" in IBYOK. Specifically: AWS KMS encryption, both at rest and in transit, and why that's the baseline every serious key vault has to hit. Skip this page if you trust the word "encrypted" to do the work. Read it if you want to know what's actually happening to your API keys between you hitting "save" and your app fetching them later.
What KMS actually is
AWS Key Management Service is a managed service that handles the cryptographic operations most applications need: generating encryption keys, encrypting data, decrypting data, and doing all of it without exposing the underlying keys to the application. The service itself lives inside AWS's hardened infrastructure, with physical access controls, audit logging, and the kind of compliance stack that satisfies SOC 2 and HIPAA auditors.
When IBYOK stores your OpenAI key, it's not storing the raw key in the database. It's storing the encrypted version of the key, with the encryption key itself managed by KMS. That means even if an attacker got direct access to the IBYOK database — the worst-case scenario short of a full AWS breach — they would see encrypted blobs, not your actual keys. The plaintext keys don't exist in the database at all.
That's encryption at rest: your keys are ciphertext in storage, and the decryption capability is gated by KMS. Decryption only happens in memory, transiently, when your app fetches a key. Once the response is sent, the plaintext version is gone.
Encryption in transit
The other half is what happens when your keys move. When you save a new key to IBYOK, the connection from your browser to the server is TLS 1.3. When your app fetches a key via the REST API, same thing — TLS, end-to-end. Nobody sitting between your laptop and the server can read the traffic, even if they're on the same coffee shop WiFi.
This sounds obvious, but it's worth being explicit about. A surprising number of older internal tools still pass credentials over plain HTTP on local networks, and a lot of "secure" vaults have historically gotten tripped up by a misconfigured cert or an outdated TLS version. Modern TLS with KMS-backed encryption is table stakes for any serious key storage system, and IBYOK doesn't cut corners on either.
The "bring your own keys" principle
The name IBYOK — "I Bring Your Own Keys" — reflects a design principle. You retain ownership of your API keys at every step. IBYOK doesn't proxy your API calls, doesn't forward them through its own servers, doesn't inject its own middleware into your provider traffic. The keys live in your vault; your app fetches them; your app uses them directly against the provider.
This matters because it means IBYOK can't see your prompts, your responses, your usage patterns, or your data. It's a dumb vault. That's the correct behavior. Key managers that proxy API traffic look convenient but create a huge privacy liability — you're handing a third party visibility into every conversation your app has with every LLM. That's not a tradeoff most builders want to make.
IBYOK stays out of the data path. It's a place to store keys and hand them back to you when asked. Nothing more. The security model is simpler and the attack surface is smaller, both of which are features.
KMS-backed encryption, TLS in transit, keys you own.
Why "just roll your own" is worse
I hear this from technical builders: "Why wouldn't I just encrypt my keys in a file with GPG?" It's a fair instinct and a bad idea. Here's why.
Rolling your own encryption is a classic security footgun. The primitives are easy; the operational details are where everyone gets it wrong. Key rotation — how do you update the master key? Access control — who has permission to decrypt? Auditing — how do you know who accessed what? Disaster recovery — if you lose the master key, do you lose all your keys? These are solved problems at the infrastructure level (KMS handles them), but most DIY setups miss one or more.
IBYOK gets these right because it's using KMS, which gets them right because it's AWS's core service and it's been battle-tested at scale. "Use the thing that's already correct" is the right strategy for a layer you don't want to think about. You're not going to out-engineer AWS on cryptography. Nobody is.
The compliance angle (if you care)
If you're building a product that will eventually talk to enterprise customers, this paragraph will matter to you someday. Enterprise buyers — especially in regulated industries — ask about your secrets management. "We encrypt at rest with AWS KMS and in transit with TLS 1.3" is an answer that closes deals. "We store keys in a .env file on our server" is an answer that loses them.
You don't need to be at that stage to benefit from having the right answer ready. Build on the KMS-backed vault from day one and you won't have to retrofit secrets management when a compliance questionnaire shows up. The cost of doing it right at the start is near-zero. The cost of doing it wrong and fixing it later can be an entire sprint.
What this doesn't solve
KMS encryption is a floor, not a ceiling. It protects keys from database-level breaches. It does not protect keys from mistakes in your own application. If you log API keys to a file, encryption at rest doesn't help. If you expose an endpoint that dumps all your keys, encryption in transit doesn't save you. The part that's yours is still yours to get right.
But the part that's shared — the storage layer, the transport layer, the key management primitives — is offloaded to infrastructure that's designed for exactly this purpose. That frees you up to focus on the part of security that's unique to your app, instead of re-implementing the generic stuff from scratch.
The honest summary
Encryption sounds boring. It is boring. Boring is the correct affect for infrastructure that protects your business. The moment encryption becomes interesting is usually the moment you wish it had been boring.
IBYOK uses KMS because KMS is the boring, correct, battle-tested choice. You don't have to think about it. You don't have to configure it. You just know that your keys are encrypted the way they're supposed to be encrypted, and you can spend your attention on the parts of your stack that actually differentiate you.
That's the feature. Not the encryption itself — the fact that it's handled, and you can stop thinking about it forever.
— Jeff
KMS-backed encryption. TLS everywhere. You keep ownership of your keys.