Bring your own KMS keys
You can now import your own AWS KMS keys to encrypt the credentials stored in Metorial Vault. By default Vault manages encryption for you; with KMS you take ownership of the keys, so secrets are encrypted under keys only you control. Every operation involving a KMS-protected secret is logged and auditable.