It says that the customer always gets a fragment of the key, which means it’s safer because while it’s a secrets-as-a-service provider, you still maintain that on your cloud provider(s) and/or data center infrastructure. What I don’t get is how that’s better since your data can be decrypted with only part of the key. Isn’t that just exposing your key material in more places? What makes it inherently better than, say, HashiCorp Vault using Shamir secret sharing backed by AWS KMS auto-unseal?