Prerequisites
- AWS account with permission to create KMS keys and IAM roles
- KnoxCall Owner or Admin role
Step 1: Create a symmetric KMS key
In your AWS account, create a new symmetric KMS key:Step 2: Create a cross-account IAM role
KnoxCall assumes a role in your account using STS. Create an IAM role with the following trust policy — replace<KNOXCALL_AWS_ACCOUNT_ID> with KnoxCall’s AWS account ID, shown in the BYOK setup wizard (Settings → Security → Tenant Master Key → Customer KMS → Set up BYOK, AWS step). The wizard also renders this exact trust policy ready to paste, with the account ID and your external ID already substituted.
If you prefer the API, the same value is available at:
<your-chosen-external-id> — you’ll enter it in KnoxCall. Using an external ID prevents confused-deputy attacks.
Attach this inline permission policy to the role, scoped to only the one KMS key:
Step 3: Onboard via admin UI
- Go to Settings → Security, find the Tenant Master Key card, click Customer KMS, then Set up BYOK
- Select AWS KMS and click Next
- Fill in:
- KMS key ARN — the full
arn:aws:kms:...ARN (or alias ARN) - Region — the AWS region where your KMS key lives
- Cross-account role ARN — the role you created in Step 2
- External ID — the UUID from Step 2
- KMS key ARN — the full
- Click Next to review, then Confirm + activate
Step 4: Onboard via API
No step-up verification is required for onboarding. KnoxCall runs a probe (wrap + unwrap on 32 test bytes) before writing anything — if the IAM grant isn’t working, the request fails immediately with400 and a plain message like KMS access denied. Check that the IAM/RBAC grant gives KnoxCall both Encrypt and Decrypt on this key. (or KMS probe failed. for other probe errors). If KMS itself is unreachable, you get 502 with KMS provider unreachable during probe. instead.
provider is "aws" (not "aws_kms"). A successful response:
rewrap_status is always "enqueued" — KnoxCall unconditionally issues a background rewrap lease after onboarding.
Step 5: Verify the configuration
config.sealed_since is null and the keys array contains one active version.
Session duration impact
Once BYOK is active, all agent sessions for this tenant have a 5-minute TTL instead of the default 1 hour. Self-hosted proxy agents will renew sessions more frequently — this is intentional to bound plaintext exposure if you later revoke KMS access. Ensure your agents are not configured with session renewal intervals longer than 4 minutes.
Revoking access (the kill switch)
To lock KnoxCall out of your tenant data:- Remove (or deny) the
kms:Decryptpermission from the IAM role — or detach the inline policy entirely. - On the next unwrap cache miss — within one cache TTL (1 hour) — KnoxCall will fail to unwrap and the tenant will enter the sealed state. New agent sessions stop being issued sooner: because BYOK caps session TTL at 5 minutes, no fresh plaintext exposure can be granted beyond that window.
Troubleshooting
AccessDenied during onboarding verify:
- Check the trust policy includes the correct KnoxCall AWS account ID (shown in the BYOK setup wizard’s AWS step)
- Verify
sts:ExternalIdin the trust policy matches what you entered exactly - Confirm the inline policy ARN matches the KMS key ARN (no typos)
NoCredentialProviders error:
- The KnoxCall principal ARN must appear in the trust policy’s
Principal.AWSfield - Ensure you saved the role after adding the trust policy
- Copy the role ARN directly from the IAM console — avoid hand-typing the account ID
- Check KMS key is not in a pending-deletion state:
aws kms describe-key --key-id <arn> - Verify the KMS key is in the correct region
GCP Cloud KMS setup
Service account impersonation for GCP
Sealed state and unseal
What to do when KMS becomes unreachable
Key rotation
Rotate to a new master key version
Tenant KMS API reference
Full endpoint reference