AWS KMS - Basic concepts
Firstly what is it?
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions.
So, with AWS KMS you can store your customer master keys securely.
What are customer master keys (CMKs) then?
Customer master key is the primary resource in AWS KMS (so, it has own ARN). It is a logical representation of a master key. You can create symmetric and asymmetric CMKs. CMKs never leave AWS infrastructure unencrypted. No one from AWS has access to these guys, only you. Your master keys are stored in such devices (hardware security module (HSM)):
You can read more about the cryptographic details here.
Okay, so what can you do with AWS KMS?
AWS managed CMKs
Using AWS managed CMKs you can encrypt/decrypt your data stored on S3 or EBS (it is handled transparently and requires no additional action from you!). If someone steals your (encrypted) data, without access to AWS KMS they can do nothing with this information. Here is a list of AWS Services integrated with AWS KMS.
Customer managed CMKs
You can also use Customer managed CMKs, and integrate it with sops for example. You can generate, encrypt and decrypt data keys using AWS KMS, but you are not forced to generate data keys in AWS KMS. If your tool generates data keys (like sops) you can use AWS KMS to encrypt/decrypt these keys. No problem. But, you have to remember that after creation of data key by AWS KMS, you must care about this key since then. AWS KMS cares only about master keys.
Data keys
Okay... so what are these data keys? 🤔
Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
So... basically, with data key you can encrypt and decrypt your data (master key encrypts/decrypts only data key, not data!).
As you can see, AWS KMS can generate data key for you. You will receive plaintext data key and encrypted data key. You can store encrypted data key wherever you want because (you know) it is encrypted and can be decrypted only by your CMK (Customer Master Key), so do not share your AWS credentials for CMK 🙏.
With plaintext data key you can encrypt/decrypt your data and you should throw away this data key through window destroy this key as soon as possible. You should not store this data key anywhere. You need this data key in plaintext form only for a short period of time.
If you want to decrypt your data, you have to decrypt your encrypted data key firstly. How to do that? You need to send your encrypted data key to AWS KMS, AWS uses your CMK, decrypts this encrypted data key and sends you the data key in plaintext form. Now, you can decrypt/encrypt your data using this key. Remember that you should remove this data key (plaintext 😱) as soon as possible.
You never have access to your CMK, I mean, your CMK never leaves AWS infrastructure. You cannot "get" your CMK (that's why it is so secure). You only need to send data key to AWS KMS. This way the whole operation is very fast, you do not have to send the whole data. Encryption/decryption of data is on your side. It is called envelope encryption.
Envelope encryption
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
This way you can store your data key (encrypted of course...) securely where you want. The data key is inherently protected by encryption (your CMK has encrypted it, remember?). Because encryption can be time consuming (if you have a lot of data) it makes more sense to re-encrypt the data key instead of raw data. That's another benefit of envelope encryption.
You can also encrypt the data encryption key by another encryption key, and so on... But, eventually, there must be one key in plaintext so you can decrypt the keys and then your data. And this top-level plaintext key is known as the wrapping/master key.
Data key pairs
Data key pairs are asymmetric data keys that consist of a mathematically-related public key and private key.
Using data key pairs, you get public key, private key in plaintext form and encrypted private key:
When you want to encrypt your data you need to use public key. In most cases, data key pairs are useful when many parties need to encrypt data that only the party that holds the private key can decrypt.
What if someone encrypted something by your public key and now you want to decrypt this data? You only have your encrypted private key. So, for obtaining the private key in plaintext form you must send the encrypted private key to AWS KMS. It will decrypt the encrypted private key and send you the plaintext private key.
And now, you can decrypt your data and remove the plaintext private key as soon as possible! 👏
Digital signatures
What can you also do with data key pairs? You can use them for digital signatures. You sign a message with your private key and this message can be verified by anyone who has access to your public key. This way, a person who verifies your message is sure that you have access to the private key and it is very likely that you are also associated with the public key. Or maybe you stole the private key, did you? 🤔
Here are two diagrams show you how it looks like:
You generate a signature for a message using your private key and put them (the message, the signature and your public key) somewhere on the Internet. Then, anyone with access to your public key can verify that it was signed by your private key and it has not changed since it was signed.
Rotating customer master keys
And the last section! 👏
You can rotate your customer master keys every year.
You cannot do it manually. You need to enable it in AWS KMS and AWS will schedule a yearly rotation for this CMK. After that, every year AWS KMS will generate a new backing key (cryptographic material) for you. You do not have to change anything. All your old backing keys are still there (AWS KMS does not delete any rotated key material until you delete the CMK), so you can still decrypt the data key which was encrypted five years ago for instance. But, any new data key will be encrypted by this new backing key.
Here is a video, if you don't want to read:
Comments
Post a Comment