data.day

How We Demand Local Key Control Without Sounding Paranoid

You don't need a tinfoil hat to demand encryption custody. You just need the right contract language. Here is how to frame the request.

The Art of the “Diplomatic No”

I was reviewing a contract for a new health platform. The vendor was excellent, the features were robust, and the price was right.

“We just need you to sign off on the encryption standard,” the account executive said. “We use AES-256 managed by our global security team.”

“That is unacceptable to the municipality,” I replied.

“Why?” he laughed nervously. “Do you think we’re going to steal the data?”

“I think you are a business subject to market forces and foreign laws,” I said. “I do not deal in trust. I deal in verification. We require Customer Managed Keys (CMK) with a Key Access Justification log.”

He stopped laughing. “That’s an enterprise feature. It’s complicated.”

“We are a government. We are comfortable with complexity.”

The Dependency: The “Trust Us” Model

Vendors frame local key control as an unnecessary burden. They will tell you it breaks features (it rarely does). They will tell you it reduces reliability (it effectively shifts responsibility).

Their goal is to keep you in the “Trust Us” model. In this model, their internal administrators have root access to your environment to “troubleshoot.”

We must view every “internal admin” at a vendor as a foreign agent. Not because they are malicious, but because they are outside our chain of command. If an admin in a support center in a third country can decrypt a file to fix a bug, our digital border has been crossed.

The Sovereign Choice: Contractual precision

We do not argue about feelings. We argue about Risk Statutes. When negotiating, use this specific language:

  1. “Jurisdictional Containment”: Do not say “I don’t trust you.” Say: “Our regulatory framework requires that cryptographic material never leaves the legal jurisdiction of the Municipality.” This frames it as a compliance issue, not a personal insult.
  2. “Break-Glass Protocol”: Demand a clause that defines exactly who can access the keys in an emergency, and require that every access event generates an immutable log entry sent to our SIEM (security monitor).
  3. “The Kill Switch”: We demand the technical capability to revoke the key encryption key (KEK) instantly. If we suspect a breach or a geopolitical shift, we must be able to “go dark” immediately.

If the vendor refuses these terms, they are admitting that their business model relies on owning your data. At that point, the negotiation is over. We do not subsidize our own colonization.

FAQs

Does this slow down the software?

It introduces milliseconds of latency. Democracy is often slower than tyranny; it is a price we pay for freedom.

Will vendors walk away?

Big Tech might. Boutique, sovereignty-focused vendors will welcome you. We must support the latter.

Is this only for Top Secret data?

No. It is for any data where the breach of trust would harm a Citizen. That includes housing, health, and education.