Part 3: Encryption Technology

Your key NEVER exists as a whole

Our patented technology, Distributed Fragments Cryptography™ (DFC), enables us to perform cryptographic operations using fragments of an encryption key, without EVER combining the key fragments. As illustrated below, this technology allows Akeyless to store fragments of an encryption key in different regions on different cloud providers, and never combine those fragments.


Fragments of a single Encryption Key that are stored in
different cloud providers and are NEVER combined

Q: So you're basically using key-split? Shamir's secret sharing?

  • Answer: NO. We're definitely not. The known weakness of any split method is that whenever you wish to encrypt/decrypt any data, you MUST combine the fragments of the key. When you do so, a malicious attacker could potentially gain access to your constructed key, and then - your key is compromised. It's game over. This is why, using Akeyless DFC, the key is never constructed, not even during the encryption/decryption process, meaning, the key never exist as a whole.

Key Fragments are constantly refreshed

An encryption key is basically a very high numeric value. Let's say that fragments of that value would have the sub-value of X, Y, and Z, where X+Y+Z equals the key. Now, assume that for every period of time, the X, Y, and Z values are changing to A, B, and C, where A+B+C = X+Y+Z = the Key. This would mean that a malicious attacker who wishes to access our key would need to access all of the key's fragments simultaneously, in a simultaneous attack vector.

We use Zero-Knowledge Encryption for your Keys and Secrets

The missing piece of that puzzle is - who can access the key fragments? Some may say, that though DFC doesn't allow cloud providers to have access to the whole key, Akeyless itself has the ability to construct the key whenever it wishes, since it manages the key fragments infrastructure.

Well, they're basically right, but, they can also be completely wrong.

Since Akeyless DFC enables Akeyless to perform cryptographic operations WITHOUT EVER COMBINING the encryption key, one of the key fragments can actually be on the customer's environment, where Akeyless has no access. This means that Akeyless, as a service provider, won't be able to decrypt any data that is encrypted by our customers (who hold one of the key fragments). The reason is simple: we don't have access to your fragment.

Therefore, in order to enable Zero-Knowledge Encryption, all you need is your own Customer Fragment.


Fragments of a single Encryption Key that are managed by Akeyless
while a single fragment is stored in the customer's environment