data.day

“We’re in Frankfurt” — and the Keys Are Still Abroad

Why the 'Region' dropdown menu is the greatest trick Big Tech ever pulled on the public sector.

Geography is Not Security

The diagram was beautiful. It showed a fortress in Frankfurt, surrounded by a blue wall of GDPR compliance. Inside, our data sat safely, protected from the scary world outside.

“See?” the architect said. “Data residency is guaranteed.”

I pointed to a small, thin line on his diagram connecting the Frankfurt fortress to a cloud icon labeled ‘Global Identity & Access Management (IAM)’.

“What travels on that line?” I asked.

“Just authentication traffic,” he dismissed. “And key management.”

“So,” I corrected him, “the vault is in Frankfurt. But the person holding the key is in Seattle. And every time we open a file, we must ask Seattle for permission.”

He stopped tapping the screen.

The Trap: The Residency Mirage

The industry has spent billions convincing municipal leaders that Residency (where the bits sit) is the same as Sovereignty (who controls the bits).

This is a dangerous lie.

If your data is encrypted at rest in a local data center but the vendor manages the keys (SSE-S3 or a similar provider-managed service), the data is legally resident in the vendor’s home jurisdiction. Under the US CLOUD Act, possession of the key is equivalent to possession of the data.

We are building digital castles on sand. We tick the compliance box because the server is on our continent, ignoring the fact that the command-and-control infrastructure remains foreign. We are not tenants; we are guests in our own house.

[TO EDITOR: A diagram showing a ‘Safe’ in Europe, but a long arm reaching from the US holding the key to open it.]

The Exit Strategy: Segregation of Duties

To regain sovereignty, we must separate the Storage Provider from the Security Provider.

We do not accept “Platform Managed Keys” for sensitive citizen data. We enforce a strict External Key Management (EKM) policy.

  • The Rule: The entity that stores the data must never possess the ability to decrypt it unilaterally.
  • The Implementation: We host the Hardware Security Module (HSM) in our own municipal basement, or with a trusted local sovereign partner.
  • The Result: When the foreign infrastructure is queried, it sees only ciphertext. It must request the key from us. We grant it, temporarily, for a specific transaction, and then we revoke it.

If the vendor receives a subpoena, they can truthfully say: “We cannot help you. We do not have the keys.”

That is not just security. That is autonomy.
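The segregation of duties described above, as an added illustration that is not part of the original article: a hypothetical municipal key holder wraps every per-object data key under a root key it never exports, and the storage provider must ask it for an unwrap on every read, which succeeds only while a grant for that transaction is active. The HMAC-based cipher is a standard-library stand-in for the AES-GCM a real HSM would use; the class names, transaction ids and sample record are constructed for the example.

```python
import hashlib, hmac, secrets

def keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter-mode stand-in for AES (stdlib only); a real EKM uses AES-GCM in the HSM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class MunicipalKeyHolder:
    """Hypothetical municipal HSM: holds the root key and unwraps only under an active grant."""
    def __init__(self):
        self._root = secrets.token_bytes(32)  # never leaves this object
        self._grants = set()                  # transaction ids allowed to unwrap
    def wrap(self, dek):
        nonce = secrets.token_bytes(16)
        return nonce + keystream_xor(self._root, nonce, dek)
    def grant(self, txn): self._grants.add(txn)
    def revoke(self, txn): self._grants.discard(txn)
    def unwrap(self, wrapped, txn):
        if txn not in self._grants:
            raise PermissionError(f"no active grant for {txn}")
        return keystream_xor(self._root, wrapped[:16], wrapped[16:])

class ForeignStorageProvider:
    """Holds ciphertext and wrapped data keys only; a subpoena here yields nothing readable."""
    def __init__(self, holder):
        self.holder, self.objects = holder, {}
    def put(self, name, plaintext):
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)  # per-object key, not retained in clear
        self.objects[name] = (nonce, keystream_xor(dek, nonce, plaintext), self.holder.wrap(dek))
    def get(self, name, txn):
        nonce, ciphertext, wrapped = self.objects[name]
        dek = self.holder.unwrap(wrapped, txn)  # must ask the municipality each time
        return keystream_xor(dek, nonce, ciphertext)

def demo():
    # Constructed scenario: one read under an active grant, one after revocation.
    holder = MunicipalKeyHolder()
    storage = ForeignStorageProvider(holder)
    storage.put("citizen-record", b"constructed sample record")
    holder.grant("txn-1")
    read_ok = storage.get("citizen-record", "txn-1")
    holder.revoke("txn-1")
    try:
        storage.get("citizen-record", "txn-1")
    except PermissionError:
        return read_ok, "refused"
    return read_ok, "decrypted"
```

Once the grant is revoked, the provider still holds the bytes but can no longer turn them into the record, which is the position the article wants a vendor to be in when a subpoena arrives.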

FAQs

What is a root key?

It is the master key that decrypts all other keys. Whoever holds this controls the data, regardless of where the hard drives sit.

The vendor says they have 'internal controls' preventing access. Is that enough?

Internal controls are company policy. Sovereignty requires physics. Policy can be changed; physics cannot.

Is Bring Your Own Key (BYOK) expensive?

It costs more than surrender. But it costs less than a sovereignty breach.