About KeySafe

Note: Multi-region AWS KMS is available if you provide your multi-region AWS KMS and give Box permission to use your backup and primary keys.

KeySafe and Box functionality

Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS. This section codifies specific limitations and supported scenarios when using KeySafe with Box.

KeySafe file encryption

Customer understands and acknowledges that KeySafe KMS encrypts file content uploaded to the Box Service, excluding Box Notes.

Known limitations

This section describes Box functionality limitations when using KeySafe:

Box AI and file content: File content processed by Box AI is decrypted securely at query time using customer-managed keys, so individual file content remains under KeySafe protection.

AI session data: AI session data and related metadata are not currently KeySafe-compatible.

Vector store and search capability: The vector store and search capability that power Box AI are not currently KeySafe-compliant.

Box AI for Hubs embeddings: Vector embeddings for Box AI for Hubs are encrypted with Box-managed keys, not customer-managed keys. Customers can disable Box AI for Hubs if desired.

Full-text search: Full-text search indexes are encrypted with Box-managed keys. Customers can disable full-text search if desired.

Metadata: Comments, descriptions, and Metadata are encrypted with Box-managed keys.

Migration from Box

If a customer decides to disable KeySafe, their files will be re-encrypted using Box’s standard encryption keys. This process replaces the customer-managed encryption keys with Box-managed encryption keys at a rate of approximately 100 files per second.

​KeySafe and Box functionality

​KeySafe file encryption

​Known limitations

​Migration from Box

​See Also

KeySafe and Box functionality

KeySafe file encryption

Known limitations

Migration from Box

See Also