AWS KMS - Basic concepts

First, what is it?

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions.

So, with AWS KMS you can store your customer master keys securely.

What are customer master keys (CMKs) then?

A customer master key is the primary resource in AWS KMS (so it has its own ARN). It is a logical representation of a master key. You can create symmetric and asymmetric CMKs. The key material of a CMK never leaves AWS KMS unencrypted, and nobody at AWS can export it; what you control, through the key policy and IAM, is who is allowed to use it. Your master keys live inside hardware security modules (HSMs).

You can read more about the cryptographic details here.

Okay, so what can you do with AWS KMS?

AWS managed CMKs

Using AWS managed CMKs you can encrypt/decrypt your data stored on S3 or EBS (this is handled transparently and requires no additional action from you!). If someone steals your (encrypted) data, they can do nothing with it without access to AWS KMS. Note the flip side: anyone holding AWS credentials that are allowed to call Decrypt with that key (stolen access keys, an over-privileged role) can read the data, so this protection is only as strong as your key policies and IAM policies. Here is a list of AWS Services integrated with AWS KMS.

Customer managed CMKs

You can also use customer managed CMKs and integrate them with tools such as sops, for example. You can generate, encrypt and decrypt data keys with AWS KMS, but you are not forced to generate data keys in AWS KMS. If your tool generates its own data keys (as sops does), you can still use AWS KMS to encrypt/decrypt those keys. No problem. But remember: once AWS KMS has handed you a data key, that key is your responsibility from then on. AWS KMS stores and protects only master keys; it does not store, track or rotate data keys.

Data keys

Okay... so what are these data keys? 🤔

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.

So... basically, with a data key you encrypt and decrypt your data (the master key encrypts/decrypts only the data key, never the data itself!).

AWS KMS can generate a data key for you (the GenerateDataKey operation). You receive two things: the plaintext data key and a copy of the same data key encrypted under your CMK. You can store the encrypted data key wherever you want because (you know) it is encrypted and can be decrypted only with your CMK (Customer Master Key). That also means anyone who can call Decrypt with that CMK can recover it, so guard the AWS credentials and the key policy for the CMK, not just the encrypted blob 🙏.

With the plaintext data key you encrypt/decrypt your data, and then you destroy that plaintext key as soon as you are done (zero the memory; never write it to disk or logs). You should not store this data key anywhere. You need it in plaintext form only for a short moment.

If you want to decrypt your data, you first have to decrypt the encrypted data key. How? You send the encrypted data key to AWS KMS (the Decrypt operation); AWS KMS uses your CMK, decrypts it and returns the data key in plaintext form. Now you can decrypt/encrypt your data with this key. Remember to remove this plaintext data key (😱) as soon as possible.

You never have access to your CMK: it never leaves AWS infrastructure and you cannot "get" it (that is what makes it so secure). You only ever send the (small) data key to AWS KMS, never the whole data set, so the round trip is fast, and encryption/decryption of the data itself happens on your side. This is called envelope encryption.

Envelope encryption

Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

This way you can store your data key (encrypted, of course...) securely wherever you want: the data key is protected by encryption under your CMK (your CMK encrypted it, remember?). And because encrypting a lot of data is time-consuming, it makes more sense to re-encrypt the small data key when a key changes than to re-encrypt all the raw data. That's another benefit of envelope encryption.

You can also encrypt the data encryption key with another encryption key, and so on... But eventually there must be one key that is used in plaintext so you can decrypt the chain of keys and then your data. This top-level key is known as the wrapping or master key; with AWS KMS it is the CMK, which only ever exists in plaintext inside the HSMs.

Data key pairs

Data key pairs are asymmetric data keys that consist of a mathematically-related public key and private key.

From a data key pair you get the public key, the private key in plaintext form and the private key encrypted under your CMK.

When you want to encrypt your data you use the public key. In most cases, data key pairs are useful when many parties need to encrypt data that only the party holding the private key can decrypt.

What if someone encrypted something with your public key and now you want to decrypt it? You only have your encrypted private key. So, to obtain the private key in plaintext form, you must send the encrypted private key to AWS KMS. It decrypts the encrypted private key with your CMK and sends you back the plaintext private key.

And now you can decrypt your data, and remove the plaintext private key as soon as possible! 👏

Digital signatures

What else can you do with data key pairs? Digital signatures. You sign a message with your private key, and anyone who has your public key can verify that signature. The verifier then knows that whoever produced the signature had access to the private key and that the message has not changed since it was signed. Whether that private key really belongs to you is a separate question: a signature proves possession of a key, not identity, so the verifier still needs a trustworthy way to tie the public key to you. Or maybe you stole the private key, did you? 🤔

Here are two diagrams showing how it works:

You generate a signature for a message with your private key and publish the message, the signature and your public key somewhere on the Internet. Then anyone with access to your public key can verify that the message was signed by the matching private key and has not changed since it was signed.
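As an added example (not from the original post, and not AWS code), here is the data key pair flow from the two sections above written with Go's standard library: one RSA pair used so that anyone with the public key can encrypt for the holder (RSA-OAEP), a separate pair used for signatures (RSA-PSS), and a verification that fails for a modified message or a different public key. The KMS side is simulated: NewDataKeyPair plays the role of GenerateDataKeyPair and hands the private key back directly instead of wrapped under a CMK, and the messages are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// NewDataKeyPair stands in for KMS GenerateDataKeyPair (simulation, not the
// service). It returns the private key, which KMS would also hand back wrapped
// under the CMK, and the public key as DER-encoded SubjectPublicKeyInfo, the
// form in which KMS returns public keys.
func NewDataKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pubDER, nil
}

// parsePublicKey is what a third party does with the bytes you published.
func parsePublicKey(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return rsaPub, nil
}

// EncryptForHolder: anyone holding the public key can encrypt (RSA-OAEP); only
// the private key holder can decrypt. OAEP limits the message to a couple of
// hundred bytes, so in practice this encrypts a data key, not the data itself.
func EncryptForHolder(pubDER, msg []byte) ([]byte, error) {
	pub, err := parsePublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptAsHolder is the step that, with KMS, you can only perform after asking
// the CMK to unwrap the private key.
func DecryptAsHolder(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces an RSA-PSS signature over SHA-256(msg).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is true only if sig was made over exactly msg by the private key that
// matches pubDER. It says nothing about who controls that private key.
func Verify(pubDER, msg, sig []byte) bool {
	pub, err := parsePublicKey(pubDER)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// One pair per purpose: never reuse an encryption key pair for signing.
	encPriv, encPub, _ := NewDataKeyPair()
	sigPriv, sigPub, _ := NewDataKeyPair()

	ct, _ := EncryptForHolder(encPub, []byte("a data key for the holder")) // constructed sample
	pt, _ := DecryptAsHolder(encPriv, ct)
	fmt.Printf("decrypted: %q\n", pt)

	msg := []byte("release v1.2.3") // constructed sample
	sig, _ := Sign(sigPriv, msg)
	fmt.Println("genuine:", Verify(sigPub, msg, sig),
		"modified message:", Verify(sigPub, []byte("release v1.2.4"), sig),
		"wrong public key:", Verify(encPub, msg, sig))
}
```

With the real service the only change is where the private key comes from: GenerateDataKeyPair returns it wrapped, you call Decrypt to unwrap it right before DecryptAsHolder or Sign, and you zero it afterwards, as the sections above describe.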

Rotating customer master keys

And the last section! 👏

You can have AWS KMS rotate a customer managed CMK automatically once a year.

You enable automatic rotation on the CMK in AWS KMS and AWS schedules a yearly rotation for it. From then on, every year AWS KMS generates a new backing key (cryptographic material) for you. You do not have to change anything: the key ID, ARN, alias and policies stay the same. All your old backing keys are still there (AWS KMS does not delete rotated key material until you delete the CMK), so you can still decrypt a data key that was encrypted five years ago, for instance. But any new data key will be encrypted with the new backing key. Two caveats: rotation does not re-encrypt existing data keys, so a leaked data key stays usable until you re-encrypt the data under a fresh one; and asymmetric CMKs and CMKs with imported key material cannot be rotated automatically. Rotating "manually" means creating a new CMK and pointing your alias at it.
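As an added example (not from the original post, and not AWS code), the following Go program puts the envelope encryption flow from the "Data keys" and "Envelope encryption" sections and the backing-key rotation from this section into running code. LocalKMS is an in-process stand-in for a CMK whose GenerateDataKey and Decrypt mirror the KMS operations of the same names; it is not the real service, and the key ARN and sample plaintexts are constructed for the example. The wrapped data key carries the version of the backing key that wrapped it, which is how an envelope written before Rotate still decrypts afterwards while new envelopes use the new material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// must turns errors that can only come from a bug (wrong key length, broken OS RNG) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// random returns n cryptographically random bytes.
func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts plaintext with AES-256-GCM, prepending a fresh random nonce; aad is
// authenticated but not encrypted. open reverses it and fails on any tampering.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob truncated")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// LocalKMS stands in for one CMK: backing keys never leave it; callers only ever see data keys.
type LocalKMS struct {
	keyID   string
	backing [][]byte // one entry per rotation; the last one wraps new data keys
}

// Rotate adds fresh backing key material and keeps the old for Decrypt. Call it once before first use.
func (k *LocalKMS) Rotate() { k.backing = append(k.backing, random(32)) }

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit data key, in plaintext and wrapped
// under the current backing key. The blob starts with the 4-byte backing key version.
func (k *LocalKMS) GenerateDataKey() (plaintext, wrapped []byte) {
	ver := len(k.backing) - 1
	plaintext = random(32)
	wrapped = make([]byte, 4)
	binary.BigEndian.PutUint32(wrapped, uint32(ver))
	return plaintext, append(wrapped, seal(k.backing[ver], plaintext, []byte(k.keyID))...)
}
// Decrypt mirrors KMS Decrypt: it unwraps a data key wrapped by any backing key version.
func (k *LocalKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 || int(binary.BigEndian.Uint32(wrapped)) >= len(k.backing) {
		return nil, errors.New("truncated blob or unknown backing key version")
	}
	return open(k.backing[binary.BigEndian.Uint32(wrapped)], wrapped[4:], []byte(k.keyID))
}

// EncryptEnvelope returns (wrapped data key, ciphertext), both safe to store together.
func EncryptEnvelope(kms *LocalKMS, data []byte) ([]byte, []byte) {
	dk, wrapped := kms.GenerateDataKey()
	defer zero(dk) // the plaintext data key must not outlive this call
	return wrapped, seal(dk, data, nil)
}
// DecryptEnvelope asks the "CMK" to unwrap the data key, then decrypts locally.
func DecryptEnvelope(kms *LocalKMS, wrapped, ct []byte) ([]byte, error) {
	dk, err := kms.Decrypt(wrapped)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return open(dk, ct, nil)
}

// zero scrubs a plaintext key (best effort: the runtime may still hold copies).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := &LocalKMS{keyID: "arn:aws:kms:eu-west-1:111122223333:key/example"} // fictitious ARN
	kms.Rotate()
	wrapped, ct := EncryptEnvelope(kms, []byte("written before rotation")) // constructed sample
	kms.Rotate() // yearly rotation: new backing key, old one kept for Decrypt
	pt, err := DecryptEnvelope(kms, wrapped, ct)
	fmt.Printf("backing key v%d: %q err=%v\n", binary.BigEndian.Uint32(wrapped), pt, err)
}
```

Against the real service the two LocalKMS calls become kms:GenerateDataKey and kms:Decrypt through the SDK; everything else (AES-GCM over the data, zeroing the plaintext data key, storing the wrapped key next to the ciphertext) stays on your side exactly as shown, which is the division of labour the envelope encryption section describes.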

Here is a video, if you don't want to read:


 
