BYOK (Bring Your Own Key) lets you encrypt your Workspace data with a key that you create and manage in your own Amazon Web Services (AWS) account. The key never leaves AWS KMS: your organization controls who can use it, and can revoke Sketch's access or disable the key at any time (after which Sketch can no longer decrypt the Workspace), while Sketch manages the cloud infrastructure powering your Workspace.
BYOK is available on our Enterprise and Private Cloud plans. Enabling it is completely optional.
How it works
When you enable BYOK, we encrypt your Workspace using:
- An AWS KMS (Key Management Service) key
- An AWS IAM Role that grants Sketch permission to use that key
You create both the key and the IAM role in your own AWS account. Once they’re set up, enter the corresponding ARNs (Amazon Resource Names) in Sketch to activate encryption for your Workspace.
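The three policy documents this setup needs (the role's trust policy, the role's permissions policy and the KMS key policy), plus the sanity checks worth running before pasting the ARNs into Sketch, as an added example. This is constructed code, not Sketch's own code or documentation: it assumes Sketch assumes the role cross-account from its own AWS account and presents an ExternalId, and that it needs the standard envelope-encryption KMS actions. The service account ID, the ExternalId and the sample ARNs are placeholders; use the values Sketch gives you.

```python
"""Policy documents and sanity checks for a BYOK setup (constructed example).

Assumptions not stated on the page: the vendor assumes the IAM role cross-account
from its own AWS account (SERVICE_ACCOUNT_ID is a placeholder) and presents an
ExternalId; the KMS actions listed are the usual envelope-encryption set.
"""
import json
import re

# Placeholder for the vendor's AWS account (assumption; the real value comes from the vendor).
SERVICE_ACCOUNT_ID = "111111111111"

# Actions a service needs to wrap and unwrap data keys; kms:* would be far more than that.
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]

KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:(?P<account>\d{12}):key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/[\w+=,.@/-]+$")

# Constructed sample ARNs in a hypothetical customer account 123456789012.
KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = "arn:aws:iam::123456789012:role/SketchWorkspaceBYOK"


def check_arns(key_arn, role_arn):
    """Both ARNs must be well-formed and belong to the same AWS account (the page says
    you create both in your own account). Returns that account id."""
    key = KEY_ARN_RE.match(key_arn)
    role = ROLE_ARN_RE.match(role_arn)
    if key is None:
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    if role is None:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if key["account"] != role["account"]:
        raise ValueError("key and role must live in the same AWS account")
    return key["account"]


def trust_policy(external_id):
    """Role trust policy: only the vendor's account may assume the role, and only when
    it presents the agreed ExternalId (the usual confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SERVICE_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_permissions(key_arn):
    """Role permissions policy: the envelope-encryption actions on this one key only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": key_arn}],
    }


def key_policy(key_arn, role_arn):
    """KMS key policy: the owning account keeps administration, the role gets use only.
    In a key policy, Resource "*" means the key the policy is attached to."""
    account = check_arns(key_arn, role_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "WorkspaceUse", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": KMS_ACTIONS, "Resource": "*"},
        ],
    }


def role_policy_is_scoped(policy):
    """Reject a role permissions policy that grants kms:* or applies to every key.
    (Meant for the role's IAM policy, not for key policies, where "*" is the norm.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a in ("*", "kms:*") for a in actions) or "*" in resources:
            return False
    return True


if __name__ == "__main__":
    check_arns(KEY_ARN, ROLE_ARN)
    for name, doc in [("trust", trust_policy("example-external-id")),
                      ("permissions", role_permissions(KEY_ARN)),
                      ("key-policy", key_policy(KEY_ARN, ROLE_ARN))]:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
```

Two design choices matter here. The trust policy names a single account and requires an ExternalId, so a third party that knows your role ARN cannot get it assumed through the vendor. The permissions policy names one key ARN rather than "*", so if the role is ever misused the blast radius is that key; `role_policy_is_scoped` catches the common mistake of copying a `kms:*` / `"Resource": "*"` statement from a tutorial.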
What to know before enabling BYOK
- We support multiple keys per Workspace. You can use more than one AWS KMS key if your organization needs it.
- You can’t turn off encryption. Once enabled, the only way to disable it is to delete every document in that Workspace.
- Documents can only be moved directly between encrypted Workspaces. To move a document between an encrypted and a non-encrypted Workspace, download it and upload it to the destination Workspace.