# About KeySafe

KeySafe is Box's key management service (KMS) that enables you to use your own encryption keys to secure your content stored in Box. By leveraging customer-managed encryption keys, KeySafe provides:

* Independent key control
* Unchangeable audit log
* Content kill switch

KeySafe supports Amazon Web Services (AWS) KMS and Google Cloud Platform (GCP) KMS, as well as both platforms' Hardware Security Modules (HSMs), and integrates seamlessly with existing workflows.

<Warning>
  **Note:** [Multi-region AWS KMS](/en/box-compliance/keysafe/enabling-keysafe-with-amazon-web-services#multi-region-aws-kms) is available if you provide your multi-region AWS KMS and give Box permission to use your backup and primary keys.
</Warning>

## KeySafe and Box functionality

Customer understands and acknowledges that certain functionality of the Box Service may be limited as a result of implementation of KeySafe KMS. This section codifies specific limitations and supported scenarios when using KeySafe with Box.

### KeySafe file encryption

Customer understands and acknowledges that KeySafe KMS encrypts file content uploaded to the Box Service, excluding Box Notes.

### Known limitations

This section describes Box functionality limitations when using KeySafe:

* **Box AI and file content**: File content processed by Box AI is decrypted securely at query time using customer-managed keys, so individual file content remains under KeySafe protection.
* **AI session data**: AI session data and related metadata are not currently KeySafe-compatible.
* **Vector store and search capability**: The vector store and search capability that power Box AI are not currently KeySafe-compliant.
* **Box AI for Hubs embeddings**: Vector embeddings for Box AI for Hubs are encrypted with Box-managed keys, not customer-managed keys. Customers can disable Box AI for Hubs if desired.
* **Full-text search**: Full-text search indexes are encrypted with Box-managed keys. Customers can disable full-text search if desired.
* **Metadata**: Comments, descriptions, and Metadata are encrypted with Box-managed keys.

### Migration from Box

If a customer decides to disable KeySafe, their files will be re-encrypted using Box's standard encryption keys. This process replaces the customer-managed encryption keys with Box-managed encryption keys at a rate of approximately 100 files per second.

### See Also

* [KeySafe KMS Technical Requirements](/en/box-compliance/keysafe/keysafe-kms-technical-requirements)
* [Enabling KeySafe with Amazon Web Services](/en/box-compliance/keysafe/enabling-keysafe-with-amazon-web-services)
* [Enabling KeySafe with Google Cloud Platform](/en/box-compliance/keysafe/enabling-keysafe-with-google-cloud-platform)
