Key Management


Clients and Unique are repeatedly confronted with the same question: can clients bring (and hold) their own keys in their Single Tenant?

This page explains why that is not possible and which options exist.

Big Picture

Long story short: clients cannot hold their own keys in the Single Tenant model.

The main limitation is data encryption at rest in Azure Database for PostgreSQL, which requires that both the key and the server reside within the same Azure tenant.

Clients who need full control over their key must self-host Unique, either managing it themselves or using Unique's Forward-Deployed Solution Engineering (Unique maintains and runs it in the client's Azure tenant).

Glossary

Terms and their meaning within this page:

Application Layer: workloads from Unique deployed onto Azure, such as the Chat.

Infrastructure Layer: resources provided within Azure, such as the PostgreSQL server or Storage Accounts.

PMK (Platform Managed Key): Azure's native key model, where Microsoft manages the key lifecycle under the hood. See https://learn.microsoft.com/en-us/azure/security/fundamentals/key-management

CMK (Customer Managed Key): Azure's support for clients to bring their own keys, mainly from Azure Key Vault. See https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-customer-managed-keys-support

Cross-Tenant CMK (Customer Managed Key): the key used for CMK comes from an Azure tenant other than Unique's.

Application vs Infrastructure Layer

This page covers the infrastructure layer only.

warning

The Unique application does not support any form of key management: while certain data is encrypted according to Unique's policies and implementation, there is no general encryption at the application layer.

PMK - Platform Managed Keys

Unique doesn't use PMK anywhere. Unique always uses CMK for all deployment types, both Multi- and Single-Tenant.

Other key infrastructure (third-party HSM or KMS)

Other key infrastructures, such as a Thales HSM, are natively supported neither by Azure as a CMK source nor by Unique.

Unique's data in short

Unique stores its data in three places, which are described elsewhere in this documentation and not further elaborated here:

  1. Azure Database for PostgreSQL – Flexible Server: https://azure.microsoft.com/en-us/products/postgresql/

  2. Azure Storage Accounts: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview

  3. Azure Managed Disks: https://learn.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview

What are BYOK, CYOK and HYOK?

BYOK (Bring Your Own Key), CYOK (Control Your Own Key) and HYOK (Hold Your Own Key) are three approaches to managing cryptographic keys used to encrypt and decrypt data stored in the cloud. They differ in where the encryption keys are generated and stored, who can access them, and how much control the organisation retains over their lifecycle.

For each term: who holds the key used for CMK, what it means for Single-Tenant clients of Unique, and whether it is possible and solves the key requirement.

BYOK
  Who holds the key: Unique
  Meaning: the customer generates keys and Unique imports them into its Key Vault.
  Possible? Possible, but it does not solve the requirement that the client controls the key.

CYOK
  Who holds the key: Client
  Meaning: the customer generates and controls keys, which are never exposed in clear to the provider. Keys may be hosted in a customer-controlled HSM or isolated enclave; the provider sees handles or wrapped keys only.
  Possible? Not possible: Azure natively offers CMK only from its own Key Vault implementation, where all key operations are handled under the hood.

HYOK
  Who holds the key: Client
  Meaning: the customer holds keys entirely outside the provider boundary. The cloud calls an external key system, or data is encrypted and decrypted only in customer-controlled environments.
  Possible? Not possible: Azure Database for PostgreSQL does not support cross-tenant CMK.

Storage Locations

For each location: the data stored there (non-exhaustive) and whether the service supports Cross-Tenant CMK.

Azure Database for PostgreSQL – Flexible Server (https://azure.microsoft.com/en-us/products/postgresql/)
  Data: Chats, Messages, Spaces, Prompts, etc.
  Supports Cross-Tenant CMK: No

Azure Storage Accounts (https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview)
  Data: documents from Connectors, mostly.
  Supports Cross-Tenant CMK: Yes

Azure Managed Disks (https://learn.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview)
  Data: search vector data, mostly (Qdrant and Elasticsearch).
  Supports Cross-Tenant CMK: Yes
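The table above, together with the rule that Unique uses CMK and never PMK, can be turned into a check that runs against a deployment's own resource configuration. The following Python is an added example, not Unique's tooling or code from this documentation: it reads the JSON that `az postgres flexible-server show`, `az storage account show` and `az disk-encryption-set show` return (the field paths, the vault inventory and every ID below are constructed assumptions based on the Azure REST API shapes, so verify them against your CLI version), confirms that each location uses CMK rather than PMK, looks up the tenant of the Key Vault behind each key, and flags the one combination the page rules out: a PostgreSQL flexible server whose key lives in a vault outside the deployment tenant.

```python
"""Audit data-at-rest key configuration for the three storage locations.

Added example, not Unique's own tooling. Field paths are assumptions drawn
from the Azure REST API shapes of the `az ... show` commands named in the
lead-in; confirm them against your CLI version before relying on the result.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed tenant IDs: the tenant hosting the Single Tenant deployment and
# a client tenant that would like to hold its own key.
DEPLOYMENT_TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT_TENANT = "22222222-2222-2222-2222-222222222222"

# Constructed map vault URI -> tenant, as `az keyvault show --query properties.tenantId`
# would report for each vault referenced by a key URI.
VAULT_TENANTS: Dict[str, str] = {
    "https://unique-kv.vault.azure.net": DEPLOYMENT_TENANT,
    "https://client-kv.vault.azure.net": CLIENT_TENANT,
}

# Which services accept a key from a vault in another tenant (per the table above).
CROSS_TENANT_CMK_SUPPORTED = {"postgres": False, "storage": True, "disk": True}


@dataclass
class Finding:
    location: str
    mode: str                   # "CMK" or "PMK"
    key_uri: Optional[str]
    vault_tenant: Optional[str]
    cross_tenant: bool
    ok: bool
    reason: str


def vault_origin(key_uri: str) -> str:
    """Reduce https://v.vault.azure.net/keys/name/version to https://v.vault.azure.net."""
    u = urlparse(key_uri)
    return f"{u.scheme}://{u.netloc}".lower()


def assess(location: str, mode: str, key_uri: Optional[str],
           deployment_tenant: str = DEPLOYMENT_TENANT) -> Finding:
    """Three checks: CMK in use, vault tenant known, cross-tenant key allowed here."""
    if mode != "CMK":
        return Finding(location, "PMK", None, None, False, False,
                       "platform-managed key in use; CMK is expected everywhere")
    if not key_uri:
        return Finding(location, mode, None, None, False, False,
                       "CMK declared but no key URI present")
    vault_tenant = VAULT_TENANTS.get(vault_origin(key_uri))
    if vault_tenant is None:
        return Finding(location, mode, key_uri, None, False, False,
                       "key vault not in inventory; cannot determine its tenant")
    cross = vault_tenant != deployment_tenant
    if cross and not CROSS_TENANT_CMK_SUPPORTED[location]:
        return Finding(location, mode, key_uri, vault_tenant, True, False,
                       "key lives in another tenant, which this service does not support")
    return Finding(location, mode, key_uri, vault_tenant, cross, True,
                   "cross-tenant CMK" if cross else "same-tenant CMK")


def audit_postgres(server: dict, deployment_tenant: str = DEPLOYMENT_TENANT) -> Finding:
    enc = server.get("dataEncryption") or {}            # assumed field path
    mode = "CMK" if enc.get("type") == "AzureKeyVault" else "PMK"
    return assess("postgres", mode, enc.get("primaryKeyUri"), deployment_tenant)


def audit_storage(account: dict, deployment_tenant: str = DEPLOYMENT_TENANT) -> Finding:
    enc = account.get("encryption") or {}               # assumed field path
    mode = "CMK" if enc.get("keySource") == "Microsoft.Keyvault" else "PMK"
    props = enc.get("keyVaultProperties") or {}
    key_uri = None
    if props.get("keyVaultUri"):
        key_uri = f"{props['keyVaultUri'].rstrip('/')}/keys/{props.get('keyName')}"
    return assess("storage", mode, key_uri, deployment_tenant)


def audit_disk_encryption_set(des: dict, deployment_tenant: str = DEPLOYMENT_TENANT) -> Finding:
    cmk_types = {"EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys"}
    mode = "CMK" if des.get("encryptionType") in cmk_types else "PMK"
    key_uri = (des.get("activeKey") or {}).get("keyUrl")  # assumed field path
    return assess("disk", mode, key_uri, deployment_tenant)


# Constructed sample outputs, reduced to the fields the audit reads.
SAMPLE_POSTGRES = {  # client insists on its own vault: not supported for PostgreSQL
    "name": "unique-pg", "dataEncryption": {
        "type": "AzureKeyVault",
        "primaryKeyUri": "https://client-kv.vault.azure.net/keys/pg-key/0123456789abcdef"}}
SAMPLE_STORAGE = {   # same client vault, but Storage supports cross-tenant CMK
    "name": "uniquedocs", "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {"keyVaultUri": "https://client-kv.vault.azure.net/",
                               "keyName": "docs-key"}}}
SAMPLE_STORAGE_PMK = {"name": "uniquelogs", "encryption": {"keySource": "Microsoft.Storage"}}
SAMPLE_DES = {       # vault in the deployment tenant: plain same-tenant CMK
    "name": "unique-des", "encryptionType": "EncryptionAtRestWithCustomerKey",
    "activeKey": {"keyUrl": "https://unique-kv.vault.azure.net/keys/disk-key/fedcba9876543210"}}


def audit_all() -> List[Finding]:
    return [audit_postgres(SAMPLE_POSTGRES), audit_storage(SAMPLE_STORAGE),
            audit_storage(SAMPLE_STORAGE_PMK), audit_disk_encryption_set(SAMPLE_DES)]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{'OK  ' if f.ok else 'FAIL'} {f.location:<9} {f.mode} {f.reason}")
```

Against real resources, replace the constructed samples with the parsed output of the `az ... show` commands and build VAULT_TENANTS from `az keyvault show` for every vault a key URI points at; the key URI alone never reveals the tenant, which is why the inventory step is separate.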

Summary

As of May 2026, no option exists where a client can bring and hold their own keys for all storage locations used by a Unique Single Tenant.

Proposed solution

Clients that need full control over their data and its encryption keys must self-host Unique.
