19.1 Bring Your Own Key (BYOK)
Released in March 2025 (as of March 3, 2025), BYOK (Bring Your Own Key) allows organizations to replace Zoho's default Key Encryption Key (KEK) with their own encryption key managed externally. This gives the organization direct control over the encryption and decryption of their Creator field data (BYOK Encryption in Creator).
Scope of BYOK encryption:
- All fields with the "encrypt data" property enabled
- Media fields: file uploads, images, signatures, audio, video
Supported external Key Management Services (KMS):
- Google Cloud Key Management Service
- AWS Key Management System (KMS)
- Thales CipherTrust Manager
- Fortanix Data Security Manager
Navigation: Governance → Encryption (BYOK) tab → Configure Your Key (redirects to Zoho Directory).
Important caveats:
- BYOK is available on paid plans only, upon request to the support team.
- Permanent deletion of a BYOK key renders associated DEKs unrecoverable; encrypted data remains in the Zoho database but is inaccessible.
- Only Super Admins and Admins can manage BYOK keys.
- Removing the configured key automatically restores Zoho's default encryption.
19.2 Bring Your Own Credentials (BYOC)
Covered in Section 10.3. BYOC applies to connection authentication for built-in connectors and provides organizations with dedicated, organization-owned OAuth credentials for third-party integrations, eliminating shared API quota limitations.