A Key Management Service (KMS) is the cloud control plane for creating, rotating, and auditing cryptographic keys. AWS KMS, Google Cloud KMS, and Azure Key Vault are common choices. Enterprises standardize on one KMS per environment so IAM, logging, and HSM-backed keys stay consistent.
KMS integrates with envelope encryption patterns: an application requests a data key, KMS returns that key both in plaintext and wrapped (encrypted) under a KMS-held key, the plaintext copy is used immediately and then discarded, and only the wrapped copy is stored alongside the data. For BYOK tokenization, KMS holds the KEK that wraps the provider's DEKs.
KMS permissions must be least-privilege. Overly broad unwrap (decrypt) rights granted to CI service accounts have caused breaches. Use separate keys per environment (sandbox vs. production) and per regulatory boundary.
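The envelope pattern and the unwrap boundary described above, as an added example that is not part of Veliro's documentation or any KMS SDK: a Go program in which a local KEK value (constructed here; a real KEK never leaves the KMS) stands in for the KMS, a fresh DEK is wrapped under it with the caller's context bound as AAD (the role a KMS encryption context plays), and only DecryptRecord needs the unwrap right that least-privilege policy should scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal is AES-256-GCM producing nonce||ciphertext; ctx is bound as AAD, the role a KMS encryption context plays.
func seal(key [32]byte, pt, ctx []byte) []byte {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key type fixes the size at 32 bytes
	g, _ := cipher.NewGCM(block)      // cannot fail: AES block size is valid for GCM
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, ctx)
}

// open reverses seal; a wrong key, a different ctx or a tampered blob fails authentication.
func open(key [32]byte, blob, ctx []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], ctx)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// EncryptRecord mirrors GenerateDataKey plus local encryption. kek stands in for the KMS-held
// key (constructed for this example); the plaintext DEK is a local that is never persisted.
func EncryptRecord(kek [32]byte, record, ctx []byte) (wrappedDEK, blob []byte) {
	var dek [32]byte
	rand.Read(dek[:])
	return seal(kek, dek[:], ctx), seal(dek, record, ctx) // store both; dek is dropped here
}

// DecryptRecord is the only path that needs unwrap (KMS Decrypt) rights on the KEK.
func DecryptRecord(kek [32]byte, wrappedDEK, blob, ctx []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, ctx)
	if err != nil || len(dek) != 32 {
		return nil, fmt.Errorf("DEK unwrap failed: %v", err)
	}
	return open([32]byte(dek), blob, ctx)
}

func main() {
	kek := [32]byte{1, 2, 3} // constructed stand-in; a real KEK never leaves the KMS
	wrapped, blob := EncryptRecord(kek, []byte("4111111111111111"), []byte("env=prod"))
	fmt.Println(DecryptRecord(kek, wrapped, blob, []byte("env=prod")))
}
```

Unwrapping with a different ctx (for example a sandbox context against a production blob) fails authentication, which is the property that stops a wrapped DEK from being reused across the environment boundary.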
Veliro documents supported KMS providers and IAM policies for BYOK. Your security team keeps custody of the KEK; Veliro operates token APIs and scheme connectivity without standing access to unwrap production DEKs unless you grant it temporarily for support.
Cloud KMS audit logs should feed your SIEM, with alerts on anomalous unwrap volume; credential vaults are high-value targets even when the PAN never touches your app servers.