Overview
Enterprise Key Management (EKM) allows OpenAI to encrypt data using a master key that you control. This document shows how to set up your AWS account to give OpenAI limited permissions on your KMS.

Steps
1. Create a new KMS key
Go to KMS -> Customer managed keys, then click Create Key.
Select a symmetric encryption algorithm.
After your key is created, note its ARN. Supported formats include:
arn:aws:kms:<region>:<account_number>:key/<uuid>
arn:aws:kms:<region>:<account_number>:key/mrk-*
arn:aws:kms:<region>:<account_number>:alias/<alias_name>

2. Create a custom policy for limited access to the KMS key
Go to IAM -> Policies, then click Create Policy.
In the Specify permissions step, select JSON and enter the following to give the policy KMS access actions. Make sure you replace YOUR_KMS_ARN with the ARN of the Key you created.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEncryptDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt"
      ],
      "Resource": "<YOUR_KMS_ARN>"
    }
  ]
}

3. Create an IAM Role for OpenAI to assume, and assign it to the policy with limited access to your KMS
OpenAI will call AssumeRole from an OpenAI-owned AWS account. This step lets OpenAI's AWS principal assume the limited role for accessing your KMS.
Go to IAM -> Roles, then click Create Role.
In the Select trusted entity step, select Custom trust policy.

Next, enter the following in the Custom trust policy to allow access to OpenAI's AWS principal.
The principal is OpenAI's AWS principal: arn:aws:iam::790389265272:role/EnterpriseKeyManagement.
Indicate which ExternalId OpenAI should pass during the AssumeRole process. For ChatGPT or API, use the organization ID (org-xxx) associated with your workspace: https://platform.api.openai.org/settings/organization/general.
For API, you can use a specific API project ID for more granularity.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::790389265272:role/EnterpriseKeyManagement"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": [
            "<YOUR_OPENAI_ORGANIZATION_ID>"
          ]
        }
      }
    }
  ]
}

Then, in the Add permissions step, search for the policy name of the IAM policy you created in the previous step. Click the checkbox next to the policy name, then click Next.

Finally, in the Name, review, and create section, select any role name.
4. Apply any additional restrictions in line with your own security practices
Above is the minimum required setup OpenAI needs for EKM. You are free to apply additional key policies or restrictions in line with your own internal security practices, as long as OpenAI is able to call Encrypt and Decrypt operations on your KMS key. When you call the key registration endpoint described below, OpenAI will validate your setup.
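Before sharing the ARNs, it is worth checking the two IAM documents from steps 2 and 3 against what this page asks for: only kms:Encrypt/kms:Decrypt on a single KMS key ARN, and a trust policy that admits only OpenAI's role and only with an sts:ExternalId condition. The following is an added example, not OpenAI's code; the principal, actions and ARN formats are taken from the page, the check function names and the sample values in the comments are assumptions.

```python
import re

# Added example (not from the OpenAI page): static checks on the permissions
# policy and trust policy built in the steps above, run before sharing ARNs.
OPENAI_PRINCIPAL = "arn:aws:iam::790389265272:role/EnterpriseKeyManagement"
ALLOWED_ACTIONS = {"kms:Encrypt", "kms:Decrypt"}
# Key ARN formats the page lists: key/<uuid>, key/mrk-*, alias/<alias_name>
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:"
                        r"(key/[0-9a-f-]{36}|key/mrk-[0-9a-f]+|alias/[A-Za-z0-9/_-]+)$")


def _as_list(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_permissions_policy(doc: dict) -> list[str]:
    """Findings for the KMS permissions policy; empty means as tight as the page asks."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action"))) - ALLOWED_ACTIONS
        if extra:  # e.g. "kms:*" or kms:CreateGrant would be flagged here
            findings.append(f"actions beyond Encrypt/Decrypt: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource")):
            if not KMS_ARN_RE.match(res):  # "*" or a non-KMS ARN
                findings.append(f"resource is not a single KMS key ARN: {res}")
    return findings


def check_trust_policy(doc: dict) -> list[str]:
    """Findings for the role trust policy: only OpenAI's role, only with an ExternalId."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if principals != [OPENAI_PRINCIPAL]:
            findings.append(f"unexpected principal: {principals}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not _as_list(cond.get("sts:ExternalId")):
            # Without an ExternalId any caller OpenAI's role acts for could target this role.
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings
```

Load each document with json.load and pass the resulting dict; an empty list from both functions means the setup matches the minimum this page describes, and any finding names the statement element to tighten.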
After completing the above steps
ChatGPT Enterprise
Please reach out to your OpenAI contact and share the following:
"role_arn": "arn:aws:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>" (the Role ARN that OpenAI will assume in your cloud)
"kms_arn": "arn:aws:kms:<REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:key/<UUID>" (the Key Management Service ARN for the master key you manage)
We will enable EKM for your ChatGPT organization/workspace.
API
Register your external key with OpenAI
Follow the instructions in this API reference: External Keys in the Management API.
First, register your external key at the OpenAI organization level, which will generate an external key ID.
In this step, we will validate that your input is valid and that we can authenticate to your KMS.
This won't add EKM to your OpenAI project yet.
curl -X POST \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.openai.com/v1/organization/external_keys" \
  -d '{
    "type": "aws",
    "name": "AWS EKM Config",
    "role_arn": "arn:aws:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
    "kms_arn": "arn:aws:kms:<REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:key/<UUID>",
    "external_id": "<your org id or project id>"
  }'

Then, create an OpenAI project associated with the external key. After this, EKM is activated on your project. The response body of this API call will give you the project ID (proj_xxx).
curl -X POST \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.openai.com/v1/organization/projects" \
  -d '{
    "name": "Some Project",
    "external_key_id": "extkey_xxxx"
  }'