Egnyte announced a new product today that lets customers control their encryption keys with either a customer-managed offering or a cloud service that requires less heavy lifting and management.

While Egnyte (and all reputable cloud vendors) offer end-to-end encryption, some customers require a greater degree of control of their content. Letting customers manage the encryption keys can give them finer control over security and access to the information stored via the Egnyte services — whether that involves blocking a malicious intruder or responding to a government subpoena.

At a time when the government is trying to compel Apple to break its iPhone encryption, the announcement puts a spotlight on the idea of giving customers, rather than the vendor, control over encryption.

The customer-managed service is built into the Egnyte admin control panel and it supports a number of third-party key management services including Microsoft Azure Key Vault, Amazon Cloud HSM or a KMIP-compatible on-premises HSM such as SafeNet.

Giving customers an encryption key management choice is consistent with Egnyte’s overall philosophy around storage.

“We have been agnostic over the last couple of years about where our customers store their data. They can keep it in the Egnyte cloud or an AWS S3 bucket or any object store that’s out there. Expanding the scope of HSM choices serves those customers better,” Egnyte co-founder and chief security officer Kris Lahiri told TechCrunch.

The new key management services have been driven in large part by customer demand, Lahiri said.

“Since Prism/Snowden and other inflection points, it’s been more important for enterprises to get a feeling of control about how they are managing their encryption keys. Regardless who is snooping [or demanding access], it’s about giving customers control,” he said.

That control has the potential to be a double-edged sword, however, Lahiri explained. If you mess up on the management, it could have serious consequences. That means it’s important to educate the customer and give them the tools to manage their encryption keys properly.

“When the customer takes on the responsibility of managing the encryption keys, it comes with a lot of responsibility because of the fact if you lose access to your HSM or your administrator [somehow] messes it up, this company has lost access to all of its data,” Lahiri explained.

He said Egnyte has designed the tool to minimize this risk and walk customers through the process of creating and managing keys themselves if that’s what they want to do. Customers who don’t have the staff or the desire to do it themselves can let Egnyte manage that process for them via a cloud service.

Both methods give customers control over the keys, but the cloud service simplifies the setup and management process.

Egnyte is not the first cloud vendor to offer control over encryption keys. Box has had a service in place for about a year, and more recently began offering a managed cloud service using Amazon HSM. Egnyte is trying to differentiate itself by offering a broader set of choices, letting the customer decide which key management vendor to use and whether they want to be in charge of that process or let Egnyte help them.