# Integrating SAP Data Custodian KMS with Amazon KMS
<a name="aws-kms"></a>

SAP Data Custodian Key Management Service enables customer-managed encryption keys for data stored in SAP services. Please note that SAP Data Custodian Key Management Service is not the same as Amazon Key Management Service (KMS).

Using Amazon KMS as the keystore in the [HYOK (Hold Your Own Key) scenario](https://help.sap.com/docs/sap-data-custodian/key-management-service/amazon-web-services-hyok?locale=en-US), SAP Data Custodian Key Management Service provides a consistent and centralized approach to key management, especially if Amazon KMS is already employed for other Amazon workloads. This enables seamless integration, streamlined key lifecycle management, and enhanced security through the robust encryption and access control mechanisms of Amazon KMS.

This integration allows customers to manage and control the encryption keys used to protect their sensitive data, ensuring greater security and compliance. SAP Data Custodian Key Management Service can be interfaced with Amazon KMS in the HYOK (Hold Your Own Key) scenario with the following supported key types and capabilities:


| Area |  Amazon KMS (HYOK Scenario) | 
| --- | --- | 
| Supported Key Types and Key Sizes | AES (256), RSA (3072, 4096) | 
| Key Management | Key is created and stored in Amazon KMS keystore | 
| Key Revocation | Key can be disabled or unregistered at any time | 

The following diagram shows the SAP KMS integration with Amazon KMS in the HYOK scenario.

![The SAP KMS integration with KMS - HYOK](http://docs.amazonaws.cn/en_us/sap/latest/general/images/rise-security-hyok.png)


In the diagram above:
+ The key is created in the Amazon KMS keystore.
+ The key is stored in Amazon KMS and retrieved by SAP KMS when required.
+ SAP KMS encrypts SAP data at the application level.
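The table above separates key use (by SAP KMS) from key revocation (by the customer, who can disable the key at any time). The added example below, which is not code from this page, from SAP or from AWS, shows what that separation looks like as a KMS key policy and a check that the SAP-side principal never receives lifecycle permissions. The account ID, the role ARN and the set of actions SAP Data Custodian needs are placeholders and assumptions; consult the SAP HYOK documentation linked above for the actual principal and permissions it requires.

```python
import fnmatch
import json

# Constructed placeholder identifiers (assumptions, not values from this page).
CUSTOMER_ACCOUNT = "111122223333"
SAP_KMS_PRINCIPAL = "arn:aws:iam::111122223333:role/SapDataCustodianHyok"

# Assumed set of operations the SAP-side principal needs to use the key.
SAP_ALLOWED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
# Lifecycle operations that must stay with the customer so that the key can be
# disabled (revoked) or its policy changed only by the customer account.
LIFECYCLE_ACTIONS = ("kms:DisableKey", "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy")


def hyok_key_policy(account: str, sap_principal: str) -> dict:
    """Build a KMS key policy: full admin for the customer account root,
    use-only permissions for the SAP-side principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CustomerKeyAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "SapDataCustodianUse", "Effect": "Allow",
             "Principal": {"AWS": sap_principal},
             "Action": list(SAP_ALLOWED_ACTIONS), "Resource": "*"},
        ],
    }


def sap_lifecycle_grants(policy: dict, sap_principal: str) -> list:
    """Return the lifecycle actions granted to sap_principal, expanding IAM
    wildcards such as 'kms:*' or 'kms:Disable*'. An empty list means the
    customer alone can disable or delete the key, as the HYOK model requires."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if sap_principal not in principals:
            continue
        patterns = stmt["Action"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        for pattern in patterns:
            granted.update(a for a in LIFECYCLE_ACTIONS if fnmatch.fnmatch(a, pattern))
    return sorted(granted)


def policy_json(policy: dict) -> str:
    """Serialize the policy as it would be passed to CreateKey/PutKeyPolicy."""
    return json.dumps(policy, indent=2)
```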