> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-ai-docs-migration-poc.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to enable Customer Managed Keys using the dashboard

# Configure Customer Managed Keys with the Dashboard

Auth0 secures your tenant secrets and data using an Auth0 Environment Root Key, at the top of the envelope encryption key hierarchy. The Auth0 Environment Root Key and Customer Provided Root Key are stored in the hardware security module (HSM) of the corresponding Auth0 Cloud Service Provider, AWS or Azure.

## Bring Your Own Key

Using Bring Your Own Key, users with the  [Key Management Editor role](/docs/get-started/manage-dashboard-access/add-dashboard-users) can use the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> to replace the default Auth0 Environment Root Key with their own Customer provided Root Key.

Customers can securely upload their own Root Key which contains their own cryptographic material to:

* Meet custom key generation and provenance requirements for the Environment Root Key.
* Meet specific key installation or lifespan requirements for the Environment Root Key.

<Warning>
  By importing your own Customer Provided Root Key with Bring Your Own Key, you are implicitly deauthorizing Auth0 from managing the lifecycle of the Customer Provided Root Key, except for its deletion.
</Warning>

To begin, go to Dashboard > Settings > Encryptions keys

<Frame>
  <img src="https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=dab0dd0c859ef636f06b247efff13e5a" alt="Dashboard > Settings > Encryption Keys" data-og-width="1162" width="1162" data-og-height="577" height="577" data-path="docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?w=280&fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=230736ac7b96493a854302df1af067a6 280w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?w=560&fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=67b4c5ff96f9968db50c7b6ef0956443 560w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?w=840&fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=027f42f6cd2b28d55685ba181145b986 840w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?w=1100&fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=b25ddf7a891f019c83ab1ff429c7e251 1100w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?w=1650&fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=9651983afebafb030cd194fca687c8a1 1650w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/Td7TaYSzfoMHJ3Sq/docs/images/cdy7uua7fh8z/1qmfCSl7cOugrHIAdxSyAt/6c7d7185920e61809d9423c8e3d4c4f2/Encryption_Keys_-_EN.png?w=2500&fit=max&auto=format&n=Td7TaYSzfoMHJ3Sq&q=85&s=1e5b9c2693ce6e9e8e7f12604fc96652 2500w" />
</Frame>

Select **Upload Key** to begin the import process for your Customer Provided Root Key. This will open the import dialog:

<Frame>
  <img src="https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=05c45da4d9df366dea6350478a639b6b" alt="Dashboard > Settings > Encryption Keys > Upload" data-og-width="629" width="629" data-og-height="462" height="462" data-path="docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?w=280&fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=5f1c089f0ffa3abef558834898ab8463 280w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?w=560&fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=14d0ef2382269039193204706b1dd44b 560w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?w=840&fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=f50e0622c5f9708d7d2779e1fb53fe7d 840w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?w=1100&fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=8849a87a45935961f44845b06d0601a1 1100w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?w=1650&fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=81e0fba32ab5331e194dcb417739bb1e 1650w, https://mintcdn.com/docs-dev-docs-ai-docs-migration-poc/1hui31hA8LtZfr-C/docs/images/cdy7uua7fh8z/1GJPgT1Be7Wm6G6ldCVW4q/96e5a326aa643f29bb50aea76fce27aa/image__2_.png?w=2500&fit=max&auto=format&n=1hui31hA8LtZfr-C&q=85&s=2ace6a8fd6d4d56911be03f325526507 2500w" />
</Frame>

When you select **Upload Key** and then **Download,** it initiates the Bring Your Own Keys  process:

1. Creates a public wrapping key and downloads it to your system.
2. Take the public wrapping key and wrap your own cryptographic material with it using your own key management system to create a Wrapped Encryption Key (the Customer Provided Root Key).
3. Upload your Wrapped Encryption Key and select **Save**.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The Wrapped Encryption Key once uploaded replaces the Auth0 Environment Root Key in the hardware security module (AWS or Azure) as a Customer Provided Root key.
</Callout>

## Cryptographic material requirements

Use your key management system to wrap your own cryptographic material with the public wrapping key and create the Wrapped Encryption Key. Use these settings for the [CKM\_RSA\_AES\_KEY\_WRAP](https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226894) algorithm parameters based on your Auth0 Cloud Service Provider (AWS or Azure):

### Auth0 on AWS cloud

* Public wrapping key length: 3072 bits
* Algorithm: CKG\_MGF1\_SHA256
* Temporary AES key length for CKM\_AES\_KEY\_WRAP\_PAD: 256 bits
* Customer provided root key type: 256 bits long AES symmetric key

### Auth0 on Azure cloud

* Public wrapping key length: 2048 bits
* Algorithm: CKG\_MGF1\_SHA-1
* Temporary AES key length for CKM\_AES\_KEY\_WRAP\_PAD: 256 bits
* Customer Provided Root Key type: 2048 bits long RSA private key
* Private key encoding: PKCS #8 - ASN.1 DER
